Direct Marketing Services Inc. this month is belatedly contacting approximately 51,000 customers whose credit card account data were exposed last December when hackers broke into the computer systems that store customers' transaction data from major card brands.

David Milgrom, president of the Chicago-based online marketing and catalog company, tells CardLine that Direct Marketing addressed the breach immediately, paid fines and now complies with the Payment Card Industry Data Security Standard. But Milgrom says he was unaware of laws in 44 states that require companies to notify customers when hackers breach personal information stored on their computers.

"We contacted a dozen different service providers, including Visa and Chase Paymentech LLC, and although we would have been happy to follow up with consumers, no one mentioned that we were required to do so. Call us naive," Milgrom says.

An undisclosed computer-security firm under contract with Citigroup initially detected the breach, which exposed the credit card account numbers of customers who had made purchases on Direct Marketing's Wards.com Web site. The breach became public this month when Affinion Group Inc.'s CardCops, a payment card security firm, publicized its interception of e-mail messages about several hundred of the breached records being offered for sale. Milgrom says card issuers already have contacted most of the affected cardholders, but Direct Marketing also has started doing so.

In March, Senate Judiciary Chairman Patrick Leahy, D-Vt., and Sen. Arlen Specter, R-Pa., wrote to Senate Majority Leader Harry Reid and Senate Minority Leader Mitch McConnell, urging swift consideration of the Leahy-Specter Personal Data Privacy and Security Act, which includes provisions for protecting consumers' private data and would require breached companies to notify affected consumers on a timely basis. The bill, which was introduced last year and has passed through the committee-discussion process, awaits action by the full Senate.