I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.

Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.

This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far too cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.

And this strict liability will come with an expectation of insurance. The insurance policies will necessitate audits, which will actually improve security.

[deleted]

I feel like there’s a tendency here to seriously overestimate how damaging these leaks are to individuals.

For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.

It's not a popular opinion but I agree. I live in a country that has a very extensive principle of public records, and oftentimes these leaks disclose much less than you would get by simply calling the authorities and asking. Now, whether that's good or bad is a different story.

Leaking school or medical records can have serious personal consequences that cannot even be enumerated.

We used to hand out whole books of this information to as many people as possible. (phone books)

The only right answer.

Let's do this.