This data breach nonsense with slaps on the wrist is very easy to fix. Just have the government assign a dollar value to each piece of private information and allow for class action lawsuits for data breaches.
I have been saying that companies that wish to collect and store private data should be forced to buy "data insurance" for this purpose and to incentive only storing necessary information
But it wouldn't be a reward. It'd be a fine paid to the government. The only real reason with malicious intent I can see from it is people intentionally hacking companies to bankrupt them or cripple them. But that just means they had weak security anyways
The OP was talking about class action lawsuits. The plaintiffs in class actions are individuals, not governments. I took that the mean the OP was talking about penalties to private actors, rather than to governments.
For example
Social security number $5000
Credit card number $1000
Address $500
Telephone $200
Email $100