Security breach notification bill won't protect consumers, group says
Tuesday, December 20, 2005

Pending state legislation aimed at notifying consumers if companies lose control of their sensitive personal data is too weak and will give Pennsylvania residents a false sense of security, the consumer group PennPIRG contends.

"We think it's a bad bill," PennPIRG's Jim Swoyer said of Senate Bill 712, which was presented to Gov. Ed Rendell on Thursday. The governor's office has indicated that Mr. Rendell will sign the bill, Mr. Swoyer said. No one at the governor's office was available yesterday to confirm that position.

Under the proposed legislation, designed to help residents combat identity theft, a company would be required to notify affected consumers about compromised data if the company "reasonably believes" the security breach has caused or will cause loss or injury.

Although the goal is to give consumers an early warning so that they could monitor their financial and credit records for suspicious transactions, the proposed law would offer little protection, said Mr. Swoyer, a Harrisburg-based advocate for the Pennsylvania Public Interest Research Group.

"Given the wiggle room provided by the reasonableness trigger, a business could decide that in most cases, it's in their economic interest not to disclose a breach regardless of the risk of identity theft" to avoid negative publicity, he said.

A spokesman for the bill's chief sponsor, Sen. Rob Wonderling, R-Montgomery, said the legislation strikes the right balance between the needs of consumers and businesses.

"The senator doesn't want to overly burden business, but wants to make sure consumers are protected," Mr. Wonderling's chief of staff, John Basial, said yesterday.

PennPIRG believes the bill's language should be tightened to mirror security breach notification laws in nine other states, including California, Texas and New Jersey, that do not include a "reasonableness" trigger, Mr. Swoyer said.

Consumer advocates contend that a rash of high-profile security breaches this year at companies such as Citigroup, ChoicePoint, Bank of America and Lexis-Nexis may not have come to light if it weren't for California's tough notification law.

Watering down the standard and allowing companies to make their own determination whether a breach reasonably could lead to identity theft weakens the ability of consumers to protect themselves, Mr. Swoyer said.

PennPIRG sent a letter to the governor's office Friday outlining its opposition to the bill.

Federal security breach notification legislation stalled in Congress this year but is expected to be taken up again early next year.

First published on December 20, 2005 at 12:00 am
Patricia Sabatini can be reached at psabatini@post-gazette.com or 412-263-3066.