Failing to make such distinctions can push consumers to undertake unnecessary efforts to protect themselves and can impose burdens on corporations, said Mary Monahan, author of the Javelin study.

"Our opinion is that consumers do need to be protected by data breach laws, and we do want to see a federal law to protect all consumers," Monahan said. But given the low risk of ID theft from such breaches, any such law would need to give the breached entity the opportunity to conduct a risk assessment before they are required to disclose it publicly; The absence of such a trigger could result in indiscriminate notifications.

"And then all you get is white noise" that few people pay attention to, Monahan said.

Currently, many of the 30-plus states that have breach disclosure laws require companies to notify customers of any data breach involving the potential compromise of personally identifiable information. Several industry groups have been lobbying lawmakers for a preemptive federal law that would add some sort of a breach notification trigger that is based on an assessment of the risk of ID theft or other fraud.

Privacy advocates, on the other hand, have been arguing for broad disclosure, saying that few companies are likely to publicly notify consumers of a breach if they are allowed to make their own risk assessments.