In a nutshell: don't keep private data (credit cards, SSNs, medical records, etc) keyed to users; rather, key these data from a hash of the username and password. This means one needs a username/password to match any secret data back to any individual.
If hackers managed to compromise such a database, they'd end up with gigabytes of disconnected facts, making identify theft much more difficult.
Most online retailers have poor security practices (for example, experts advise never storing credit card numbers; most online retailers do).
Barney Frank, Chairman of the House Financial Services Committee, is proposing legislation to hold retailers more accountable for data breaches.
Tightening up your data security procedures makes good business sense, even if not yet required by law. The privacy wall concept is worth considering.