Penalties should be strong enough that sites and apps do not collect more than an email address without very good reason. Just wanting to contact me with marketing literature is not a good reason.
I can't help but think that what we need is for a class action suit to impose strong enough penalties that insurance companies insist on proper audits of what data is actually needed and what is just a financial loss waiting to happen.
Not because it's hard work to protect themselves, but because it's typically not a business priority (at the top, the middle, and, via coercion and incentives, the bottom/workers too) to invest in security. Most of these big hacks are via well-known threats that can be caught in typical good-faith auditing.