The assessment and audit requirements of the new generation of state data protection laws will force U.S. companies to move beyond mere window dressing and instead require them to develop fulsome data protection programs.