I recently read this in a post by Mark Tordoff at the Compliance and Security Connection blog:
"The issue is the variation between the different state consumer notification laws. Of the 38 states that currently have a law on the books, 18 require notification of any breach, while 20 require notification only when risk of harm is present. All 38 provide exemptions if the compromised data was encrypted. Finally, 24 states require that, in addition to the affected consumers, certain government officers or agencies must be included in their notification."
"Another variable is when the consumer must be notified. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami."
A good statement of the situation, but a narrow definition of the problem.
The problem is more extensive. As a nation we seem to be in our infancy regarding data breach notification and identity theft. A year ago, far fewer states had any type of identity theft law. Before California in 2003, there were none. We still don't have a good profile of the typical identity thief. We still don't have a good sense of how many companies employ effective data security processes. (See the TJX debacle.)
Even with the above laws, some states have exceptions where the company is not required to notify identity-theft victims of its data breach. In Massachusetts' new identity theft law, there is one notification exception called "Substitute notification." If notification is too expensive for a company, they can opt for a more general notification approach (e.g., print or online ads) instead of notifying each identity theft victim individually via postal mail.
While a federal breach notification law seems tempting, I don't see it as an effective solution. Too many companies have business units in other countries or employ offshore outsourcing subcontractors -- methods to avoid the laws. Some companies (like IBM) archive employee and former employee data forever -- increasing the risks to the company and to its former employees. And the existing notification laws don't seem to cover the full scope of companies that trade consumers' sensitive personal data, like C.L.U.E. insurance reports from Choicepoint.