Hacker News

Penalties are too reactive. Regulation would be more proactive.

A huge corporation will mostly see a fine as a cost of doing business. It won't work when you're looking at negligence, or security, because you can hedge all of your bets on never being found out, or otherwise only being found out so far in the future that the negligence has already paid for itself.

Regulating the storage of sensitive information, same as you have with HIPAA and GDPR, presents a much stronger case for being more careful up front. You're no longer talking about negligence: the expectation for how you handle sensitive info is made clear right from the start, and you can treat egregious violations (like storing passport numbers alongside other account details like a physical address without securing the system) as malicious.

