"Data breaches unfortunately appear to be an inevitable part of business in the information age and a data breach notification law could help businesses deal with this risk and respond to this breach."
Yes! This is exactly the case - data breaches are inevitable, as I have said multiple times. But that doesn't mean there is nothing to do but accept it. If a shop-owner in a 'dodgy' neighborhood accepts that being robbed is possible and difficult to entirely prevent, then he/she doesn't just shrug his/her shoulders and install some cameras. What that shop owner would - or should - do is to limit the amount of cash in the till and make sure that, if there is an onsite safe, employees can't open it.
The first thing that needs to happen is a serious review of exactly what data is being kept.
Take companies/services/websites that prompt you to enter your mother's maiden name. This should never be a requirement, except where it is necessary to establish some critical point of identity. Even then, the data should be kept in a separate 'identity verification' system and purged once it has been used to establish whatever it is. Thereafter the verification status is signified by a token that contains no useful information beyond the flag state.
One of the reasons that there are so many breaches is that there is so much information to steal - companies have giant troves of customer data, all cross-referenced and ready to be put to use. If companies only kept the bare minimum then far, FAR less of our personal information would get out, first because, if it did get out, it wouldn't be that damaging, but also because it's just not worth stealing.
Yes, it would mean that companies couldn't run their analytics engines to profile customers or on-sell this information for profit, but that is, essentially, what we are dealing with here: the play-off between the privacy of the customer and the value to the company of that information. In other words, them putting profit above privacy.
The second thing that needs to happen is for a set of regulations to be drawn up governing how personal data is handled by companies that collect it. I mean proper technical regulations, such as the correct way to store particularly sensitive information including passwords and credit card details, and secure database design to limit what can be accessed in the event a system is compromised.
This is all, of course, a wild pipe dream but my point is that, once you accept that breaches WILL happen, the focus can then turn to making sure those breaches gain as little sensitive information as possible, not on simply telling people that it was stolen and, hey, whatareyougoingtodo? Sorry, that's the Internet, buddy!
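The separate 'identity verification' store, the purge-after-use step and the flag-only token described in the post above, as an added Python example (not the poster's code or any real system). It assumes an in-memory dict stands in for each store and that TOKEN_KEY would normally live in a secrets manager; the enrolled answers are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

# Separate verification store: only a salted, stretched hash of the sensitive
# answer (e.g. mother's maiden name) ever lives here, never the answer itself.
VERIFICATION_STORE = {}
# Main customer record: holds only the opaque verification token, nothing else.
CUSTOMER_RECORDS = {}
# Key for signing status tokens (hypothetical; keep it out of the customer DB).
TOKEN_KEY = secrets.token_bytes(32)
ITERATIONS = 200_000


def enroll(user_id, secret_answer):
    """Store a salted PBKDF2 hash of the answer in the separate store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret_answer.encode(), salt, ITERATIONS)
    VERIFICATION_STORE[user_id] = (salt, digest)


def make_token(user_id):
    """Token carries only user id + 'verified' flag, plus an HMAC so it can't be forged."""
    msg = f"{user_id}:verified"
    tag = hmac.new(TOKEN_KEY, msg.encode(), "sha256").hexdigest()
    return f"{msg}:{tag}"


def verify_and_purge(user_id, answer):
    """Check the answer once; on success delete the hash and issue a flag-only token."""
    entry = VERIFICATION_STORE.get(user_id)
    if entry is None:
        return None  # nothing to verify against (never enrolled, or already purged)
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(candidate, stored):
        return None
    del VERIFICATION_STORE[user_id]  # purge: the sensitive datum has done its job
    token = make_token(user_id)
    CUSTOMER_RECORDS[user_id] = {"identity_verified": token}
    return token


def is_verified(user_id):
    """Read the flag from the customer record; a breach of this record leaks no answers."""
    token = CUSTOMER_RECORDS.get(user_id, {}).get("identity_verified")
    if token is None:
        return False
    user, flag, tag = token.rsplit(":", 2)
    expected = hmac.new(TOKEN_KEY, f"{user}:{flag}".encode(), "sha256").hexdigest()
    return user == user_id and flag == "verified" and hmac.compare_digest(tag, expected)
```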