The winner of the last state to enact a breach notification law is…South Dakota! On July 1, South Dakota’s breach notification requirements went into effect, meaning that all 50 states have their own laws (in addition to HIPAA). The second-to-last state was Alabama; its breach notification law went into effect May 1 (see story, p. 1). In addition to all 50 states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands all passed laws “requiring private organizations or government entities to notify individuals of a security breach involving their personally identifiable information,” says Joseph J. Lazzarotti, principal in the Morristown, New Jersey, office of Jackson Lewis P.C.