This. I'd go as far as to say that the law mostly tries to conserve liability, in the "energy conservation" sense. Once harm is defined and quantified, the consequences have to be discharged somewhere, and there's tons of rules that try to sensibly distribute them among parties involved, while counteracting everyone's attempts at diffusing liability or redirecting it somewhere else.
On that note, after some time working in cybersec and GRC fields, I realized that cybersecurity is best understood in terms of liability management. This is what all the security framework certification and auditing is about, and this is a big reason security today is more about buying services from the right vendors and less about the hard tech stuff. Preventing a hack is hard. Making it so you aren't liable for the consequences is easier - and it looks like a network of companies interlinked with contracts that shift liability around. It's a kind of distributed meta-insurance (that also involves actual insurance, too).
My eyes were opened to this when management wasn't just talking about deleting unneeded private data just as the right thing to do, but specifically how it could reduce our insurance premiums.
At least in the US, there's precious little difference. If a company is found guilty of a crime, the C-suite isn't thrown in prison; they pay a fine.
If a company is found to have committed a tort against a party, they pay damages.
There are exceptions (the Volkswagen diesel scandal comes to mind) but generally both punishments entail paying out a monetary amount that is often lower than the profit generated by the crime, often because of tort reform or because of fine amounts that are out-of-date with current corporate revenues.
Most legal principles are designed to reduce liability. That's the whole point of incorporation, for example.