
There should be fines big enough to bankrupt the companies who fail to secure this kind of data. Is there some other way to convince them to take the issue more seriously?


> There should be fines big enough to bankrupt the companies who fail to secure this kind of data

...and then when their assets are broken up and sold off in bankruptcy, your sensitive data ends up scattered to random companies you never heard of.


That just pushes them offshore.

I would rather that there be greater security training in software development programs/bootcamps.

I’m a software engineer. I know a lot of software engineers. None of us have ever been trained in security.

Any “best practices” are usually picked up in Stack Overflow conversations.


It seems to me that the way to deal with offshoring would be to bring back a modern version of outlawry. The US could basically declare: "Until this corporation pays their fines the US will not prosecute or extradite any individual or corporation who hacks them, steals their physical or intellectual property, declares debts to them canceled, or violates contracts with them."


Software engineers don't run these companies, executives do. Even if you have security training, that won't do you much good if leadership doesn't value security. If your company stores highly-sensitive data, you need teams dedicated to security, you need regular audits, and you need your entire company trained to handle phishing attacks.


Verogen might very well be in trouble because of CCPA violations either from state fines or from consumer suits.



