A lot of what's required here is just pure transparency. It's saying to businesses, tell the consumers what you're doing. Don't do it behind the scenes; tell them if you've had a data breach and that they might be the subject of identity theft.
These are all pretty common-sense kinds of things that I think most businesses who have thought about it are already doing, or would do in those circumstances.