InfoSec: Reporting data breaches won't kill your company

Trying to keep up with customer notification laws is the real killer, compliance expert says
By Bob Brown, Network World, 03/20/2007

ORLANDO - Whenever security experts talk about the rise in data breaches, they never fail to note that the figures they cite are almost certainly low, since many organizations don't report incidents for fear that their reputations will take a hit. But the public might be more forgiving than such organizations think.

"[Customer] notifications have not turned out to be as fatal as we once thought," according to Mike Everist, director of legal and regulatory compliance at American Express Technologies, speaking at this week's Infosec World Conference & Expo in Orlando. "It's not the end of your brand."

Everist spoke on "Ensuring customer notification of unauthorized access," a process that more organizations have been forced to put in place since California's SB 1386, which went into effect in 2003. That law, which requires organizations to notify customers of data breaches, has spawned many imitators (the notorious ChoicePoint data breach in 2005 also played a huge role in spurring other states into action). Now more than 30 states have rules regarding data breach notifications.

The challenge for organizations trying to comply with the patchwork of laws, including federal banking guidance, is that there are a host of differing definitions of what data is covered. For example, some laws say notification is required when a combination of personal information, such as a first name or first initial and last name, is exposed along with a Social Security number or credit card number. Some states have added phone numbers, medical information and even biometric data to the mix.

Different states also have different definitions of what should trigger a notification, Everist said. In California, SB 1386 refers to data that has been acquired by an unauthorized person, whereas other states trigger notification only when the breach creates a potential for harm, he said.

The obligations for how to notify those affected by a data breach also vary from state to state, Everist said. In California, notice can be provided in written or electronic form, for example, whereas other states specify that notices can be made by phone or newspaper and that law enforcement needs to be alerted.

Everist said he is encouraged that some commonalities seem to be emerging, such as notifications needing to be based on potential harm and encrypted data loss not necessarily triggering a customer notification.

Comments (2)

Complex breaches
By BobB on March 29, 2007, 10:58 am
Prat, thanks for the note. Yes, much complexity. And as many of the audience members noted during Q&A sessions at InfoSec... we'd love to get the word out on this...


Many data breaches are complex
By Prat Moghe on March 26, 2007, 11:01 am
Bob - Interesting perspective on data breaches. I understand Everist's point of view that enterprises should "readily come out". However many breaches are actually...
