Just two years ago, the number of privacy and security laws was limited and applied only to companies in certain industries, or those that had international operations. Today the number of laws is staggering. Many states have stepped into the breach and enacted legislation requiring data security, as well as notice to consumers when security breaches occur. Moreover, although there is no federal law that generally requires information security, recent Federal Trade Commission actions indicate that the FTC is, for the first time, imposing a generalized duty to establish information security via the Federal Trade Commission Act.

Compliance with these laws is not only a legal reality, but also a business one, as the frequent and well-publicized data security incidents demonstrate. New notice laws require companies to advise customers of the high-profile data security incidents that frequently make headlines. Companies must now deal with increasingly complex requirements that are not consistent across all states. The price of failure can be high — including significant penalties as well as unfavorable press coverage.