[dspillett]

I suppose some might reason that if something that serious happens they'll be out of business anyway, and just make sure the responsibility can't follow them if it does happen and the business does fall.

Those that specialise in holding other party's data like this will have liability insurance to cover significant events financially (though there is of course still reputational risk to consider) and processes in place to try make sure such events don't happen so calling on that insurance never needs to happen.

> if someone hosting your data gets hacked

It wouldn't be if any someone got hacked, just if something they are responsible for fails and enables a data leak, so they are not accepting third-party risk unless they themselves involve third parties in the mix. Proving you are not the source of a leak could be an interesting proposition though.