For starters, the 1.25 billion estimate of Sony's loss is pure bullshit.
Even the TJX numbers are not likely a realistic representation. If you go back and review their stock price in the time frames in which the breach was announced and subsequent news was released, a small hit seemed to occur, but it did not have a long-term impact. The sad reality is that their security efforts were a joke, and yes, it cost them, but quite likely not more than it would have cost them to have put forth a considerable effort on security in the first place.
Where things could get interesting would be if companies were legally held liable for failures to secure information of others which they opted to hold. Make the cost painful, to the point where the impact could shake even a very strong company. This would force a real discussion in board rooms: is the default behavior of trying to capture everything on everyone really in the best interest of the company? Should we dump info we do not have a use for? Should we limit what we gather in the first place?
If this were the starting point, then insurance could be interesting. Once a company has completed their first level of pruning, then insurance could be sought. The insurance company would then insist on knowing: what data do you have? Where is this data? Who has access? How is it defended? Then they could set a rate based on the risk and the liability cost faced under stepped-up legislation. In most cases this quote would be high, very high, which should be the tip-off that a company should then prune more data, reduce access, and improve security, thus hopefully getting the company to a reasonable position that they should have been in at the beginning, but have not been because it was not in their financial interest to do so.