Now, there’s no federal breach notification standard for non-financial companies. Instead, they follow a patchwork of notification laws in 48 states, which can vary in the amount of time companies have to disclose any breach and who they’re required to notify. Companies may argue they need time to track down the extent of the breach and repair it before disclosing it to consumers to prevent additional hacks.

Luetkemeyer’s bill would require companies to "immediately notify without unreasonable delay" customers when there’s a risk a data breach could expose them to identity theft or fraud. The proposal, which would preempt state laws, also requires businesses to inform the Secret Service or the Federal Bureau of Investigation if the breach affects more than 5,000 consumers.

"For each state with robust consumer protection laws on the books, there are many others with extremely weak protections," Luetkemeyer said in a statement. "Under my draft legislation, a breached entity is required to notify consumers immediately if their personal information has been accessed and law enforcement has approved. This standard is not required under current law, but the reason for immediate notification is simple: consumer protection."

‘Swiss Cheese Notification’

Luetkemeyer’s proposal also requires companies to take preventative measures to protect the security and confidentiality of information that are appropriate given the size of the business and the sensitivity of its data. For instance, a pizza parlor wouldn’t have to take the same precautions as a major mobile app storing sensitive payment information.

Lawmakers have tried to pass national data breach notification laws for years. After news of a cybersecurity attack at Target Corp. broke in 2013, lawmakers over the next few years offered an array of bills or amendments addressing data breaches, but not one passed.

David French, the senior vice president for government relations at the National Retail Federation, said the group supports a national standard, but thinks financial firms should be included since the Gramm-Leach-Bliley Act predates modern cybersecurity vulnerabilities.

"If you do a Swiss cheese notification structure, where only some businesses are required to notify and not all, then the consumer doesn’t really know who is putting their data at risk," French said.

‘Acceptable Leaks’

The National Retail Federation is backing an advertising campaign over radio and on digital platforms in the Washington area to push for all industries to be included in a new standard, according to French.