Citi did admit the breach promptly, however; delayed disclosure was a problem with Sony and other companies, which often waited weeks after the initial break-in before admitting they had been breached.
That will become illegal if a bill proposed by Sen. Patrick Leahy (D-Vt.) becomes law.
This is the fourth year Leahy, chair of the Senate Judiciary Committee, has introduced the bill, now called the Personal Data Privacy and Security Act of 2011.
It would require companies to report data breaches involving customers and carry criminal and financial penalties for anyone who "intentionally or willfully" hides a breach.
It parallels many of the requirements of the National Strategy for Trusted Identities in Cyberspace that the Obama administration introduced in April.
Leahy's bill is also similar to a set of security specifications and best practices the Commerce Dept. proposed be issued as voluntary guidelines to standardize minimum-level security.
Its report, with details on its suggestions and the scope of the threat against the $10 trillion spent online globally every year, is called Cybersecurity, Innovation and the Internet Economy (PDF).
The specifics are less important than creating a single federal standard to "replace the unwieldy state patchwork we have today," the BSA announcement read.
There's no real indication from inside the Senate of whether the bill's chances are better this year than any previous attempt, or whether either the Obama administration or the Commerce Dept.'s proposals will go anywhere.
Citigroup, Sony, bulk emailer Epsilon, Gawker Media, RSA, Google and Lockheed Martin are working as hard as they can to get it passed. Each has recently demonstrated security poor enough to allow high-profile data breaches causing the loss of hundreds of thousands or millions of customer records apiece,