Privacy is currently a critical topic in the media, and a number of major privacy breaches have come to light. This has meant that consumer awareness of privacy has increased over the past few years. However, privacy breaches continue to occur and the associated costs are often not incurred by those responsible. In this paper, we discuss the connection between privacy, identity theft and externalities. In particular, we look at two examples of market solutions to address such privacy externalities. With the example of the California Security Breach Information Act, SB1386 we argue that market failures in the guise of privacy externalities can be addressed with economically rational legislation. We demonstrate this with two examples and show how the law has resulted in these firms internalising the cost of customer privacy breaches.