Other states have enacted similar laws, and so could Congress. As of August of last year, at least 17 other states have enacted data-breach security notification laws similar to that in California. Although many of those states followed the California model without any essential changes, it's important to be aware that there are a few state enactments with significant differences from the California law.

In particular, companies with multistate operations or that maintain databases that are likely to contain information about consumers in more than one state should scrutinize these individual laws to determine applicability and requirements specific to those states. (Some of the differences in the laws enacted by other states include adding to the list of specific data elements that may comprise personal information and exempting certain "technical breaches" of security from the notification requirement.) Congress is considering bills that would impose a national standard for notification of security breaches that involve consumer data.