An executive from IDAnalytics wrote an article about data breaches on CNet. It's worth a read to get the perspective of someone from the anti-fraud technology industry. It was written by Thomas Oscherwitz. vice president of government affairs and chief privacy officer of ID Analytics. He argues that data breach laws are being written such that they are obsolete very quickly. Because of how they are worded, fraudsters using sophisticated techniques, are technically not in violation of these laws. So he is advocating that any Federal data breach law needs to take into consideration a heck of a lot more than, for example, California Senate Bill 1386, the original data-breach law, passed in 2002. 

Oscherwitz says,

“This law requires notification for the compromise of a very narrow band of personal information--Social Security number, driver's license number, account number and credit card or debit card number. The law assumed that if a crook had this unique information, he or she could take over your identity. Unfortunately, this assumption is rapidly growing outdated.”