At this point I get about 1-2 emails a year telling me some company has exposed my private data in some way. It’s completely routine.

We need a law mandating the company pays at least $1k per exposed record per customer or absolutely nothing will change. The current cost of “here’s a years worth of credit monitoring” doesn’t even amount to a slap on the wrist.