Shostack + Friends Blog Archive


Adding Silent Insult to Injury (Senator Sessions' "privacy" act)

I just skimmed Sessions' bill, which Chris linked to. It has a great provision for allowing the fox not only to guard the henhouse, but also to control the alarm system:

3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a reasonable investigation, or notification under paragraph (2), that a significant risk of identity theft exists as a result of a breach of security of the system of such agency or person containing such data, the agency or person shall notify any individual whose sensitive personal information was compromised if such individual is known to be a resident of the United States.

"Significant risk" is not defined, leaving a loophole large enough to drive a UPS truck through.

One comment on "Adding Silent Insult to Injury (Senator Sessions' "privacy" act)"

  • Jamie says:

    […] if such individual is known to be a resident of the United States.
    This is also a rather major loophole. Banks, for instance, verify residence, but not primary residence (I have a bank account in another state that sends statements to a family member's house; I happen to live primarily in the US, but also live abroad, and am not a US citizen. Even my local bank has no reason to "know" me to be a resident of the United States). Not sure if this is intentional, but it is at least sloppy.
