Federal and state laws require companies to notify the government and the affected customers when hackers compromise the network and steal customers' private data.
The Gramm-Leach-Bliley Act ("GLBA"), applicable to financial institutions, and the American Recovery and Reinvestment Act (ARRA), widely known as the economic stimulus act of 2009, have clauses concerning customer privacy rights. GLBA covers non-public personal information, including any personally identifiable information.
The GLBA requires covered establishments such as financial institutions, health care providers, businesses that provide services to health care providers, and others to have a policy in place to protect the private information they collect from foreseeable threats to security and data integrity. It also requires providing customers with a privacy notice that explains the nature of the private information collected, the persons or agencies having access to such information, and the methods adopted to safeguard it. Companies also need to maintain a written security plan, entrust at least one employee with managing the safeguards, and review the plan periodically. In the event of a breach of the security of the personal information they maintain, the company has to notify the affected patients and the government.
Apart from the federal laws, almost all states and territories have "data breach notification" statutes that require businesses collecting and storing their customers' personal information to notify those people when an unauthorized person acquires such information, in any manner.