"The protection of data, particularly data that can be used to identify individuals, has become an issue of great concern to Congress. There is no comprehensive federal law governing the protection of data held by private actors. Only those entities covered by the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801-6809, (certain financial institutions) and the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §1320d et seq., and amendments to HIPAA contained in the Health Information Technology for Economic and Clinical Health Act (HITECH Act), P.L. 111-5, (certain health care facilities) are required explicitly by federal law to report data breaches. If private companies have indicated in their privacy policies that they will notify individuals upon a suspected data breach, failure to provide such notification may be considered to be an unfair and deceptive trade practice under Section 5 of the Federal Trade Commission Act (FTC Act). However, the FTC does not explicitly require private actors in possession of data related to individuals to notify individuals or the federal government should a data breach occur. Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification upon a data security breach involving personal information. However, these laws may vary in their application. They may only apply to certain entities or to certain data. Furthermore, companies maintaining stores of personal data may find it difficult to comply with the potentially different requirements of various state laws."
CRS Report for Congress, R42474