Solution: An Incentive for Management to Prioritize the Security of Personal Information
Today, there are almost no consequences for having your customer database stolen. Bad press exists, but with the frequency of new breaches it is becoming less impactful, and an organization is unlikely to lose much goodwill. The cost of experiencing a breach is, therefore, severely diminished.
It's time for big governments to enact laws that hold the entity collecting personal information responsible for its theft. This could be as simple as a flat damage fee per affected person, per breach. The fees don't need to be exorbitant, just significant enough to place them on the risk and budget spreadsheets of companies. Imagine a damage fee per person affected of $5 for personal information and $10 for sensitive information (credit card details, passwords, correspondence, health information).
This financial risk is all that is needed for companies to start prioritizing this issue. They would have to weigh it against possible investments in the security of their data systems. Consequently, insurance companies would begin offering packages to cover firms against personal information theft damages. These insurers would then draw up a list of security requirements their customers must meet to be eligible for payouts.
This is not in any way targeted specifically at Rite Aid, but rather a commentary on the PI-theft situation as a whole.
TL;DR: Putting a price tag on losing personal information would almost instantly create a new market for the standardization of best practices and auditing for systems and infrastructure handling personal information, reducing the risk of fines.