Atlanta, Georgia (CNN) -- Like most college students, Jake McCoy had to apply for several loans to pay for his education.
After a rigorous check of his credit, he secured the loans and has been paying them back since graduating from Baylor University in May 2006.
Then, in October 2008, he received a letter from Baylor with bad news: A laptop computer with his account information had either been stolen or misplaced.
"They told me my information was on it, and that's pretty much it," McCoy said. "I assumed that my information was in good hands; it was so hard to get the loans that I figured surely they'd protect it very well."
The university set up a credit monitoring service for McCoy, now a first-year medical student at Baylor. The service expired in a year, and McCoy worries that he's still at risk for being on the hook for thousands of dollars that someone using his identity could spend.
"The biggest concern is always that you don't know what someone is going to do with your financial information," said McCoy. "I was really worried that someone out there was going to be ruining my credit and how big of a headache it would be to resolve it."
And McCoy is not alone. In March, a portable media device with personal data for more than 3 million people was stolen from Minnesota-based Educational Credit Management Corp. It is believed to be the largest breach of its kind.
As in other cases, the thieves who stole the USB drive may not commit identity theft themselves, according to Jonathon Giffin, a system and software security researcher at the Georgia Institute of Technology.
"They may sell the information to others who have the knowledge of making money from those identities," Giffin said.
Most credit card companies and banks offer some recourse if a customer becomes the victim of internet fraud. But when personal information is lost because a company is the victim of crime, it is often unclear who is ultimately responsible.
There are U.S. laws that hold companies accountable when major breaches occur, and new legislation is being considered. The Personal Data Privacy Act of 2009 would require companies to notify, in writing, anyone affected by a security breach.
Under the act, which is still pending a vote in Congress, companies would also be required to notify major media outlets if there are more than 5,000 people affected by a security breach.
The company that carried McCoy's loans simply provided him with a basic $15 credit monitoring service that lasted for one year.
"For me, it's not a one-year ordeal," said McCoy. "If I had ruined my credit, it would have taken me forever to get back on track. One year was a nice gesture, but I definitely wish it would have been more than just a year."
More than 350 million personal records at hundreds of universities, government agencies and businesses have been at risk because of data privacy breaches since 2005, according to the Privacy Rights Clearinghouse, a nonprofit group that publishes reports on cybercrimes.
Sometimes, that's a result of simple mistakes, and other times, it's the result of a criminal act. Either way, Giffin says everyone needs to protect their personal identity.
"We can encourage organizations to try to protect our data using mechanisms such as data encryption, so that if a USB drive or a laptop is stolen, the data is encrypted and cannot be retrieved," he said. "But we would be relying on companies to do that for us."
Encryption causes a slowdown for companies. System users would have to encrypt and decrypt the data every time they access it, which creates extra work, and companies may not have an incentive to pay for safer data.
New legislation could change the way companies look at data safety costs. The Data Accountability and Trust Act, which has been passed by the House and awaits a vote in the Senate, would protect consumers by requiring companies to take reasonable measures to protect data containing personal information.
If a security breach occurs, companies would be required to provide nationwide notice. But even if the bill is enacted, it may not be enough. Laws dealing with internet protection haven't always been able to keep up with evolving cybercrimes.
But that doesn't mean there hasn't been any progress in the ongoing battle to protect personal data, according to Adam Palmer, the lead adviser on cybersecurity issues for Norton.
"There are some very good, tough laws right now on both the state and federal level, and there's a lot of legislation in the pipeline to try to address some of these crimes," said Palmer, a former cyber-crime prosecutor.
But new challenges exist for fighting crime in a virtual world. Palmer says cybercriminals often use sophisticated technology to launch attacks.
"You can't go to a crime scene and take pictures and interview witnesses, so it's in some ways a very old crime that still relates to stealing money, stealing people's identities," he said. "It's done with such complexities, that makes it very difficult for prosecutors."
Giffin says there has been a significant shift in cybercrime over the last decade, including new techniques such as "botnets," networks of compromised computers that can transmit viruses to other computers without their owners' knowledge.
Although cybercriminals continue to develop new methods of attack, there are no new ways for users to protect themselves other than what experts have advised for years:
• Maintain good security practices
• Exercise greater awareness of how your information could be used
• Check credit reports
• Tell your financial institutions to track your accounts
• Report any cybercrimes to law enforcement
But even in doing so, consumers -- like McCoy -- still face a potential risk when their personal information is in the hands of others.
McCoy says he is more careful with his information, and he hopes that businesses take more precautions with their customers' personal data.
"It still put that doubt in my mind about how easy it could be for businesses that I trust to lose my information or have it stolen," McCoy said.
"I don't know why they were carrying around information on a laptop. I feel like they should be a little more protective with information than that."