In the aftermath of many well publicized data breaches, in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is or may have been compromised in a database. But recent reports citing ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found notification laws only reduce identity theft by around 2 percent) and a growing sense that notification laws don’t prevent the problem, have caused some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted different legislation aimed at prevention, and Washington and Michigan are actively considering new measures.