Microsoft thinks it's very important to have clear and balanced laws in both areas. "We are supportive of this because we see it as essential in the long term for building a healthy marketplace," Smith said.
Laws around the use of personal data by companies would help track down security holes, said Chris Hoofnagle, a professor at the University of California Berkeley School of Law.
"We have no ability to tell how personal information traverses the market economy," he said. As a result, if someone tries to sue a company because of identity theft, the company has a great defense because hundreds of organizations likely have the same personal information about the person. That means the person can't prove where the data leak happened.
Companies are notoriously reticent to say who they sell customer data to. Hoofnagle and his students sought to collect a list of companies that the top 100 websites sell customer data to. They reached out to the websites and most didn't respond, others declined to share the information and others said they didn't know, he said.
While it might be complicated to put systems in place to govern the flow of personal data, the concept isn't unprecedented, said Jan Whittington, assistant professor at the University of Washington. "We have put in place extravagant systems to protect consumers," she said. For instance, the U.S. has elaborate systems to ensure that clean water flows through taps in people's homes, she said.
While all of the panelists agreed that some reform is necessary to at the very least clarify existing laws, most thought such reforms are likely under the current Congress.
Sign up for CIO Asia eNewsletters.