How can a 21st century U.S. company do its best to comply with data-security-related obligations imposed by the various laws of 46 states? (Only Alabama, Kentucky, New Mexico, and South Dakota have not enacted laws requiring companies to provide notice of a data breach.) A company can implement practices and procedures designed to achieve maximum compliance with the laws adopted by the two states widely acknowledged to impose the strictest obligations: California and Massachusetts. In 2012, in different ways, these two states’ respective regulatory schemes addressing data breaches have become even stricter.

Over the past decade, California has enacted, and then amended incrementally, notice-of-breach laws designed to prevent identity theft. The first of such laws, enacted in 2002, is commonly referred to as S.B. 1386. California’s notice-of-breach statutes, including S.B. 1386, apply to all companies that conduct business in California (as well as to state and local governmental agencies). From day one those statutes, including Cal. Civ. Code § 1798.82, have protected every California resident’s electronic personally identifiable financial information (PII) by requiring notice to the affected individuals whose sensitive PII stored in unencrypted form is hacked, lost or otherwise compromised (a “data breach”).

The geographical location of that information is irrelevant, as is whether the PII possessor outsources storage to a service provider. Thus, the protection cuts a broad swath in the borderless universe of 21st century e-commerce in which most every company stores, or outsources storage of, information on consumers from all over the country. As with the notice-of-breach laws in most other states, California’s statutes have always had an automatic notice trigger once certain PII – a name coupled with other sensitive confidential information – has been compromised. There is no requirement that the company owning the data first assess the extent of the risk of identity theft created by the data breach.