Notification of Risk to Personal Data Act - Requires any agency or person that owns or licenses electronic data containing personal information, following the discovery of a breach of security of the system containing such data, to notify any U.S. resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any agency or person who possesses but does not own or license such data, to notify the information owner or licensee about such an unauthorized acquisition. Allows delay of notification in connection with authorized law enforcement purposes. Provides authorized methods of notification and alternative notification procedures. Provides: (1) civil penalties and rights and remedies in connections with violations; and (2) for enforcement by State attorneys general.