SIIA calls for security-breach notification standard

11.11.2005

Bohannon also called for greater clarity on the definition of "sensitive personal information" for the purposes of breach notification and recommended that the definition exclude information that is otherwise available from public sources.

The SIIA's testimony comes amid some concerns that national disclosure laws -- which would override tougher state laws -- would be full of loopholes that would allow companies to avoid breach notifications.

One example is a proposed bill called the Data Accountability and Trust Act (DATA), or H.R. 4127, which was recently approved by a subcommittee of the House Energy and Commerce Committee. Like H.R. 3997, the DATA bill seeks to set a national standard for security breach notifications. But because it would require companies to inform consumers of data breaches only if they believed a significant risk of fraud existed, critics see the bill as too vague to be effective.

Some critics support the need for a minimum breach disclosure standard, saying that without it, companies could be required to disclose even breaches that involve no risk of fraud.

Disclosure laws such as those in California, for instance, use a so-called acquisition standard that requires companies to notify consumers each time their data is acquired by an unauthorized person, said an analyst at a New York-based insurance company who requested anonymity. That sort of trigger has resulted in an onslaught of notifications and has created a "ludicrous situation," he said.