What about making them put up a hefty bond proportional to the sensitivity and scale of the data collected, which is forfeited to any potentially affected users in the event of a breach?
How about paying the user whose data has been collected? It's their data. If we are the product, we should get paid for being used! And we should get paid a whole lot more (multiples) for the exposure of a leak.