Starting April 4, 2017, Tennessee has passed an amendment to its state data breach notification statute which states that businesses that experience a breach of encrypted data do not need to notify affected residents unless the encryption key was also compromised.

Then, on June 6, 2017, New Mexico's new Data Breach Notification Act signed by Governor Susana Martinez will go into effect removing it as one of three (South Dakota anad Alabama) of the 50 states in the United States to lack breach notification legislation. 

On July 1, 2017, Viriginia's data breach notification statute shall include an amendment under italicized language in § 18.2-186.6(M) which affects employers or payroll service providers if they experience an unauthorized access and acquisition of unencrypted taxpayer's personal information.  In that situation where they determine ID theft is likely then they will be required to notify the VA Attorney General of their name, federal employer ID number. The VA Attorney General will then notify the Department of Taxation.