FTC chairwoman Edith Ramirez testified at the hearing to repeat the agency's call for a vigorous federal data security and breach notification law. "Never has the need for legislation been greater," she stated, while adding, "To help ensure effective deterrence, we urge Congress to allow the FTC to seek civil penalties for all data security and breach notice violations in appropriate circumstances."

Sen. Rockefeller has already introduced legislation (S. 1976) authorizing the FTC to write and enforce new rules requiring retailers and other companies to protect consumers' personal data, while notifying individuals in the event of a breach. Violators would face civil penalties.

The same day, less than a mile away at Securities and Exchange Commission headquarters, business executives and officials participating in a cybersecurity roundtable discussion offered a more nuanced point of view.

Although attendees agreed that companies are required to report data breaches likely to affect investor decisions, several voices suggested the potential damage to shareholder value from an attack is sometimes unclear and open to interpretation. What's more, the amount of harm attributable to a disclosure, from broadcasting internal vulnerabilities and subsequent reputational damage, can often exceed the limits of the initial attack. The disclosure itself can decrease company value, potentially calling into question company leaders' responsibilities to shareholders.

As if to second these concerns, Cowen & Co.'s Consumer Tracking Survey, conducted quarterly and for the first time since Target's security breach news in mid-December, reported finding "meaningful decreases" in year-over-year customer satisfaction with both the total shopping experience and customer service at Target stores in March.

Satisfaction with the overall shopping experience at Target was down almost 2% in March, with declines "most acute" among desirable middle-and-upper-income shoppers. On the scale of customer service, Target's scores dropped 3.3% to 71% with the score among upper-income shoppers falling 9% to 70%.

To make matters worse, S&P recently cut the firm's credit rating, as it expects the data breach to decrease store traffic at least through June. This, of course, will increase the company's borrowing costs, further decreasing shareholder value.

Read related: "Target Warns Data Breach Could Hurt Future Profit."

During the Securities and Exchange Commission Roundtable discussion, Douglas Meal, an attorney on the panel, offered the opinion the majority of data breaches are immaterial to investors. "If the company doesn't have a legal obligation to disclose, it's often not in their interest," he said. The Cowen & Co. Survey does nothing to contradict his observation.

Since Target reported its data breach in December, consumers and banks have filed dozens of lawsuits. Many complainants fault the timing and scope of Target's disclosures. These lawsuits have been filed even though, according to a Target spokesperson, the retailer alerted the public within days of confirming the attack. As its internal investigation uncovered more stolen customer data , the company made additional disclosures, although it was not legally required to do so.

Although he was not specifically addressing the Target situation, attorney Meal said in an interview following the SEC Roundtable, "if you never disclose the breach at all then you don't have the class action suits…it's the disclosure of the breach that creates the firestorm of litigation."

Or, in other words, "no good deed goes unpunished."

Report? Don't report? That is the question. Eventually, lawyers and legislators will answer the dilemma captured by this soliloquy through regulation and legislation. Meanwhile, we in the insurance industry must guide our insureds regarding risk management and transference.

When it comes to cyber reporting, especially following a cyber-event, our own advice is to seek the advice of counsel with expertise in this area. If you have insurance coverage, contact your insurance professional to trigger the notification requirements of your policy and get your carrier support team engaged. Because these reporting choices are complicated, seek the advice of others to fully explore the impact of your decision making.

When it comes to cyber risk, we can build up your internal practice and offer expertise to help insureds anticipate and prevent cyber events.

When it comes to cyber insurance, the choices available to insureds from underwriters are growing in number. As traditional coverages increasingly adopt language specifically excluding damages arising out of cyberattacks, the need for stand-alone cyber insurance only becomes greater.  The activities and events will not be less this year than last year.  We can be certain of one thing; there will be a greater need for coverage going forward.

Our work has just begun.