In light of the various ESP-related data breaches we've seen over the past couple of years, exposing email lists to spammers and to the world at large, this seems like something the email service industry ought to be keeping an eye on. A friend tipped me that Bill HR2221, the Data Accountability and Trust Act, has passed the House and is now in a Senate subcommittee.
The bill seems to require everyone "engaged in interstate commerce" to establish security policies and procedures, and directs the FTC to promulgate regulations to that effect. It "requires information brokers to: (1) establish procedures to verify the accuracy of collected information that specifically identifies individuals; (2) provide annually, and without cost, to individuals whose personal information it maintains a means to review it; (3) place a notice on the Internet instructing individuals how to request access to such information; (4) correct inaccurate information upon request; and (5) in the case of information brokers that do use data for marketing purposes, allow individuals to decide if their information can be used."
In the case of a data or security breach, it requires the breached entity to notify the FTC and all affected individuals within 60 days of the breach. It also includes requirements for notifying credit reporting agencies and, in some instances, providing credit monitoring.
Read all about it here.