Where Did the Data Go?

Computerworld - "Is our data missing?" Does that sound familiar? Just last month, hotel chain Marriott International Inc. disclosed that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida.
Major thefts and misappropriations of computerized personal and financial information are causing legislators nationwide to focus on this issue. Amid rising concern over the problem of identity loss, California and other states have enacted laws to give members of the public prompt notification that their personal information may have been misappropriated. Because the 2002 California law is the model that other states have followed in enacting data security breach notification requirements, several points should be noted with respect to that law.
General scope. The California law applies to any company that does business in the state and that owns or licenses computerized data that includes personal information. "Personal information" is defined as a combination of two categories of information: identifying information (i.e., a person's first name or initial and last name) and any item in a specific list of data elements -- Social Security number, driver's license or California ID card number, or a financial account number in combination with the account password, security code or access code. To constitute personal information, the security breach must involve both identifying information and one of the specified data elements but does not include publicly available information that is lawfully made accessible to the general public from government records.
Encryption. The notification requirements of the California law don't apply if either the personal identifying information or the data elements are in encrypted form.
What constitutes a breach? The term breach of the security of the system is defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business."
Who must be notified, and how? The California law requires reasonably expedient notification to individuals whose unencrypted personal information "was, or is reasonably believed to have been acquired by an unauthorized person." Notice may be on paper or in electronic form. There is a provision for so-called substitute notice if the cost of notifying individual consumers would exceed $250,000 or if the number of consumers to be notified exceeds 500,000. Substitute notice consists of all of the following efforts: e-mail notice to those consumers for whom the company has an e-mail address, conspicuous posting on the company's Web site and notification to statewide media. If a security breach takes place while the information is in the hands of