Accountability and Identity
I would love to see what TJX spent on Christmas decorations, christmas parties and coffee the past 2 years and compare that with what they spent on security infrastructure. If they spent less on the security portion of their business they deserved to be hacked. By the way, that goes for any company who is placed in a position of customers sharing data and their trust with them.
So how does this stuff stop happening? PCI DSS is one initiative from the card companies, but I believe until there is personal accountability in these breaches at the Management or Board level, this will continue to happen. Did we learn nothing about SOX (Sarbanes Oxley) and compliance. The teeth in that is Management goes to jail - or put another way - accountability.
How about legislation for increased corporate accountability vs. legislation about data breaches and consumer protection. Companies who are more secure, will get more business, be trusted more, have a better brand, and continue to grow. Those who don't figure it out, or see the benefit to maintaining trust with your customers, lose.