New ID theft laws are now taking effect in Pennsylvania and Hawaii to join the over 30 other states that have already enacted legislation similar to California’s groundbreaking laws like those discussed in Forrester’s report "California Law Establishes Duty Of Care For Information Security". Just as Michael Rasmussen predicted in 2004, the number and variety of information security and privacy laws are getting worse in the United States, and around the world. For your business, your best bet is to adhere to the strictest rules in your US operating jurisdictions, which often means California.
Ideally the federal government will act soon to unify identity laws and provide a reasonable minimum of protection and information loss reporting requirements. Until then, separate state rules will continue to terrorize corporate privacy execs.