Uh huh, I'm sure it's just that easy, right? I mean, I'm certain it's an even playing field even for someone like me who has the money to hire an attorney. Hell, why regulate these industries at all? We can just file civil suits, right? Even if you win it costs less for them to settle than it does to change the way the do business/security.

We regulate the finance industry not because of a risk of physical harm, but because financial harm can be equally serious and civil suits do not act as a sufficient deterrent to bad behavior by the powerful. Why do you feel this sort of thing is different? I believe the only real difference is that this sort of thing is new, not well understood by most, and we just haven't caught up.

It's not practical for individual users to litigate, but hopefully someone will bring a civil class action suit.

Additionally, you can't always show a direct link between a data breach and e.g. subsequent bank fraud.