"We are concerned that a bill so fundamentally and structurally flawed may be brought up for markup," the letter said. It also called for amendments to make the legislation more consumer-friendly.

According to Mierzwinski, one major problem with the bill is that it sets a notification trigger that would give companies too much flexibility in disclosing data breaches. Unlike state laws, such as California's SB 1386, which requires companies to notify consumers whenever there is a data breach, H.R. 3997 would require companies to do so only if they think there is a reasonable risk of harm.

"This bill has such a high trigger for determining when a breach might cause harm that consumers will never receive notice," he said.

Other major issues with the bill are that it would not regulate the activities of data aggregators such as ChoicePoint Inc. and would preempt stronger state laws that are already in place, he said.

"We want to make sure the bill won't wipe out all of the good state legislations that are already in place," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based advocacy group.