Companies could soon be required to inform their customers when information such as credit card or Social Security numbers is hacked. Today most businesses are under no legal obligation to alert customers when data is compromised -- and experts believe that the occurrence of security breakdowns is wildly underreported. Last year, however, California became the first state to mandate full disclosure after a hacker made off with personnel and financial information for some 265,000 state employees. Democratic Sen. Dianne Feinstein introduced a federal version of her state's law last June. It would impose stiff penalties on companies that "keep mum about security breaches, either for fear of bad publicity or liability," says Lee Tien, of the Electronic Frontier Foundation, a nonprofit that specializes in consumers' online rights. One defensive tactic: Corporations like Verizon and American Airlines are adding language to their online terms and conditions that asks customers to waive their right to sue if their personal information is breached.