New data security bill introduced

27.06.2006
A bill introduced Monday by Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-Del.), both of whom serve on the Senate Banking Committee, joins a growing list of data security measures now pending before Congress.

The proposed Data Security Act of 2006 seeks to create a national data protection and breach notification standard.

"This bill would require all financial institutions, retailers and government agencies to maintain strong internal safety protections for the data they hold," Carper said in a statement. It would also require them to "quickly investigate" security breaches and to notify law enforcement, regulators and customers when there is a real risk of harm, he said.

The proposed bill would expand the reach of current laws that require only financial institutions to protect the security and confidentiality of customer information, Bennett said in a separate statement.

The Bennett-Carper legislation is modeled after the Gramm-Leach-Bliley Act of 1999 and will require federal and state regulators to enforce compliance with the law and to make sure that data security procedures are uniformly applied.

If covered entities fail to comply with the measure's requirements, regulators would be allowed to levy fines, impose corrective measures or "even bar individuals from working in their respective industries," according to a statement on Carper's Web site.

The latest proposal comes amid heightened calls for some sort of federal data security legislation in the wake of recently disclosed breaches at the U.S. Department of Veterans Affairs and several other government agencies.

There are already at least 10 other pieces of legislation pending before Congress, all of them introduced before the VA breach. Among them is the Financial Data Protection Act of 2005, which the House Financial Services Committee passed in March. That bill is designed to give financial services companies a national standard for securing personal data and notifying customers in the event of a breach.

That proposed legislation has drawn intense criticism from privacy advocacy groups who say it would undermine stronger state laws already in place by giving companies too much leeway in deciding when to disclose breaches.

Another example of pending legislation is the Data Accountability and Trust Act (DATA), which was introduced in October by Rep. Cliff Stearns (R-Fla.). That bill would require companies to notify consumers of security breaches involving their data and would give the Federal Trade Commission the authority to enforce compliance.

The measure would also require data aggregators, such as ChoicePoint Inc., to keep the FTC informed about plans for safeguarding private data and to submit to periodic audits in the event of a breach. Stearns' legislation has also drawn fire for allowing companies too much discretion in deciding when to notify regulators and others about breaches.