This should already be in practice but since it obviously isn't, the law is needed. The part that bothers me is this: "(C) is first made accessible to the public and collects or stores personally identifiable information of individuals, on or after October 1, 2012." Why shouldn't it apply to ALL sites and not just the newer sites? The older sites are likely to be less secure than the newer sites. There should also be something in the bill stating that the site's security must be constantly maintained (just like banks, etc.), as new vulnerabilities are revealed every week. Just because it is secure on day X doesn't mean it is secure on day Y.