The random theft or loss of a laptop or tape containing confidential data, for instance, is likely to pose less of a risk than a more targeted attack against a system containing terabytes of customer data, Herath said. So applying the same disclosure standards in both cases may not be appropriate, he said.

Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath.

Paul Rubin, a former director at the Federal Trade Commission and a professor of economics and law at Emory University in Atlanta, argued that a more targeted notification standard is required because only about 2% of breach victims actually become victims of fraud and ID theft. In the vast majority of cases, there's no evidence to show that breached information is being misused, he said.

With that in mind, indiscriminate disclosures will only worry consumers, who may be induced to place fraud alerts on their accounts or close them entirely, with little real reason for doing so, he said. 'I think all that these notices are doing is scaring people.'

They also expose companies to lawsuits from consumers who may not fully understand the true extent of the risk from security breaches, argued an analyst at a financial services firm who requested anonymity. 'I personally believe that giving as much notice as possible is good behavior. But this is a litigious society we live in.'