There have been a lot of discussions this past week or two on the potential of ID theft in the exchanges. While people getting their ID stolen is bad, as a business owner my bigger fear would be losing my business because the exchanges allowed someone's ID to get stolen.
When I trade protected info with other firms we have Business Associate Agreements (BAA) and other written contracts that protect me if they fail to protect the data I provide them. If they screw up I would still get sued, which is just as bad or worse than actually losing, but hopefully would have some recourse. Cover my cost and any damages if it is proven to be their fault.
When CMS, IRS, or others require by law I send them data they sign no such agreement. Nor for the most part are they liable or susceptible to individual lawsuits from citizens.
Assume you're an employer who purchases your company health plan through the exchange. In doing so you provide them SSNs, health details, and other PHI. That info becomes compromised and ends up in the public and the hands of criminals. Who do you think gets sued? How much assistance would you expect from Washington in proving it was in fact them that exposed the data and thus your not responsible? How much in Attorney fees to prove it wasn't you and will you ever see that money back?