Breach notification: When should companies tell all?

03.03.2006

The debate comes at a time when there are growing calls for a national breach disclosure law that would preempt the patchwork of state laws already enacted or proposed in more than 40 states. Many of those state laws specify different triggers for notification and set varying requirements on what must be disclosed, to whom, and when.

California, for instance, uses an 'acquisition standard' that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas and Florida, require companies to notify consumers of breaches only if the companies believe there's a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others don't.

Despite the compliance headaches caused by such disparities, the laws appear to be forcing companies to pay more attention to how they handle confidential data, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

'The good news with these laws is that security incidents are more public and more visible -- and that's really motivating companies to do a better job of protecting data,' said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers.

But while there's value in telling consumers about security breaches that pose a real risk of identity theft or fraud, little is gained by overnotification, said Nahra, who is also a partner at Wiley Rein & Fielding LLP, a Washington-based law firm. 'There are some laws that if you read them would require notice in ridiculous situations.'