Breach notification laws fall into two different categories: volume-based and threat-based.
Volume-based notification laws require notification to all potential victims if a certain number of records has been compromised.
Threat-based notification laws require a threat assessment to determine how likely it is that the lost information will result in identity theft. The threat assessment looks at what sort of information was stolen and how likely that information is to be used.
Most breach notification laws say that if a certain number of records are compromised, a public announcement of the breach is all that is necessary. In other words, you may not receive notification about the breach unless you watch the news or read the newspapers.
Breach notification laws almost always have a “loophole”. If the data is “encrypted” and the encryption key has not been lost, the information is considered secure even if it is lost. This means you may never find out that the company lost your information, but it makes little difference since the information cannot be accessed anyway.

