From The Wall Street Journal:
U.S. companies wouldn’t have to disclose some cybersecurity breaches under proposed legislation introduced in both chambers of Congress in recent months. Under the proposed legislation, companies would be allowed to decide whether a breach of consumer data merits notifying customers. Under the proposals, companies would need to quickly notify customers about an intrusion if they believe there is a risk that the breach would lead to serious identity theft or fraud. But if companies believe there is no reasonable chance that a breach will hurt customers, the proposed legislation would allow them to keep it under wraps. The proposed law would override current state laws on notification, many of which compel companies to tell customers if there is any unauthorized access of their personal data, regardless of perceived harm...
... Companies spent an average of $145 for each sensitive record exposed in a breach, according to a study last year sponsored by International Business Machines Corp. And a flood of class-action suits, which often follow revelations of a breach, can dog companies for years.
If you don't have a subscription, you can locate the article through Google.