But while there's value in informing consumers of security breaches that pose a real risk of identity theft or fraud, little is gained by overnotification, added Nahra, who is also a partner at Wiley, Rein & Fielding LLP in Washington. For instance, the random loss or theft of a laptop or tape containing confidential data poses less of a risk than a targeted attack against a system containing terabytes of customer data, Herath said. Applying the same disclosure standards in both cases may not be appropriate, he said.

Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University, argued for a more precise notification standard, because only about 2 percent of breach victims become victims of fraud and identity theft. Indiscriminate disclosures will only worry consumers, who may place fraud alerts on their accounts or close them, with little real reason, he said.

Allowing breached companies to make judgments on whether data might be misused will never work in favor of consumers, "because the statute of limitations on thieves using stolen data does not expire," said Arshad Noor, CEO of StrongAuth Inc., a compliance management firm in Sunnyvale, Calif.

Todd R. Weiss contributed to this story.