Others argue that allowing companies to make disclosures based on their assessment of the risk posed to consumers is unworkable.

"Breaches should not be tied to the potential criminal use of the information," said Christopher Pierson, a lawyer at Lewis and Rocca LLP in Phoenix. "I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified."

There is a growing call for a national breach-disclosure law that will preempt the patchwork of more than 40 state laws that are in place or in the works. Many state laws specify different triggers for notification and set varying requirements on what must be disclosed to whom and when.

California, for instance, requires companies to notify consumers each time their data is compromised. Other states, such as Delaware, Arkansas and Florida, require that consumers be notified of breaches only if the companies believe there is a reasonable risk of harm.

"The good news with these laws is that security incidents are more public and more visible, and that's really motivating companies to do a better job of protecting data," said Kirk Nahra, a board member of the International Association of Privacy Professionals, a group of IT security and privacy workers in York, Maine.