With the recent passage of the Identity Theft Red Flags Rules by the SEC (in effect, applying existing rules specifically to investment advisers), the topic of identity theft has once again moved front and center. However, whatever their obligations on a federal level, advisers cannot lose sight of the fact that they also have obligations on a state level. Almost all states have some type of identity theft notification requirements. Only South Dakota, New Mexico, Alabama and Kentucky have not yet enacted breach notification requirements. In the event of a breach, advisers must check the laws of each state in which an affected client resides.