National Bill Would Require Companies To Report Data Breaches


The legislation mirrors recent recommendations by the Cyber Security Industry Alliance and California state law.



We'll see if a Democrat-controlled Congress is more interested in dictating how companies respond to data breaches than the last Republican-led one was.

Legislation introduced last week by Sens. Patrick Leahy, D-Vt., and Bernie Sanders, I-Vt., mirrors some recent recommendations from the Cyber Security Industry Alliance and is similar to a bill proposed last year. It would require companies to notify law enforcement and the individuals affected when data breaches involve personal information. It also would require companies and the government to establish controls to protect people's privacy.

For data brokers, it would force them to let individuals access their personal information and correct inaccuracies. For the government, it would require audits of agency contracts with data brokers and impose penalties on contractors that fail to meet privacy and security standards.

Leahy says data privacy is a priority because Americans' "most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer" (see story, "How Does The Hacker Economy Work?").

California was the first state with a strong data-breach disclosure law. Today, some businesses might welcome a federal law, if it would eliminate a patchwork of state laws with different rules. The risk, if a law ends up watered down during debate: one weak standard nationwide.


