'What I would prefer to see is something that would be uniform and preemptive [of state laws],' Herath said. 'Otherwise, you have a very inconsistent application of the law, with some states requiring you to do nothing [and] some hammering you to the point of being unfair.' He added that it would be better to have a single law managed by a central regulatory authority, in much the same manner that the CAN-SPAM Act and the National Do Not Call Registry are.

'We're hoping a federal law will help clarify the situation,' said the director of information security at a specialty retail chain based in California.

Until that comes to pass, the retailer plans to continue to use the SB 1386 breach-disclosure law that went into effect in California more than two years ago as a 'baseline' for developing its security incident response and notification strategy, said the director, who asked not to be identified.

The retail chain also plans to develop an information grid that will help it quickly go through a checklist of requirements for each state in case it triggers a notification statute. Nationwide already has such a grid, according to Herath.

'What the situation is crying out for is a federal version of the state laws,' said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif. But such a law would have to be at least as strong as the existing state regulations are for it to win approval from federal legislators, Noor said.