Did you hear about the Whole Foods data breach?


http://ift.tt/2ytUJKi

Shoppers at various Whole Foods locations found out in late September they may have been the latest victims of a data breach, which in recent years have become infuriatingly common.

The grocer announced on Sept. 28 that it had “recently received information” about a third party having “unauthorized access” to payment card information at venues including taprooms and restaurants within Whole Foods stores. It created a database consumers can check, to determine whether a location they visited was impacted.

This announcement came just a few weeks after credit agency Equifax announced its own breach that potentially impacted some 145 million U.S. adults, and caused concern and confusion among consumers who were informed their personal data was at risk.

In comparison, the breach at Whole Foods was met with relatively little outcry, likely because it impacted fewer consumers. But publications including Gizmodo have pointed out that Whole Foods has provided little information about the breach.

Consumer advocates have called for companies to notify consumers “as soon as possible” about data breaches, including Justin Brookman, the director of consumer privacy and technology policy for Consumers Union, the policy and mobilization division of Consumer Reports.

Whole Foods did not respond to MarketWatch’s question about when it originally discovered the breach and how long it took to tell consumers about it.

The news, regardless of the size of the breach, was lost amid the bigger Equifax news, and may indicate a larger problem: Consumers have become desensitized as more breaches have occurred and sometimes feel helpless. “Consumers are getting breach fatigue,” said Rick McElroy, a security strategist at the firm Carbon Black.

But many consumers are worried about their personal data, and lawmakers are growing weary of the slew of data breaches, McElroy said. Between incidents at the Internal Revenue Service, insurance company Anthem and most recently at Equifax, it has become increasingly likely that American consumers have had a personal brush with a data breach.

Companies’ responses to these breaches have come under scrutiny, especially after reporters uncovered that Equifax discovered its breach July 29, but waited until September to tell consumers. Several Equifax executives sold almost $2 million of their Equifax stock, after the breach was discovered but before consumers knew about it.

There can also be legitimate reasons for not telling consumers immediately after a breach is discovered, McElroy said. A delay in telling them sometimes happens because of behind-the-scenes investigations that help companies determine the extent of the damage. “Until the company knows exactly the data set that went out, they’re probably not going to make an announcement,” he said. “That does add time.”

Amazon also announced in June that it was buying Whole Foods, so it was potentially a sensitive time for the grocery store chain to announce a breach. But it’s difficult to speculate whether that impacted the timing of the breach announcement, McElroy said. He also said it’s hard to say whether the aftermath of the Equifax breach impacted how Whole Foods or any other companies have handled their own breaches.

Here’s what consumers should know about the aftermath of these recent breaches.

Lawmakers call for federal rules to hold companies responsible

As breaches have become increasingly common, some lawmakers have called for national laws to regulate companies’ responses and responsibilities to consumers. There are currently two bills that have been introduced, one from Edward Markey, a Democrat from Massachusetts, and one from James Langevin, a Democrat from Rhode Island, designed to protect consumer data. But it’s unclear when or if Congress will vote on them.

There have been previous efforts to pass similar laws, which Congress did not vote through.

“Over the years, Congress has acted to establish better communication and coordination between the government and private companies to thwart attacks,” said House Majority Leader Kevin McCarthy after the Equifax breach. “We must…recommit to a comprehensive approach to defend against and defeat cybercriminals and terrorists.”

Whole Foods began an investigation with the help of “a leading cybersecurity forensics firm” and law enforcement when it first learned of the breach, the company said. And despite Amazon’s announcement in June about acquiring Whole Foods, Amazon’s and Whole Foods’s systems were not connected.

But for many consumers that explanation falls short, said Adam Levin, the chairman and founder of security firm CyberScout, and the author of “Swiped.” He says companies should show “urgency, transparency and empathy” when they discover a data breach, and the lack of details surrounding this one is concerning.

Individual states have their own laws about data breaches

Some critics have said the laws regulating data breaches in the U.S. are confusing, because they vary by state and there is no nationwide standard.

The New York Times reported that Equifax has actually lobbied against efforts to create more regulations on cybersecurity issues. Equifax did not immediately respond to MarketWatch’s request to comment.

U.S. states and territories, with the exception of Alabama and South Dakota, have their own laws about how quickly and in what ways companies must inform state residents about data breaches when they occur.

Vermont, for example, requires companies to notify consumers of security breaches “in the most expedient time possible and without unreasonable delay,” and states that cannot happen “later than 45 days after the discovery or notification, consistent with the legitimate needs of the law enforcement agency.” The state did not clarify what consequences businesses would face for not informing consumers promptly.

Michigan requires companies to contact the individual whose data has been breached, either by mail at their postal address or by electronic notice.

And Arizona has made identity theft a felony charge, whereas many other states have not.

There are also payment organizations that have their own standards for payment card security, such as the PCI Security Standards Council, which was founded by major payment companies including American Express, Discover, Mastercard and Visa.

Some states, including California, also have their own online databases.

Although some members of Congress have expressed desire to create more national laws about data breaches, it could take years for that to become reality, McElroy said.

You can sue companies for data breaches

Consumers who are upset in the wake of data breaches sometimes choose to sue the companies that mishandled their data. After the Equifax breach, several individuals filed class-action lawsuits against Equifax.

But the amounts consumers are awarded in those types of suits can be small, McElroy said. The Consumer Financial Protection Bureau announced a final version of a rule in July that would guarantee consumers the right to sue financial institutions, rather than forcing consumers to use arbitration outside of court instead.

The House voted in July to repeal that rule, and it now faces a vote in the Senate. Depending on the Senate’s schedule, it’s unclear when or if the vote will take place.

As long as the Senate does not also vote against the rule, it will go into effect in March 2018.

Consumers should be on high alert right after breaches

Because data breaches have become so prevalent, consumers should check their bank account and credit-card statements constantly for any suspicious charges, McElroy and Levin said.

Consumers should actually be on high alert right after breaches, Levin said, because those tend to be times when hackers use “phishing” scams. After a breach at a retailer like Whole Foods, fraudsters might email pretending to be the grocer and send consumers a malicious link. (In fact, a similar problem occurred last week on Equifax’s website.)

via MarketWatch.com – Top Stories http://ift.tt/dPxWU8