Feds get tough on data breaches
December 8, 2009 by Steve Hannaford
Posted in: Regulations & Compliance, Special Report

A major new federal data security law (Personal Data Privacy and Security Act of 2009) is gaining steam and is going to set new, more precise rules for the management and safekeeping of corporate and government data.
It may seem like Congress is unable to get anything passed these days, when inter-party wrangling and threats of filibuster seem to tie most federal legislation in knots. But the new act has just cleared a major hurdle, the Senate Judiciary Committee, with an overwhelming bipartisan vote.
The details are likely to change as the bill progresses, but there is no doubt that new, tougher rules on handling data breaches are on the way. Among the provisions likely to be included:
- New, stiffer federal penalties for identity theft
- An Office of Federal Identity Protection will be established as part of the Federal Trade Commission (FTC), which will monitor data breaches and enforce identity theft laws
- A new standard for breach notification. Companies and government entities will have to notify all individuals whose data has been compromised. In some cases, credit rating agencies and the US Secret Service will also need to be notified
- New standards for data protection, including encryption and safe data storage, will allow for some exemptions from the notification requirements, and
- Executives of companies that willfully avoid notification may be subject to criminal penalties.
While the new strictures might be harsh, they will likely replace a patchwork of 45 state regulations currently on the books, allowing companies to follow one single set of procedures and safeguards nationwide.

