But still no federal law. (To find out why, perhaps it would be wise to ask those five hold-out states why they haven't approved similar legislation.)
It's not that Congress hasn't tried. Over the past few years, a number of bills have circulated in the two houses. But none have found their way to the president.
When President-elect Obama takes office, there surely will be renewed optimism that such a law could get the green light. After all, the Illinois senator seems more interested in cybersecurity than President Bush - and he's receiving detailed guidance from the Commission on Cybersecurity for the 44th President.
But corporations and consumer-rights advocates will continue to wrangle over what the threshold for reporting should be. And remember, Congress will be busy. There's that whole worst-economic-climate-in-80-years thing to deal with.
I'm thinking we're going to have to wait until 2010. Of course, another TJX just may fast-track a federal data security bill right to the Oval Office.
One thing is for sure, though: Creating a nationwide law will standardize and, as a result, simplify the reporting process for companies that experience a breach. And as we all know, it's not "if" but "when" you'll be drafting that "We lost your Social Security number" letter to consumers.