I do believe regulation, in this rare case, is applicable to set a minimum industry standard for good and ethical practice. Failure to comply would bring regulatory penalties as well as open the door for litigation by the victims.

Now keep in mind, I am not a fan of cybersecurity regulation. I don't take the matter lightly. But in some cases, such as this, it is desirable.