Breyault said the suicides that have reportedly been linked to the hack were examples of how devastating it is for individuals to see their personal data released to the public, and believes it's time for Congress to act on a bill that would require a baseline of protection for any company that collects consumer data.

"Regardless of whether you think it's sensitive or not, it can be misused against you," he said.

As an example, he said a thief could view a Facebook user's list of family members, call up the user's elderly relatives, and say their grandson or granddaughter is in jail and needs bail money.

"Obviously you can make a moral judgment or not about whether the people at Ashley Madison deserved it, but certainly I think we should all be concerned that the data was not protected and we're seeing the harm that was caused by that," he said. "What happened at Ashley Madison could just as very easily have happened, and could happen, at a site that was used by grandmothers to exchange recipes, and they could still suffer harm from that. Data is sensitive regardless of where it's placed, and that's why we think it's so important that we have national data security standards. Because right now, they really don't exist except for certain types of data like financial data or health data, which are covered by federal law."

Prior to the Ashley Madison hack, Americans had already been hit by massive breaches targeting retailers and the government, including a compromise of records belonging to more than 22 million Americans who had submitted sensitive information to apply for security clearances. In response, the House passed an expansive bill in July that would force companies to share access to their computer networks and records with federal investigators. However, some members of Congress are worried that this approach to the bill will be ineffective. Breyault said the NCL stands behind Sen. Patrick Leahy's (D-Vt.) efforts to address the balance between cybersecurity and the privacy rights of Americans.

"I agree that we must do more to protect our cybersecurity, but we should not rush to pass legislation that has significant privacy implications for millions of Americans," Leahy said in a statement. "We must be thoughtful and responsible. Attempting to stifle meaningful debate and pass this bill as an amendment to the defense bill is the wrong answer. That is not how the United States Senate should operate."

As the Senate prepared to take up the Cybersecurity Information Sharing Act, Leahy and Sen. Mike Lee (R-Utah) worked together to "protect Americans' emails and other private information stored in the cloud."

Lee and Leahy filed the bipartisan Electronic Communications Privacy Amendments Act of 2015 as an amendment to bill, which requires law enforcement agencies to obtain search warrants based on probable cause before accessing private data. It also replaces the obsolete "180-day rule," which allows warrantless access to older emails.

This bill is now sitting in the Senate, awaiting Congress' return from the August recess, but only a handful of amendments to the bill will be heard.

Breyault said the current law is not adequate enough to force companies to implement baseline standards that would protect them from hackers.

"We're talking about huge amounts of data that are being put out there by consumers and collected by companies," he said. "There are no data security requirements for most of them, at least in law. We think that's completely unacceptable. We think there should be a national law, perhaps regulated by the FTC. You must have reasonable data security because right now, as I read the law, as long as you don't say you're going to protect the data, there are no consequences if somebody gains access to it in an authorized way."

Breyault said that while consumers should hold companies accountable if they fail to protect their data, that doesn't replace the need for legislation.

"I think that's an important part of any national security data standard," he said. "And you see that in states like California, for example. But access to the courts isn't the end all, be all of national data security protection because frankly, most consumers don't have the means to bring these suits on their own. Not all trial lawyers are going to be interested in every data security suit. So we think it's important to have cops on the beat in federal enforcement agencies and states' offices of attorney general who can be there to ensure businesses are protecting that data."

Breyault said as companies focus on mining data to provide more relevant advertisements and better coupons, they should be forced to invest in security as well.

"Ashley Madison marketed itself as a discreet place where adults who are interested in cheating on their spouse also could find others who are interested in the same thing," he said. "They were very clear in their marketing materials that this was private, this was discreet – all, I think, language that would give consumers the impression that the service they're providing is going to be protected."

He said even consumers who took steps to protect their data while using the site (such as government employees) through burner credit cards and faux email addresses, for example, were still exposed because their IP addresses were discovered.

He added the data hack targeting the Office of Personnel Management was another wake up call for Congress that a bill needs to be passed.

"The OPM breach I think is in many ways even more disappointing in terms of what the expectation was in regard to securing data than the Ashley Madison hack was," he said. "Consumers were actively asked to provide extremely sensitive data that was used for security clearances about their lifestyle choices and debts they may have, and the fact that the government would not protect that data with some really rudimentary security protections is inexcusable."