According to Privacy Rights Clearinghouse, a consumer organization, nearly 50 million people have had personal information exposed in 44 incidents this year.
Last month, MasterCard International revealed that 40 million credit cards of all brands were potentially exposed to fraud when an intruder broke into the network of payment processor CardSystems Solutions.
In June computer tapes with data on 3.9 million CitiFinancial customers were lost en route to a credit bureau.
Alarmed by the breaches, federal lawmakers have proposed nearly a dozen measures to boost privacy.
At a June 16 Senate hearing on identity theft, Sen. Gordon Smith (R-OR) said he planned to introduce bipartisan legislation that would include “a national obligation” for firms to safeguard sensitive data and a “balanced breach-notification trigger.”
A survey by the Cyber Security Industry Alliance showed that more than seven in ten respondents said new laws are needed to protect consumer privacy on the web, and almost half said they avoid buying on the internet for fear their financial data might be stolen.
There are defensive steps businesses can take, said Jeff Smith, Tumbleweed Communications’ CEO, including not storing sensitive data unless necessary, and encrypting it.
“This is a red-hot issue for the public. They want Congress to act,” stated Dan Burton, Entrust vice-president of government relations.
“They are curtailing online transactions, so there’s a real market impact that’s being felt.”
The private sector wants a national breach notification law, he said, which would supersede the growing number of state notification laws.
Chris Voice, Entrust’s vice-president of technology, said industry is pushing for the law to include a “safe harbor” provision for encrypted data.
But this debate misses the need for a privacy debate, said Mark Rasch, chief security counsel at Solutionary.
“There’s no concept of what information should be private and what shouldn’t be, or what people should be allowed to collect and use and for what purposes,” he said.