Drawing a distinction between cybersecurity in the Federal government and cybersecurity in other large organizations is meaningless. The only thing that does is make it easier for any large organization to avoid accountability for their failures.
The US business community has been completely successful in avoiding any regulations on cybersecurity. The US Chamber of Commerce has defeated all attempts to define laws or national standards for computer business security. Instead we have some Presidential decrees that have minimal real world impact.
Since there are no standards, it is impossible to assign any responsibility when data breaches occur. The response consists of cover ups, minimizing the impact of the event, denial of responsibility (the word "unprecedented" is common), rhetoric on helping the victims and not letting it happen in the future.
After the public outcry dies down nothing is ever heard about it again. It might as well not have happened. No one is ever fired. No follow ups are made available to anyone outside the organization.
Additionally, those affected by the data leaks are given no support and have no recourse. Being offered free credit monitoring for a year, or even two, is like offering someone with potential HIV exposure a band-aid. The level of effort involved is grossly inadequate. The potential repercussions can happen years later.
If the corporation responsible doesn't know how much effect the breach had, how can they decide to come up with policies that balance cost and benefits? The reason they do no follow up is because it provides them with ironclad cover from having to pick up the real cost of their failure. It also makes it a certainty it will happen again.
What I just described is exactly what happened with the Sony leak. But it could just as easily be the leak that occurred at UCLA in the last couple of weeks, or any leak that made the national headlines in the last 20 years. In fact UCLA was hacked in 2012, so nothing has really changed.
The non-government situation is identical to government cases. The failure modes and responses are identical. This is unsurprising because the organizational issues, technical requirements and talent involved are the same. It is nonsensical to expect that one side of an arbitrary line will have one kind of behavior and the other side will be different. It's just not going to happen.
The other elephant in the room is that a huge percent of the work is not done by the government, but is done by private contractors. That is what happened with the OPM breach. This was reported when the story first came to light, but is now erased from the narrative. That is a part of the cover up. In fact there were two contractor breaches, one at KeyPoint Government Solutions and the other at USIS.
So what is necessary to address the problem? Legislation and regulation that specifically defines standards for data security for both the government and private sector. This has to include severe criminal and financial penalties if data breaches occur. Individuals should be held personally accountable, specifically those at the highest level of the organization. The penalties for failure affecting national security should be at the level of treason; life sentences and even the death penalty.
What will actually happen? Nothing. All you need to do is look at Wall Street to see what will happen. The same companies, and even the same people (Jamie Dimon) who were personally responsible for the 2008 crash are doing better than ever, and continue with out-and-out criminal behavior. So far no one has been charged, much less put on trial. If you assume that you will not be allowed to withhold your personal information from the "business-government complex", it will be leaked, and you will be left completely vulnerable, then you understand what is going on.