When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public?

When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public?