
What else is new? It seems every week there is some massive data dump of private information. Until people/CEOs start going to jail for lapses in security, that allow these hacks to happen, things will not improve.


Or, we could stop using the SS number, which you are required to give to people like employers, as a de facto national ID and credit ID, and also as a secret that merely knowing seems to authenticate you.


Under what law would a CEO go to jail for being hacked?


We'd almost certainly have to write a new one, but there are several straightforward ways to do it if we had the political will. An off the cuff example that could certainly be improved:

Definitions: Government Identification Data includes Social Security Number. Bulk Extraction means any removal of data more than element by element. Unauthorized Third party means any person who the Company does not intend to grant access to. Intentionally Retaining means that a company chooses to ask clients to supply information which is then saved in a way accessible to the company for any reason in the future.

Law: Any company maintaining Government Identification Data must select someone as personally liable for the security of said data. If the company does not have a person who accepts personal liability, this liability transfers to the Chief Executive Officer of the company. In order for the liability to be considered transferred, the Company must keep on file a notarized copy of an affidavit accepting such liability. Any company intentionally retaining any Government Identification Data must do so in a system that does not allow for Bulk Extraction by any Unauthorized Third Party. Failure to do so is considered Willful Negligence on the part of the company. Any company guilty of Willful Negligence as herein described must forfeit the greater of 15% of its previous yearly revenue or 5 times the Gross Annual Compensation of its most highly compensated employee. In addition, whoever the company has selected as outlined above shall be incarcerated for no less than 12 months and no more than 60 months.


We could (and should) create a personal criminal liability for management over cybersecurity.

Specifically one that flows past the CISO and prevents that role from being a firebreak to insulate the CEO.


The "fall guy" problem strikes me as nontrivial. Even if you add to the law that the CEO always has liability for any data leak, a sufficiently well-capitalized company run by someone aware of the liability would simply create a shell company that owns all of that data. You could disallow company transmission of said data at all, but that is going to cause problems when trying to actually verify said information . . .


Well, the plebs are all in debt and have no cash to steal. They are already being exploited to the hilt by every mindless over-optimizing corporate robot.

It's how the Elite are reacting to their data floating around that should be focused on.

They aren't calling for changes in companies, because companies are proactively running to them with "new services" to protect them and their families and well-paid servant class (i.e. the exec class), who are all quite clueless and constantly get into all kinds of cyber trouble. Google "cyber concierge" services.
