It seems apparent that US companies and organizations need to do a better job improving their security practices. Are GDPR-like laws the solution?