What our country needs is a national data protection law--one that individual states and industries could opt to expand. This law would define baseline protections that must be afforded to personal information regardless of who is collecting, storing and using the data. Such a law would also mandate that the government define exactly what data elements are to be considered personal data. Anyone familiar with the existing regulations knows that what is considered personal in HIPAA is not the same for GLBA. And pending federal legislation--most of it focused on breach notification--doesn't definitively list the data types to be protected. Senate Bill 495, the Per-sonal Data Privacy and Security Act of 2007, is fairly comprehensive in the protection of sensitive personal information, but also fails to define protected data elements.