Monetary penalties should work the other way.
Start out at the maximum and reduce it based on what they have done since the breach, how open they have been with those affected and with investigating, and any controls which were in place prior (and working), and then balance that against what they failed to do, e.g. ineffective controls.
Currently, breaches, as with data protection fines of old, sit in categories of "low, medium, high, holy****" and finally the big "*we're moving to GDPR so we can finally hit them with max*".