Honestly, something as simple as statutory damages would be enough. Probably makes the most sense since it's going to be difficult to show whose database was used for identity theft.
You want to compile a database on your 1 million customers? Go ahead but you're going to pay $X * 1 million if you don't protect it.