Around the globe, countries are coming to face the need of legislative enforcement of personal privacy and information security issues. The state of California has enacted the Security Breach Notification Law in July 1, 2003, stating that organizations must notify California customers if personal information maintained in computerized data files have been compromised by unauthorized access. This law is apparently the reason we saw so many security breaches reported in the past few years, the companies involved, it's safe to assume, would have preferred to keep it quit.

A new law introduced in the 109th U.S. congress could create a loophole that would change the rules of the game. At the first glance, the Data Accountability and Trust Act seems like the national version of the local Californian law, but a closer look at the definitions following the body of the act reveals a somewhat different picture. The term "breach of security" is defined as an incident "that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates." In other words, companies that have experienced theft of digital personally identifiable information could decide whether or not that constitutes a security breach that should be reported.