On the legal front, if your organization is subject to more than a few of these laws (by virtue of having operations or customers in multiple jurisdictions), the wisest strategy probably would be to develop and implement a uniform policy that meets the requirements of the most stringent of the applicable state laws. Ironically, one of the tradeoffs to consider is just how zealous one wants to be in detecting each and every breach, knowing that there is a disclosure obligation for those detected, even if the likelihood of the data being used maliciously is small.