That could allow companies to avoid reporting certain breaches of customer data that some state laws currently require them to report, he said.

"I believe that 98 percent of the time companies are not going to disclose breaches" if the law goes into effect, Paller said. "Only 2 percent are going to be good citizens and report breaches" if there is nothing to suggest imminent fraud, he said.

"It will be the absolute decimation of the impact of the California [law]," he said. "This is corporate lobbying at its worst."

What makes it likely that companies will choose not to report some breaches if the bill becomes law is the fact that it is often next to impossible to link cases of identity theft and fraud with a specific security breach, said Christopher Pierson, a lawyer with Lewis and Roca LLP in Phoenix. "By including this language about significant risk, the bill will leave it entirely up to the companies themselves" to decide when to report a breach, Pierson said. In contrast, "California's SB 1386 empowers people to be able to receive information about a breach and do something about it," he said.

There are other ambiguities, too. The bill, as proposed, does not set a time period within which a company must disclose a breach, Pierson said. Moreover, it appears to target only companies that do business across state lines, and it's vague about the obligations of companies that operate within just one state, said Arshad Noor, CEO of StrongAuth Inc., a compliance management firm in Sunnyvale, Calif.