Over and above the standards and punitive measures set out in state and federal statutes looms the threat that an aggrieved customer or client can sue you for negligently allowing their SPI to be accessed, corrupted, disclosed or otherwise mishandled.
That's because it is the owner, not the holder, of the data that is ultimately liable in the event of a data breach. In a "cloud" environment, which more and more of us are now operating in, under U.S. law and standard contractual terms the data owner is the party that faces liability in the event of a data breach loss.
As hard as it may be to believe, this is so even if the security failures are caused by the data holder, i.e., the cloud provider. Why is this? Because the standard vendor agreements that cloud providers require you to sign include terms excluding consequential damages and limiting direct damages.
In the majority of cases, the damages caused by a data breach at the data holder (the cloud provider) will be considered consequential damages. For this reason, those damages, e.g., loss of customers, lost profits and damage to reputation, will be barred by standard provisions foreclosing all liability for consequential damages.
The exception to this rule is HIPAA-protected Protected Health Information (PHI), for which responsibility is placed on the holder of the information.