According to a new report, small businesses are reluctant to inform data breach victims of their information loss--even though laws in 46 states require them to do so.

While more than half of American small businesses have experienced data breaches, only 33 percent of them notified victims of their personal information loss, according to a report released yesterday by Ponemon Institute, a Michigan-based security research firm. But failing to report a data breach appropriately can cost small businesses both money and reputation, as laws in 46 states require companies to inform the victims if a data breach occurs.

“Some small businesses don’t believe that they will get caught,” said Eric Cernak, vice president for Hartford Steam Boiler (HSB), a Munich Re subsidiary that commissioned the report. “More likely, they are not aware that they are subject to the state laws.”

The report, which surveyed small businesses with annual revenues of less than $10 million, found that the main reasons for data breaches were employee or contractor mistakes, lost or stolen electronic equipment, and procedural mistakes. About 70 percent of the small businesses agreed that the loss of private information caused more damage than the loss of confidential company data, according to the report.

 “The reputation fall-out could be as significant, or sometimes more than the breach,” Cernak said.

Cernak suggested small businesses to seek legal counsel immediately if they find out a data breach. Depending on the specific state laws and the number of breaches, legal procedures of informing data breach victims vary from state to state and the failure to report a breach appropriate can bring serious legal liability.

The best way to avoid a data breach, however, is to take steps before the breach occurs by knowing where the data are stored. Small businesses often tend to store more personal information data than they need to run their businesses, according to Cernak.

Recently, a few high-profile publicly-traded companies, such as Goldman Sachs, Facebook, and the New York Times, have informed shareholders of their vulnerability to cyber-attacks in regulatory filings, according to Bloomberg News.

 “There’s no ‘safe harbor’ for small businesses,” Cernak said.