If your bank lost your money due to getting hacked, would you just shrug and accept that they do money, not IT security, and therefore it's outside scope for a negligence claim?
If the negligence directly led to provable harm to me (such as getting evicted because I couldn't make rent), then I would want a negligence suit. If it didn't cause provable harm to me, merely some annoyance, and I got all of my money back from FDIC insurance, then I believe any negligence claim should be greatly limited, or even outside of scope, yes.
If probable harm happens to people because of these record leaks I believe the law firm should be part of the joint liability to make that harm as financially whole as possible. But that's what a civil suit is for, not a DA enforcement.
Negligence doesn't work the way you describe with potential to be out of scope. It is a finding of fact: there was negligence or there was not. The law has a separate mechanism for situations that you might call 'out of scope' which is to award zero damages.
I understand that. You were the one who chose "scope" as the word to use to describe this and I was just using your word in order to facilitate conversation between us.
If probable harm happens to people because of these record leaks I believe the law firm should be part of the joint liability to make that harm as financially whole as possible. But that's what a civil suit is for, not a DA enforcement.