Failure to disclose a significant data breach isn't just about deceit against users, it's also about defrauding investors. To borrow a phrase from Matt Levine (Bloomberg), "everything is securities fraud," including failure to disclose a data breach certain to have a material effect on the company's stock price.
Failure to disclose (or unreasonable delay in disclosing) a massive data breach by the executives of a public company is already a criminal offense! But I don't know of any cases where criminal charges have actually been brought. It's possible that assembling a securities fraud case is extremely challenging, or that US Attorneys are not keen to go after tech co. execs. If the latter is true, I don't suspect a new data privacy law would be any better enforced.
Failure to disclose (or unreasonable delay in disclosing) a massive data breach by the executives of a public company is already a criminal offense! But I don't know of any cases where criminal charges have actually been brought. It's possible that assembling a securities fraud case is extremely challenging, or that US Attorneys are not keen to go after tech co. execs. If the latter is true, I don't suspect a new data privacy law would be any better enforced.