The House of Representatives approved the Data Accountability and Trust Act (HR 2221) (DATA) on 8 December 2009, and referred the bill to the Senate Commerce Committee. If enacted, DATA would establish sweeping obligations at the federal level for businesses across a wide variety of industry sectors to maintain reasonable security measures to protect Social Security Numbers (SSNs), driver’s license numbers, credit and debit card numbers, and other categories of sensitive personal information.

DATA would also require businesses to notify affected individuals, the Federal Trade Commission (FTC), and consumer reporting agencies about data security breaches involving such personal information, unless the information was encrypted or the business could otherwise establish that there was no reasonable risk of harm from the incident. DATA would also, in its current form, require businesses to provide free credit monitoring to individuals affected by a data security breach for two years (a costly obligation that typically has not been required by state laws), and contain other important provisions. DATA would establish strict penalties for non-compliance, up to a maximum civil penalty of US$10 million for violations of DATA’s requirements, and enforcement could be undertaken by the FTC or State Attorneys General.

Despite the burdens and costs of DATA, the good news for businesses is that DATA would largely preempt state data security and breach notification laws that have proliferated in virtually all fifty states over the past six years. Further action and consideration of DATA or other federal data security and breach notification requirements are expected in 2010.