The recent rash of security breaches, including those at Sony and Lockheed Martin, has helped focus the attention of the U.S. government on business practices for safeguarding consumer data and for notifying the general public about data breaches. Senator Patrick Leahy, a Vermont Democrat, said in a statement: “The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

Senator Leahy introduced a bill, known as the Personal Data Privacy and Security Act of 2011, which would set a national standard for notifying consumers of a data breach. Senator Leahy summarized the legislation in his press release:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the breach causes economic damage to consumers;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;
  • An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and
  • A requirement that the government ensure sensitive data is protected when the government contracts with third-party contractors.

The current state of the law regarding data breach notification requirements is unclear and difficult to comply with because most states have slightly different reporting requirements. Robert Holleyman, the president of the Business Software Alliance, which represents software makers, urged Congress to pass “a single, national standard to replace the unwieldy state patchwork we have today.”

Co-sponsors of this bill are Senator Chuck Schumer (D-NY), Senator Ben Cardin (D-MD) and Senator Al Franken (D-MN).