This Note argues that current law is inadequate to protect consumers in light of the prevalence and severity of data breaches in recent years, and that a unifying federal legislation combining portions of state law and the DSBNA should be enacted. Part I of this Note analyzes the DSBNA for notification requirements when data breaches occur, the requirements for the implementation of security policies, regulatory mechanisms for monitoring compliance with these requirements, and criminal penalties for failing to comply. Part II summarizes the various state laws that exist for notification of data breaches. Part III proposes a model federal statute that combines aspects of the DSBNA with current state law. Specifically, Part III argues that a preemption provision is important for creating a unified federal standard, but that provision should create exceptions for robust protections that consumers already enjoy under state law. It also argues for the inclusion of a private right of action for consumers, the removal of a reasonable risk of harm analysis, and a provision that mandates cyber risk insurance for certain covered entities.