Re: FIX: No permission to accept cards for 30 days - 30 YEARS
"make the penalty so bad that firms are FORCED to have good security or go out of business"
Nope. That means that the firm takes the hit, not the management. If the firm goes down, well-qualified, experienced managers will quickly find another job even if they were at fault. It's easy when a firm collapses to ensure any personal blame is hidden.
But who does take the hit if the firm goes down: ordinary employees, suppliers and unsecured creditors, and the owners, who are mostly secondary market passive stock investors like pension funds, insurers and the like. Is that a good outcome?
A partial solution is to make directors and officers personally liable for data security, including a change to the law to make them liable for breaches, and to impose a duty of responsibility to know what the security status of the firm is (i.e. close off the "we didn't know" excuse). A bit of jail time would be far more of a deterrent than a corporate penalty, particularly after a few golf club friends have been hauled off to the big house.