BACKGROUND

Given that the data breach disclosure laws aim to ameliorate identity theft and privacy concerns, we start with an overview of other legislation in these areas. The first U.S. law that specifically addressed identity theft was passed in 1998 - the Identity Theft and Assumption Deterrence Act. The law was passed in response to the dramatic rise in identity theft in the 1990s. Prior to this act, ID theft was not regulated per se.

With regard to privacy, there is no provision for privacy in the U.S. constitution. There is no independent privacy oversight agency in the United States, and the United States has no comprehensive privacy law. Instead, the United States has taken a sectoral approach to privacy regulation so that records held by third parties (such as financial and personal records at banks, educational and personal records at universities, membership and personal information at associations, medical and personal records at community hospitals) are generally not protected unless a legislature has enacted a specific law. As a result, we have a patchwork of laws enacted to address privacy and data security. These are outlined next, starting with the laws that pertain to the federal government, followed by laws that pertain to the private sector and finally, state laws.