Cyber-theft has become a regular feature of the daily news, and recent events suggest we may have seen only part of a much more pervasive threat. Even without being hacked, companies with private customer or client data frequently find themselves coping with unintended security breaches. Most states now have statutes requiring companies to provide notice of data breaches in a variety of circumstances. This has magnified the media attention, regulator scrutiny, and private litigation risk that an affected company confronts. Managing and perhaps limiting data breach exposure is possible when sufficient compliance steps and crisis management responses are in place. If a breach occurs, what government enforcement and private litigation liabilities do companies face?