This bill was introduced last year and is making the rounds again. Some of the wording that IT management might want to read very carefully centers on their accountability when certain data breaches occur:
Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data, giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers, requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans, requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data ...
Are you an IT Manager?
Do you have a defined set of policies in place that spell out how you are "protecting" personal data? If so, how are you sharing them with your organization?
Do you have a documented security incident response plan in place if a problem occurs? How will you communicate with your customers? Do you know whether corporate counsel would need to help put together such a communiqué?
In many of the companies I have visited, the answer to these and other questions is "sort of".
Corporations (large and small) that deal with personal data need to take steps to firmly establish these types of policies, procedures and guidelines throughout their organization.