The insurance payouts for a breach could go to the affected users or to the government; I don't think it would matter much. The important part is that companies need to pay to retain user data. The insurance would have to be mandatory for large companies.
I agree there needs to be a cost to companies who lose user data, but I fear insurance would be a way to compensate users for the loss without incentivizing corporations to mitigate the risk.