On January 6, 2009, Senator Dianne Feinstein introduced the Data Breach Notification Act, introduced in the Senate as S. 139. Read below for some of the bills notable highlights:

“Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.”

And how about one of the provisions for enforcement of the bill, which states the following:

“Civil Actions by the Attorney General- The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this Act and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.”

To sum it up, compliance, as I stated earlier, is alive and well.

Visit the official SAS 70 Resource Guide and the official PCI DSS Resource Guide to learn more about two of the most well-known compliance initiatives currently affecting organizations in today’s business environment.