
I feel like any server breach should be punishable by law. What point needs to be crossed before companies and IT departments start to put more effort into security?

  1. imreloadin

    But then company executives would actually be held accountable for something...

  2. ARikozuM

    "With great power comes great responsibility"? 

  3. Speed Weed

    It is the company's job to protect our information, and yet they failed miserably! Look at the Equifax data breach case. One guy in charge of 145 million customers' info... Equifax, one of the top three major credit report companies, does this kind of security practice. What a shame.

    We need to put a strict law in place!

  4. 2FA

    No, absolutely not, because you are completely ignoring zero-days. You can put all the effort in and still be breached through a combination of exploits you'd have no way to defend against.

  5. ARikozuM

    What would you suggest then? Something has to be done for breaches for our security as more of our identifiers become digitized. 

  6. 2FA

    Something akin to PCI DSS where you need to demonstrate proper security, fail compliance and get fined bigly depending on severity and impact. That way you demonstrate proper security practices and if you are still breached, it's not because you were lax.

  7. ARikozuM

    Does it say anything about having payment info encrypted? 

  8. 2FA

    What does, PCI DSS? That's two of 12 requirements. If you're talking what I suggested, then PCI DSS already has that handled.

  9. ARikozuM

    Is there a penalty for not taking the standard? Marriott is in the news for its purchased venture not having encrypted payment data, passports, and other PII. 

  10. 2FA

    If you want to do business with cards (MasterCard, Visa, Amex, Discover, and JCB), they will do a compliance audit before you are allowed to use their services, as PCI DSS is run quite literally by those companies. Visa and MC will issue fines if an entity fails to comply, especially so if there is a breach. Certain entities are not required to comply, but merchants most certainly are. If the server wasn't directly part of the payment processing system, it's likely that it could be missed in an audit.

    So I just read about that breach; most of the information didn't need to be directly encrypted. The payment info was encrypted with AES-128, which seems odd to me, as I would figure hashing with SHA-256 or better would be preferred, though I'm not familiar with actual practices in the industry (still in school haha). They haven't ruled out the private keys being stolen. The passport numbers aren't too big of an issue, especially since only e-passports are issued now by the US. I cannot attest to other countries though.
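The post above asks why stored payment data would be encrypted with AES-128 rather than hashed. The two serve different jobs: a merchant or processor has to get the card number back to charge it later, so storage must be reversible, while a one-way fingerprint is only useful for finding or de-duplicating a card. The Go program below is an added example written for this thread (it is not code from any of the posters, from the card brands, or from any breached company) and shows both side by side: AES-128-GCM under one key for the reversible copy and an HMAC-SHA256 fingerprint under a second, independent key for lookup. The `Vault`, `StoredCard` and the test card number are all constructed for the example; the point it makes is that once the data is encrypted, the encryption key becomes the thing to protect, which is why "were the keys stolen too?" is the first question after a breach of encrypted records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredCard is the shape of a database row for a card number (PAN): a
// reversible ciphertext, because the business still has to charge the card
// later, plus a keyed one-way fingerprint that lets the application find or
// de-duplicate a card without decrypting anything.
type StoredCard struct {
	Nonce       []byte
	Ciphertext  []byte
	Fingerprint string
}

// Vault holds two independent keys (generated in memory here for the
// example; a real deployment keeps them in an HSM or KMS, never beside the
// data they protect).
type Vault struct {
	encKey []byte // 16 bytes, i.e. AES-128 as in the breach discussed above
	macKey []byte // separate key, so the fingerprint cannot be used to decrypt
}

// NewVault generates fresh random keys.
func NewVault() (*Vault, error) {
	v := &Vault{encKey: make([]byte, 16), macKey: make([]byte, 32)}
	if _, err := rand.Read(v.encKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(v.macKey); err != nil {
		return nil, err
	}
	return v, nil
}

// Fingerprint is HMAC-SHA256 over the PAN. A keyed MAC rather than a bare
// SHA-256 matters because card numbers carry very little entropy; without
// a secret key the fingerprint would not be a one-way value in practice.
func (v *Vault) Fingerprint(pan string) string {
	m := hmac.New(sha256.New, v.macKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the PAN with AES-128-GCM under a fresh random nonce and
// records the fingerprint alongside it.
func (v *Vault) Store(pan string) (StoredCard, error) {
	aead, err := v.aead()
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), nil)
	return StoredCard{Nonce: nonce, Ciphertext: ct, Fingerprint: v.Fingerprint(pan)}, nil
}

// Recover decrypts a row. GCM authenticates the ciphertext, so a row that
// was altered in the database fails here instead of yielding a silently
// corrupted card number.
func (v *Vault) Recover(c StoredCard) (string, error) {
	aead, err := v.aead()
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// FindByPAN locates a row by fingerprint alone; this path never needs
// encKey, so the lookup service can be deployed without access to it.
func (v *Vault) FindByPAN(rows []StoredCard, pan string) (int, bool) {
	want := []byte(v.Fingerprint(pan))
	for i, r := range rows {
		if hmac.Equal([]byte(r.Fingerprint), want) {
			return i, true
		}
	}
	return -1, false
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	row, err := v.Store("4111111111111111") // constructed test number, not real cardholder data
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: ct=%x fp=%s...\n", row.Ciphertext, row.Fingerprint[:16])
	pan, err := v.Recover(row)
	fmt.Println("recovered with key:", pan, err)
	idx, ok := v.FindByPAN([]StoredCard{row}, "4111111111111111")
	fmt.Println("found by fingerprint, no decryption:", idx, ok)
}
```

Two properties are worth checking when reviewing a design like this: a row decrypted with any key other than `encKey` (or a row whose bytes were modified) must fail outright rather than return garbage, and two vaults with different `macKey` values must produce different fingerprints for the same card, otherwise the fingerprint column is just an unkeyed hash by another name.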

  11. 2FA

    Forgot to mention, it seems like they were compliant for the most part. As far as I'm aware, how the attacker accessed the database is still unknown, so I'm not going to rail against them.

  12. Jtalk4456
  13. ARikozuM

    I wasn't aware that payment systems had to be audited. Good to know that the CC companies are setting common practices to combat fraud, theft, and such.
