A legal obligation to adopt reasonable information security procedures exists in a variety of laws around the world, such as the EU Data Directive (Directive 95/46), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and sectoral and state privacy laws in the U.S. The latter include security breach notification laws, and laws establishing a general duty of security. This paper compares and contrasts the privacy and information security landscape inside and outside the U.S. and offers suggestions for corporate “best practices” in data security designed to enhance consumer trust and minimize liability.