After years of bipartisan cooperation on laws to protect consumer privacy, debates in Congress over protecting Americans’ personal information are becoming more partisan and, thus, more controversial. As a result, the outcome of future privacy legislation is less certain, making it harder for CIOs to predict what they will have to do to comply with new rules.
In November, the House Energy and Commerce Committee voted along party lines to send a consumer privacy bill—the Data Accountability and Trust Act (DATA)—to the House floor. It was the first time any federal security or privacy legislation had caused such a divide, observes Behnam Dayanim, a privacy attorney with Paul, Hastings, Janofsky & Walker. The bill, sponsored by Rep. Cliff Stearns (R-Fla.), would establish nationwide rules for companies when notifying customers of a data security breach that exposes their personal information such as names, addresses, credit card numbers and Social Security numbers. The Senate is considering a similar bill.
The law would preempt existing state laws and, according to privacy experts and Democrats, would weaken them. For example, unlike California’s notification law, which requires that companies tell customers of any security breach, DATA would require notification only if company executives determine there is “a significant risk” that information has been stolen. As such, scoffs Rep. John Dingell (D-Mich.), DATA’s notification provisions are actually “no notice” provisions.
Many companies, because they have customers in California, base their notification practices on the California law. Republicans say their bill will provide relief for these companies because it would cut down on notices about breaches that do not expose consumers’ data.
But the bill could make work for CIOs because it requires companies that store consumers’ personal data to identify security vulnerabilities and a method to mitigate them, something state laws do not demand.
Lawmakers will continue to wrangle over the measure this year. Meanwhile, Dayanim says, companies that store data from individuals from multiple states need to err on the side of caution and consider any security breach as requiring notification.