Are you reading the same news the rest of us are? Companies are basically never found liable for a "hack" into their systems. And when the companies share user data intentionally, at worst they get a fine so low as to be meaningless. And in the US, usually not even that, because selling user data is mostly legal.
What usually happens in cases of government agencies getting hacked (in my non-US experience) is that an inspector investigates what went wrong, proposes improvements to security systems and processes, then monitors the agency to make sure they carry them out.
What usually happens in cases of government agencies getting hacked (in my non-US experience) is that an inspector investigates what went wrong, proposes improvements to security systems and processes, then monitors the agency to make sure they carry them out.