The Justice Department is investigating the data theft, and Holder urged Congress in a video statement last month to adopt a national notification standard that would include exemptions for harmless breaches.
"This would empower the American people to protect themselves if they are at risk of identity theft. It would enable law enforcement to better investigate these crimes and to hold compromised entities accountable when they fail to keep sensitive information safe," he said in the statement.
Such proposals have been around for years.
An Obama administration plan from 2011 would have required businesses that collect personal information on more than 10,000 people in any 12-month period to disclose potentially harmful breaches and for breaches that affect more than 5,000 people to be reported to consumer credit reporting agencies and the federal government.
Past congressional efforts to agree on a standard have failed. Currently, 46 states and the District of Columbia have their own breach notification laws, according to the National Conference of State Legislatures.
Proposals now before Congress would require notification. But there are differences in what information the notification would provide, the threshold for notifying regulators and law enforcement, and the proposed enforcement. Some bills seek criminal penalties for deliberately concealing a breach; others do not.
Consumer groups fear that any national standard could turn out to be weaker than the strongest state laws, such as one in California that requires a business or state agency to notify any state resident whose data was improperly obtained. Other state laws are more lenient, requiring notice only in cases where a risk analysis determines that the breach is likely to have actually harmed consumers.
"From industry's perspective, whether you're a bank or a merchant, you don't want to have to notify consumers," said Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group. "They want to pre-empt, or override, the best state laws."