Virginia gets it
(Posted by cwalsh)
"[...] an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay."
Virginia's new breach law
Emphasis added.
Comments
Yeah, I like that part, but they're setting a high standard for triggering notification:
"'Breach of the security of the system' means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth."
"Access" is better (in my opinion) than "access and acquisition."
I'm still in communications with two states, trying to get them to post their notifications online like NH does.
Posted by: Dissent | April 15, 2008 9:52 AM
Agree.
Posted by: Chris | April 15, 2008 10:35 AM
Apparently a simple XORing of the data counts as encryption:
"...or the securing of the information by another method that renders the data elements unreadable or unusable."
Have I understood that correctly?
Posted by: DF | April 16, 2008 12:09 PM
Agreed. Once again the law presumes all encryption is equally strong.
There's a partial remediation in that disclosure must occur if the key is compromised and the entity determines that there is intent to commit ID theft, but the effectiveness of this clause is entirely dependent on the AG's ability to smell a rat.
"C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth."
A better approach is to force the entity to assess the risks in front of the AG and disclose if abuse of the data is reasonably possible (not probable) as does GLBA.
Posted by: Reader X | April 21, 2008 1:00 PM