They would be if the punishment was severe enough. Heck, businesses might even become afraid to collect personal information if there was a risk of serious bodily harm and financial penalties for letting it loose.
They might also re-evaluate their risk profile and invest more into securing their systems (for existing tech&laws, an analogy for the IRL product companies). The lawyers and peanut counters are often involved in the decision making around these things.
