Lastly, there is a lack of accountability for the breaches. If you collect data about others, you are responsible for it. Yet all too often organizations discover years later that they suffered a massive data breach and then proclaim to the press that they were hacked by evildoers and caught unprepared.
Then they progress through the stages of data breach grief:
1. OMG I just read the news and found out we’ve been hacked
2. Turns out it was 4 years ago
3. Blame evil hackers while proclaiming innocence as a naive victim
4. The media turns up the heat – time to blame some systems administrator
5. Offer your customers credit monitoring
6. Wait until the next hack then GOTO step #1
It will be interesting to see what (if anything) comes out of this.