I'm no lawyer (you know a great post is coming when those are the first words), but I would venture to guess that contractual liabilities for software that stores personally identifiable information are a much more complicated matter than the liability a contractor in other industries (construction, e.g.) takes on when he/she hires a sub. I would be surprised to learn that the laws around data breaches didn't place ultimate responsibility for protection of the personal data squarely on the end user opting to provide it. Otherwise, I'm pretty sure no technology firm would be willing to take on the risk to develop such systems.
If the government is to blame for this in any respect, I think it would be in that the Feds continue to use SSN as the key to open every door into our life histories. It's stored in so many databases (many not even managed by the govt.) at this point that none of us is safe from identity theft. Seems to me there should be one read-only resource (possibly replicated down from the system that stores the master SS records) that any application that relies on a person's identity must interface with in order to validate SSNs. Once an SSN has been validated, that system should return a code that corresponds to that SSN (but is not an acceptable means of identification for any other purpose), which becomes the value stored in the application database. That way, if a breach occurs, the offender has a set of useless codes that can't be used to steal identities. Of course, that assumes nobody manages to hack the master system, which is not a safe assumption.
Online commerce is a wonderful world that is unfortunately fraught with peril. Enter at your own risk (at least I assume that's what I've done).
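The validate-and-tokenize scheme sketched in the comment above, as an added illustration (not the commenter's code, and not any real SSA system): a constructed master record set, a vault that issues a random per-application token in place of the SSN, and an application database that stores only the token. The `app_id` binding, the `enroll` helper and the breach check are assumptions made for the demonstration.

```python
import re
import secrets

# Constructed sample of "master" SS records; a real system would hold the authoritative data.
MASTER_RECORDS = {"123-45-6789": "A. Person", "987-65-4321": "B. Person"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Read-only validation front end. Applications never store the SSN,
    only the token this service returns; the token -> SSN map lives here alone."""

    def __init__(self, master_records):
        self._master = master_records
        self._tokens = {}  # token -> (ssn, app_id), kept only inside the vault

    def validate(self, ssn, app_id):
        """Return a token bound to app_id for a valid SSN, or None."""
        if not SSN_RE.match(ssn) or ssn not in self._master:
            return None
        # Random token: derived from nothing, so it reveals nothing about the SSN
        # if the application database leaks.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (ssn, app_id)
        return token

    def is_valid_for(self, token, app_id):
        """Only the issuing application may use its token; the same token
        presented by any other system is rejected, so it is not a general
        means of identification."""
        entry = self._tokens.get(token)
        return entry is not None and entry[1] == app_id


def enroll(vault, app_id, app_db, username, ssn):
    """Application side: ask the vault to validate, then store only the token."""
    token = vault.validate(ssn, app_id)
    if token is None:
        return False
    app_db[username] = {"ssn_token": token}
    return True


def breach_exposes_ssn(app_db):
    """Simulate an attacker dumping the whole application database:
    does any real SSN appear anywhere in it?"""
    dump = repr(app_db)
    return any(ssn in dump for ssn in MASTER_RECORDS)
```

The vault itself remains the high-value target the comment warns about; this only shrinks what a breach of any one downstream application can yield.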