Following revelations that Cambridge Analytica gained illicit access to data on 87 million Facebook users, many were left with a simple question: Was this a data breach? The distinction matters because companies must report data breaches. In a column for Government Technology, Daniel Castro outlines ways states can update their data breach notification laws to cover misuse. He writes that, while policymakers shouldn’t restrict companies from sharing data with business partners, they should hold companies accountable for the commitments they make and the business partners they use. Doing so will reward companies that use responsible data handling practices and provide consumers more choice.