In the spring and summer of 2005, the headlines of America’s major newspapers provided a constant reminder of an issue about which Americans have grown increasingly worried: data security. Rather than publicizing the war in Iraq or the buzz over potential Supreme Court nominees, these headlines warned: “Info theft slams chain: 1.4 million card numbers stolen;” “Poll Says Identity Theft Concerns Rose After High-Profile Breaches;” “Data Security Breaches Alarm Consumers.” In the previous few months, a series of high-profile companies such as Bank of America, Reed Elsevier Group’s LexisNexis, PayMaxx, Choice Point, and SAIC had announced that millions of records containing consumers’ personal data in their custody had been lost or stolen, putting these individuals at risk for identity theft and similar injuries. Responding to rising consumer alarm, Senator Patrick Leahy of Vermont, whose own data had been misplaced by Bank of America, and Senator Arlen Specter of Pennsylvania responded with The Personal Data Privacy and Security Act of 2005 (“2005 Privacy Act”). The bill proposed a series of new requirements for corporations’ handling of personal data, new penalties for data theft, and new provisions to notify individuals whose personal data was compromised