A coalition of industry groups says it supports a national law requiring companies to notify consumers about data breaches -- but only when the breach “poses a significant risk” of identity theft or economic harm. An overly inclusive trigger would cause consumers to be burdened with unnecessary notifications,” the Direct Marketing Association, American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Online Publishers Association and 11 other organizations say in a letter to lawmakers. The groups are asking Congress to avoid crafting a broad definition of “sensitive personally identifiable information.” The ad organizations specifically say that the type of information that's available in phone directories should be excluded from any definition of sensitive PII. “A balanced bill would also exclude public records and information derived from public records from its scope,” the groups write. Forty-seven states already have laws requiring companies to notify consumers after a data breach. But the DMA and other organizations say that the hodgepodge of laws “frustrate efficient and uniform breach notification to consumers.” The trade associations also say that any new law should prohibit consumers from suing privately. The DMA has long supported a national data breach law, while also vocally opposing laws that would impose new obligations on data brokers. The group has argued in the past that Congress should concern itself with practices that could leave consumers open to fraud, and not those that pose more intangible privacy concerns.