The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
I underwent a government required background check to get a security clearance and my data was stolen: https://en.wikipedia.org/wiki/2015_Office_of_Personnel_Manag...
My "compensation" for my data being leaked was 1 year of free credit monitoring. But obviously, criminals interested in identity theft will continue their attacks after 1 year.
As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour ... could have been put in prison as punishment instead of just resigning. I don't think that would change anything. There will still be future scenarios where governments want more collection of private data. Flock cameras, TSA airport scans, internet access age-verification face scans, etc.
I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.
Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?
So we should start treating them like licensed engineers... Actually I agree with this.
Let's not forget the largest data breach in US history by Elon Musk and his DOGE kids.