This latest breach was due to ridiculously poor application security. I would expect companies or government agencies to be heavily penalized for privacy violations like this, such that it is cheaper for them to pay for good security up front than to pay damages later. Are the penalties too low, such that companies and agencies are saving money by skimping on security? I know from experience that many programmers have so little security awareness that they would create vulnerabilities like this without even realizing it. That would change in a heartbeat if security competence had any effect on hiring and salaries.