This week the House passed legislation that would set national standards for notifying potential victims of identity theft when their personal information that is stored electronically is improperly exposed. Under the bill, HR 2221 (Rush D-IL) businesses that hold consumers' personal data would be required to notify individuals within 60 days when their personal information has been breached. However, covered businesses would be exempt from the notification requirements if they determine there is no "reasonable" risk of identity theft. Businesses utilizing encryption technology are also deemed to be exempt from notification requirements. The bill also requires the Federal Trade Commission (FTC) to put in place regulations to require businesses to protect the personal information that they hold. Similar legislation in the Senate has yet to be brought up for a vote. NAR staff is working with the Senate to reduce the burden of such legislation on small businesses and independent contractors.