"who do carry liability when things go wrong" -> unless one pierces the corporate veil, it's just money. Not even their money. HIPAA - unless basically stealing data - will not generate personal liability. And even for SOX will only generate liability in limited amounts for limited people - and executives will go a long way towards avoiding the entire thing.
From what I have seen - most executives would rather shut down the business and quit than accept the possibility of personal liability - and just avoid the regions of the world in which they do have it.
From what I have seen - most executives would rather shut down the business and quit than accept the possibility of personal liability - and just avoid the regions of the world in which they do have it.