Time to head back to school: your information about corporate IT legal liability is about 25 years out-of-date.
Who cares, you ask? Lots and lots of government regulatory agencies, especially in Western Europe. Did you fail to take the minimum standard of care to protect data deemed sensitive by your local regulatory authorities? Congratulations! Your data leak just earned the company a big fat fine or, in extreme cases, jail time!
BUT WAIT, THERE'S MORE! Who else cares? The payment industry! Good luck getting approved to take electronic payments when your answer to "How are you securing our customers' payment data?" is a blank stare and a piece of paper.
BUT THAT'S NOT ALL! Do you know who else cares? Your customers! I guarantee that if they're not asking for it now, your customers will soon be asking you to demonstrate that you're taking industry standard measures to secure their confidential information. Failed to implement commercially reasonable information security? Loss of revenue! Loss of customers! Lawsuits! What fun!