WASHINGTON - Sens. Thomas Carper, D-Del., and Roy Blunt, R-Missouri, introduced a bill this week that would establish national data security and notification standards.
The legislation would require financial institutions and other businesses that determine they have been hacked to do a thorough investigation of the breach and inform government officials. The bill also calls for businesses to notify consumer reporting agencies if sensitive personal information is compromised or the breach affects more than 5,000 people.
Under current law, data breaches are governed on a state-by-state basis, leading to fractured oversight.
"Despite the increasing frequency and scope of data breaches, there still is no single federal law that provides clear, consistent, and comprehensive protection to American consumers impacted by a data breach," Sen. Carper said in a statement. "Instead, consumers have to hope that they're covered by a patchwork of state-based data breach laws."
A similar measure was approved by the House Energy and Commerce Committee on Wednesday, but the House bill is less prescriptive than the Senate version and lost some of its Democratic support when its co-sponsor, Rep. Peter Welch, D-Vt., voted against it.
The Senate bill was first introduced in the last Congress and already has the support of financial trade groups. The Financial Services Roundtable said it calls for "the strongest data security standards of any previous legislation," and "lays out clear steps a firm must take in the event it suffers a breach that compromises consumer financial information."
American Bankers Association President Frank Keating applauded the fact that the bill would apply to all industries.
"This comprehensive approach would better serve consumers by requiring businesses to take whatever steps are necessary to adequately protect all Americans from identity theft and account fraud," he said.