During the past four years, 38 states have enacted laws mandating that consumers be notified when personal data that thieves could use to perpetrate identity theft is stolen from company computers. The Federal Trade Commission has also brought enforcement actions against companies for failing to properly protect sensitive personal data. The challenge, of course, is how to comply with 38 state laws while avoiding an FTC determination that a failure to protect personal data amounts to an unfair business practice in violation of 15 U.S.C. 45(a). This article provides an overview of these state laws and the FTC's regulatory approach, and suggests the proactive measures a company can implement before and after a data breach to minimize its potential liability under this new regulatory scheme.

California was the first state to legislate a response to identity theft in 2003 by enacting Calif. Civ. Code § 1798.82, et seq., requiring any business or person “that maintains computerized data that includes personal information that the person or business does not own … [to] notify the owner or licensee of the information of any breach of the security of the data, immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Id. at § 1798.29(a). The statutory purpose is to provide sufficient notice to individuals whose personal information has been stolen so they can take steps to prevent thieves from using it to empty their bank accounts or run up charges on their credit cards.