Critics slam proposed data breach notification law

10.11.2005

The proposed law specifies that companies must have policies and procedures, but it does not explicitly call for any controls, Noor said. "Does this mean that I can have paper documents that reflect my policy and procedures but not have to do anything about it -- and yet be compliant?" he asked.

As with most legislation, H.R. 4127 has both good and bad elements, said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. For example, strengthening the FTC's enforcement capabilities is a good thing, he said. So, too, is a provision that exempts companies from reporting breaches if they have encrypted sensitive data, he said.

The proposed law is also very explicit about the consumer notification process and what information must be disclosed, Pierson said.

Raising the bar for disclosure is not automatically a bad thing, Pescatore said. "There does need to be some kind of balance about disclosure." He said existing laws have resulted in a kind of "disclosure overload," with companies being forced to publicize every security incident involving customer data, even though in 99 percent of the cases no fraud results from the incident.

"A lot of today's disclosures have simply gotten ridiculous," he said.