Security breach notification laws

Starting with the first such statute enacted in California in 2002, 35 states have statutes patterned on the California law. These statutes generally require any entity that has suffered a security breach (i.e., an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information (“PI”)) promptly to notify any state resident whose unencrypted PI was or is reasonably believed to have been acquired by an unauthorized person.