> Oddly, a fifth thought “legal fines” would be one of the most critical outcomes of cyber warfare waged against their employers.
Naturally. It frankly seems certain that these companies are NOT in compliance with the relevant regulatory authority's requirements, and have no intention of putting themselves in compliance, because they deem the costs of implementing compliance are too high and/or their profits rely on not complying. In the usual course of things, all is business-as-usual, until some hack comes along and exposes how noncompliant they were.
It's pretty much the same as what I always say about labor laws: the laws are on the books, but without active and ongoing investigation only when malfeasance is reported can it be enforced.
Basically, if you want your cyber-laws to have any real bite, you need to deploy a department of government hackers dedicated to hacking all and sundry companies to find out if they are breaching your laws, and then fine the bajeezus out of them, just like if you want your labor laws against things such as wage theft to be enforced, you need to employ regulators with "legend" type undercover identities to roam the land, taking on low-end jobs such as waitstaff, retail associate, etc, work a few weeks to a month in the shoes of a drudge, and then move on, only months later for the employer to get regulatory beat-down and curb-stomping for the wage theft, employee abuse, etc.