Problem is, "Evil Hackers" always get the blame rather than the negligent companies, who play the victims. They trot out all the usual flawed analogies about locked doors and burglars, to excuse their negligence, and it works! So, the only legislation we ever see is to be Tougher And Tougher On Hackers instead of holding these clown companies responsible for the data they act as custodians of.

For negligence to arise there must be, inter alia, duty and proximate harm. I think you’ll find the identity services have a duty to their contractual partner, the website, but not to the victim whose identity was stolen. And there’s a circuit split as to whether any of these people were even harmed.

While litigation seems appealing, the answer here is legislation.

Sometimes there's probably negligence involved; sometimes not. You don't know without having access to the specifics. Always blaming "negligent companies" is just as wrong as always blaming "evil hackers".

