Breach notification policy would apply to for-profit and not-for-profit businesses that use, access, transmit, store, dispose of or collect sensitive PII about more than 10,000 individuals during any 12-month period. The Federal Trade Commission would be responsible for enforcing the law, along with state attorneys general, and civil penalties for non-compliance could total $1 million. The proposal would trump existing state notification laws currently on the books in 46 states, the District of Columbia, Puerto Rico and the Virgin Islands.”]
Source: https://www.healthcareinfosecurity.com/breach-notification-proposal-lacks-teeth-a-3650