In January, the White House proposed a plan that would effectively establish a 30-day notification requirement after discovery of a data breach. The proposed legislation would standardize data breach notification requirements, which are now governed by more than 45 varying state laws. The proposal would apply to businesses that collect sensitive personal information regarding more than 10,000 individuals during any 12-month period. Under the proposal, a "safe harbor" from the requirement to provide breach notifications would apply if a business that has experienced a breach conducts a risk assessment that concludes there is no reasonable risk of harm to individuals as a result of the breach. Another proposed safe harbor would apply if the business participates in a security program that would effectively block the use of sensitive personal information to initiate unauthorized financial transactions. The proposal would give enforcement authority to the Federal Trade Commission and state law enforcement agencies but would not include a private right of action. You can read the White House proposal here as well as a section-by-section analysis here