Actually, I have a simple proposal for a bill:
Any party that leaks cc information is liable for any use of the cc card as of the date of the breach, unless they can prove the 3rdparty did not have the cc information at the time of use.
If your company is STUPID ENOUGH to store cc data and anybody accesses it, OR anybody manages to intercept said data, any purchases made with said cc information after the time it was retrieved is YOUR COMPANY'S problem ... then, and only then will companies take security seriously, that will also mean the end of MS' empire.... which can only be a good thing ;-)
Let's keep things simple!