But lawyers working on data breach cases estimate that perhaps only one in 10 breaches are ever made public, according to Fred Cate, a law professor at Indiana University. "We actually have very poor data on data breaches," he told conference attendees.

Part of the problem is that, while consumers must be notified of breaches, most states do not require any kind of centralized notification.

That would change under California's proposed new law. By requiring the attorney general or other central agency to keep track of breaches, observers would get a "better understanding of the nature and scope of the problem," Simitian said.

Some states already require that breach notification letters be sent to a central state agency, but Simitian's bill would centralize that information in the largest state in the U.S., potentially creating the country's largest repository of breach data.

Simitian said he hopes to see California Governor Arnold Schwarzenegger sign the bill by year's end. "That would make a good law , a groundbreaking law, even better," he said.