You can make 3rd parties sign all kinds of agreements, but even if they are held responsible, it diminishes your brand too. An entity as large as Comcast could afford to make an API instead of providing direct access to raw data.
Not like you as a delinquent customer willingly shared your information with that shitty debt collector organization that leaked it, so who's really responsible?
I'm sure the bottom feeders of the debt collection world don't exactly employ best practice security and data storage, color me shocked. Hope their E&O insurance is paid up at least.
Some recent hack exposed my name, address, email, and phone number. Now I regularly get emails that are just all these details and an attachment.