It has been a bad year for data security. The Privacy Rights Clearinghouse, a consumer advocacy group in San Diego, has counted 80 data breaches since February, involving the personal information of more than 50 million people. The sensitive data--names, Social Security and credit card numbers, dates of birth, home addresses and the like--have either been lost by or stolen from companies and institutions that compile such data.

In response, more than a dozen bills have been introduced in Congress this year.

Companies that compile, trade and store consumer data, while largely resigned to the idea that new legislation will hold them to a higher standard for security, want to minimize the impact of any new law, maximize their discretion when it comes to notifying consumers of breaches and limit their liability when they do spring leaks.

A bill introduced by Sen. Jeff Sessions, Republican of Alabama, for instance, simply requires businesses to improve security on the data they carry and to notify consumers only if there is a "significant risk of identity theft."

But proving a "risk of identity theft" is nearly impossible, said Chris Jay Hoofnagle, senior counsel with the Electronic Privacy Information Center in Washington, a public interest research center.