National Bill Could Require Companies To Report Data Breaches

The legislation, introduced Tuesday by Sen. Patrick Leahy (D-Vt.) and Sen. Bernie Sanders (I-Vt.), mirrors some recent recommendations from the Cyber Security Industry Alliance. It would force data brokers to allow individuals access to their personal information and provide individuals with the ability to correct inaccuracies. It would also require companies retaining personal data to notify law enforcement of data breaches involving personal information.

It would require companies and the government to establish internal controls to protect people's privacy. It would require audits of government contracts with data brokers and impose penalties on contractors failing to meet privacy and security standards.

Leahy said data privacy is a priority because Americans' "most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer."

"This comprehensive bill not only deals with the need to provide Americans with notice when they have been victims of a data breach, but also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," he said in a prepared statement.

Pennsylvania Republican Arlen Specter is co-sponsoring the legislation, which is similar to a bill Specter and Leahy introduced last year. California was the first state to issue a strong disclosure law that requires companies to tell consumers if their personal information had been exposed to possible ID theft.

The Center for Democracy and Technology, which has pushed for data security and privacy legislation issued a statement saying it supports national protections as long as they do not undermine stricter state efforts. Leahy said state legislatures considering data privacy bills could use his proposal as a model.