In addition to the legal obligation to implement security measures to protect corporate data, many laws enacted during the past few years impose an obligation to disclose security breaches to the persons affected. But unlike laws that impose a duty to provide security, these laws typically require only that companies disclose security breaches to those who may be adversely affected by such breaches.^[1]

For the most part, laws imposing an obligation to disclose security breaches began as a direct reaction to a series of well-publicized security breaches involving sensitive personal information over the past few years,^[2] and as part of an effort to address the problem of identity theft. A total of 44 states ...