Fines would work if they were a substantial amount instead of what they are now. Look at the EU fining Google $2.7 billion. If the fine is more than the amount made doing something illegal, companies would think twice.
While fines can help ethical people make the case that they should do the right thing, I am afraid it isn't enough.
What I'm talking about isn't the actual data leak but rather what equifax did or did not do before and after the leak. That is the real crime here. I don't see the CEO and the board facing prison which means we need to change something.
We are a nation of what we choose to be laws and right now it feels like we are a nation where there's no responsibility for the people at the top. Plausible deniability has gone too far. As with everything in life, we need to seek balance and the balance is making sure the board and the CEO have an incentive to ensure the organization isn't systemically violating the spirit of the law.
We are a nation of laws but laws aren't something we got from the mountaintop. We need to tweak things sometimes.
The financial world lost its collective shit and cut Iceland off from the global credit markets. Iceland doesn't seem to be suffering to me.
And their prisons are nicer than club fed :)