North Carolina is in the club
From North Carolina’s breach notification law, which took effect on December 1, 2005:
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
I have repeatedly said that this sort of central notice is a good idea. I have also repeatedly said that only New York (and later, Maine) required it. I am very happy to stand corrected.
The way I learned of my error illustrates the cooperation among folks interested in this stuff — Beth Givens of privacyrights.org alerted the dataloss folks to a breach that they hadn’t recorded. This was reported to the dataloss mailing list, where I read it. In the referenced article was information about the reporting requirement.