This is exactly what will happen in Europe next year.
With the General Data Protection Regulation, any leak of private data caused by a major cybersecurity gap in a company will lead to severe financial sanctions such as a fine based on 4% of the company turnover.
As I understand it, Europe does not generally suffer from the disease of banks and courts accepting knowledge of basic demographic data as proof of identity. GDPR is not really comparable to the mess of the US social security number situation.
The risk we need to introduce is to make banks (not customers) responsible when banks allow themselves to be tricked w.r.t. personal identity. This would motivate them to come up with identity verification schemes reflecting ~anything at all that the security community has figured out in 50+ years.
With the General Data Protection Regulation, any leak of private data caused by a major cybersecurity gap in a company will lead to severe financial sanctions such as a fine based on 4% of the company turnover.
This law will indeed give the risk a “cost” :).