to subscribers who did not have a permissible purpose.17

Based on the current state laws, it is clear that businesses should, at the very least, ensure that all names, addresses, account numbers, and other personal information of consumers are encrypted. This will minimize the risk that the business will have to notify consumers or law enforcement agencies should a breach occur. Until federal legislation is enacted, businesses must also be aware of the various state statutes governing the protection of data to determine whether they meet the standards. It may be useful to regularly consult with your attorneys regarding the requirements in the relevant jurisdictions. Ensuring that you comply with the statutes governing the storage of information will also decrease the risk of liability.

Although many state laws do not allow private causes of action based on the security breach laws, other claims based on breach of contract, misrepresentation, or negligence may not be precluded. For instance, consumers in many states can file lawsuits against companies whose security was breached, claiming that the companies negligently stored or protected the information. In addition to being diligent about data protection, companies should also review their contracts and sales materials to ensure that, beyond meeting all the statutory requirements, they are also fulfilling all of their promises to their customers.

Conclusion
Until federal legislation creates a uniform standard and possibly prohibits private causes of action for security breaches or notifications thereof, businesses must constantly familiarize themselves with the ever-evolving notification requirements for each state in which they do business. With diligent efforts, companies can reduce the possibility of liability for breaches in security.

Notes

1 Cal. Civil Code, § 1798.82(e).

2 Connecticut General Statutes § 36a-701b(a); 6 Delaware Code § 12B-101; Florida Statutes § 817.5681(d)(5); 815 Illinois Compiled Statutes § 530/5; Louisiana Revised Statutes § 51:3073(4); 10 Maine Revised Statutes § 1347(6); Minnesota Statutes § 325E.61(e); Montana Statutes § 30-14-1704(4)(b); Nevada Revised Statutes § 603A.040; New Jersey Statutes § 56:8-161; 73 Pennsylvania Statutes § 2302; Rhode Island General Laws § 11-49.2-5(c); Tennessee Code § 47-18-2107(a)(3); Texas Business & Commerce Code §§ 48.002, 48.103; Washington Revised Code § 19.255.010(5).

3 Indiana Code § 4-1-11-3; Ohio Revised Code § 1349.19(A)(7).

4 Ark. 4-110-103;

5 Georgia Code § 10-1-911(5); 10 Maine Revised Statutes § 1347(6).

6 North Carolina General Statutes §§ 75-61(10), 14-113.20(b).

7 North Dakota Statutes § 51-30-01(2)(a).

8 New York General Business Law § 899-aa(1)(a)-(b).

9 Louisiana, New York, North Carolina, Ohio, and Texas have enacted statutes that require notification even if the personal information data is encrypted.

10 Notification of Risk to Personal Data Act, S.B. 1326, 109th Cong. (2005).

11 Identity Theft Protection Act, S.B. 1408, 109th Cong. (2005).

12 Personal Data Privacy and Security Act, S.B. 1789, 109th Cong. (2005).

13 Financial Data Protection Act, H.R. 3997, 109th Cong. (2005).

14 Data Accountability and Trust Act, H.B. 4127, 109th Cong. (2005).

15 In the Matter of Superior Mortgage Corporation, FTC Docket No. C-4153 (December 14, 2005).

16 In the Matter of DSW, Inc., FTC Docket No. C-4157 (March 7, 2006).

17 United States v. ChoicePoint, 1:06-CV-0198 (N.D. Ga. 2006).
