Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.

'We clearly have a responsibility to safeguard customer information,' said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. 'If we lose information, it's our responsibility to inform consumers because that's the only way they can protect themselves.'

However, many existing state laws have 'hair-triggers' when it comes to disclosure requirements, he said. 'I really think the standard for disclosure should be a clear risk of danger or harm to the consumer.'

But others argue that allowing companies to decide when to disclose a breach is unworkable.

'Breaches should not be tied to the potential criminal use of the information,' said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. 'I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.'