In case there wasn't already enough confusion regarding cyberliability, data breach events, cyber coverage and cyber reporting,recent events suggest we have officially reached the fork in theroad.

On March 26, the Senate Committee on Commerce, Science, andTransportation, chaired by Sen. John D. Rockefeller IV(D., W.Va.), held a hearing titled "Protecting Personal Consumer Informationfrom Cyber Attacks and Data Breaches."

At the hearing, committee members examined consumer risksemanating from recent data breaches, the current lack of federaldata security protections, and several data security bills pendingbefore the Senate Commerce Committee that would establish federalstandards.

The committee also released a report asserting Target Corp.failed to take adequate steps to prevent the recent payment cardhacking breach affecting up to 110 million customers.  Thereport went on to charge Target with missing numerous opportunitiesto detect and stop the attack, including multiple automatedwarnings sounded by the company's anti-intrusion software.

FTC chairwoman Edith Ramirez testified at the hearing to repeatthe agency's call for a vigorous federal data security and breachnotification law. "Never has the need for legislation beengreater," she stated, while adding, "To help ensure effectivedeterrence, we urge Congress to allow the FTC to seek civilpenalties for all data security and breach notice violations inappropriate circumstances."

Sen. Rockefeller has already introduced legislation (S. 1976)authorizing the FTC to write and enforce new rules requiringretailers and other companies to protect consumers' personal data,while notifying individuals in the event of a breach. Violatorswould face civil penalties.

The same day, less than a mile away at Securities andExchange Commission headquarters, business executives and officialsparticipating in a cybersecurity roundtable discussion offered a more nuancedpoint of view.

Although attendees agreed that companies are required to reportdata breaches likely to affect investor decisions, several voicessuggested the potential damage to shareholder value from an attackis sometimes unclear and open to interpretation. What's more, theamount of harm attributable to a disclosure, from broadcastinginternal vulnerabilities and subsequent reputational damage, canoften exceed the limits of the initial attack. The disclosureitself can decrease company value, potentially calling intoquestion company leaders' responsibilities to shareholders.

As if to second these concerns, Cowen & Co.'s Consumer Tracking Survey, conducted quarterlyand for the first time since Target's security breach news inmid-December, reported finding "meaningful decreases" inyear-over-year customer satisfaction with both the total shoppingexperience and customer service at Target stores in March.

Satisfaction with the overall shopping experience at Target wasdown almost 2% in March, with declines "most acute" among desirablemiddle-and-upper-income shoppers. On the scale of customer service,Target's scores dropped 3.3% to 71% with the score amongupper-income shoppers falling 9% to 70%.

To make matters worse, S&P recently cut the firm's creditrating, as it expects the data breach to decrease store traffic atleast through June. This, of course, will increase the company'sborrowing costs, further decreasing shareholder value.

Read related: "TargetWarns Data Breach Could Hurt Future Profit."

During the Securities and Exchange Commission Roundtablediscussion, Douglas Meal, an attorney on the panel, offered theopinion the majority of data breaches are immaterial to investors."If the company doesn't have a legal obligation to disclose, it'soften not in their interest," he said. The Cowen & Co. Surveydoes nothing to contradict his observation.

Since Target reported its data breach in December, consumers andbanks have filed dozens of lawsuits. Many complainants fault thetiming and scope of Target's disclosures. These lawsuits have beenfiled even though, according to a Target spokesperson, the retaileralerted the public within days of confirming the attack. As itsinternal investigation uncovered more stolen customer data , thecompany made additional disclosures, although it was notlegally required to do so.

Although he was not specifically addressing the Targetsituation, attorney Meal said in an interview following the SECRoundtable, "if you never disclose the breach at all then you don'thave the class action suits…it's the disclosure of the breach thatcreates the firestorm of litigation."

Or, in other words, "no good deed goes unpunished."

Report? Don't report? That is the question. Eventually, lawyersand legislators will answer the dilemma captured by this soliloquythrough regulation and legislation. Meanwhile, we in the insuranceindustry must guide our insureds regarding risk management andtransference.

When it comes to cyber reporting, especially following acyber-event, our own advice is to seek the advice of counsel withexpertise in this area. If you have insurance coverage, contactyour insurance professional to trigger the notificationrequirements of your policy and get your carrier support teamengaged. Because these reporting choices are complicated, seek theadvice of others to fully explore the impact of your decisionmaking.

When it comes to cyber risk, we can build up your internalpractice and offer expertise to help insureds anticipate andprevent cyber events.

When it comes to cyber insurance, the choices available toinsureds from underwriters are growing in number. As traditionalcoverages increasingly adopt language specifically excludingdamages arising out of cyberattacks, the need for stand-alone cyberinsurance only becomes greater.  The activities and eventswill not be less this year than last year.  We can becertain of one thing; there will be a greater need for coveragegoing forward.

Our work has just begun.