Requiring disclosure of data breaches is one of those consumer-friendly goals that gets talked about a lot. But passing it into law? That's another story.
The 2009 Data Accountability and Trust Act passed the U.S. House of Representatives but died in the Senate. The Obama Administration, meanwhile, unveiled an expansive cybersecurity proposal last year that included a data breach provision.
It read:
"Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual."
The White House fact sheet on the proposal said the disclosure requirement "helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements."
"The president put a lot of effort into developing a comprehensive and generally widely-praised privacy protection platform," said Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group. "We want it stronger; industry wants it weaker, but it is pretty substantive."
But Obama's platform remains in the proposal stage. Other aspects of the cybersecurity debate have kept Republicans and Democrats from passing legislation.
"The privacy issue is tied up on the Hill for a variety of reasons -- partly because privacy and consumer groups do not want it to preempt stronger state laws, but industry special interests do; because those industry groups also want it to be watered down as well as ensure that it preempts ALL stronger state laws," Mierzwinski said. "Those special interests want to defeat any privacy law that might impact their wild-west use of personal information on the Internet."
The fight in Congress has dragged on so long that the Obama administration is reportedly considering an executive order on cybersecurity, although it's not clear that such an order would include a data breach disclosure requirement.
The executive order "only initiates agencies to start policies and practices. Most likely it won't require public disclosure. It may not even mandate private disclosure to the government," said Mark Jaycox, policy analyst with the Electronic Frontier Foundation, a think tank dedicated to free speech, privacy and consumer rights issues.
With no new requirement on the books for companies to disclose data breaches, we rate this a Promise Broken.
Data breach disclosure requirement has yet to materialize
Our Sources
WhiteHouse.gov, "Fact Sheet: Cybersecurity Legislative Proposal," May 12, 2011
Email interview with Ed Mierzwinski, consumer program director for the U.S. Public Interest Research Group, Nov. 16, 2012
Email interview with Mark Jaycox, policy analyst with the Electronic Frontier Foundation, Nov. 16, 2010
Associated Press, "Draft order seeks to improve US digital defenses," Sept. 10, 2012
THOMAS, Cybersecurity Act of 2012, introduced July 19, 2012
Email interview with Eric Schultz, White House spokesman, Nov. 14, 2012