Modeled after California's S.B. 1386, the California Security Breach Notification Act, many states have adopted similar laws that require any person, business, or state agency that collects and stores personal customer information to notify individuals when their unencrypted personal information was, or is reasonably believed to have been, put at risk by a data security breach.