On one side are those calling for consumers to be notified of any breach that could expose sensitive data. Others, however, say a high disclosure threshold should be required to prevent overnotification and needless costs.

Franklin, N.J.-based Medco Health Solutions Inc. has come under fire for waiting more than a month to report the theft of a laptop computer containing unencrypted Social Security numbers and birth dates of about 4,300 Ohio state workers and 300 dependents.

The company, which handles prescription drug benefits for state employees in Ohio, reported the Dec. 28 theft to state officials on Feb. 8. The incident prompted Ohio officials to call for a review of the US$4 million contract.

Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio, said that companies "clearly have a responsibility to safeguard customer information." However, he said many state laws have "hair triggers" when it comes to disclosures.

"I really think the standard for disclosure should be a clear risk of danger or harm to the consumer," Herath said.