"H.R. 2205 would establish a new law to require businesses to take reasonable steps to protect personal information they maintain in electronic form. Further, H.R. 2205 would require those entities, in the event of a breach in their security systems, to notify individuals whose personal information has been accessed and acquired as a result of the breach. Forty-seven states have laws that govern data security; H.R. 2205 would pre-empt many of those statutes. Finally, H.R. 2205 would require the Federal Trade Commission (FTC) and many of the financial regulatory agencies to enforce the requirements of the bill."
Congressional Budget Office: https://www.cbo.gov