Equifax had a 3rd party PCI auditor and passed their audits. Needless to say that vendor was fired after the breach. I guess my point is who do you go after? And what level of precaution mitigates liability and who determines that?
This is easy, and will satisfy the law mongers (like we need more).
Craft a law where credit bureaus and banks can have whatever level of liability they want written into their service agreements (you may not read those for phone apps, but should for your banking institutions) just so long as that mirrors the liability incurred by consumers when the applicable data is breached. No reason I should spend weeks or months sorting crap out when they can't be bothered to take the well known steps needed to prevent the issue in the first place. That's the big issue here: the people affected by the breaches are much more vulnerable to the consequences of fraud/ID theft than the services (which are essentially mandatory) that made it possible in the first place. Hold their feet to the fire (make it cost MONEY, "Someone in Honduras bought 30K in capri pants on my card? Sucks to be you." x100,000,000) and you can bet security will move right on up the budget list.
As it stands, we are talking about speeding/parking tickets for millionaires. Even if they can't beat it, the results are inconsequential.