Congress held a series of high-profile hearings after the massive data breach at Target Corp., but it has shown little interest in legislating.
Across the country in California, state lawmakers appear to have a stronger appetite for action. The legislature began consideration this week of a number of bills aimed at strengthening protections for consumers who use debit and credit cards.
The outcome of the data security debate in Sacramento has implications far beyond California, since the nation's most populous state has a reputation as a first mover that other state legislatures often copy.
As the California legislative process gets under way, state lawmakers are sending a message to banks, retailers and other affected businesses nationally that now is the time to contribute in a constructive way.
"I need to work with the private sector on solutions here, but the private sector has to work with us," Sen. Lou Correa, a Santa Ana Democrat who chairs the state Senate banking committee, said in an interview. "I kind of put the challenge out to the private sector, saying: If you guys don't want us to legislate a certain technology, if you don't want us to legislate a certain solution, then implement one immediately."
"Don't wait. Don't stall. Move ahead, and show us that you're actually taking action to help alleviate these problems."
One legislative proposal from a Democratic state senator would require banks and retailers to complete the planned conversion to more secure chip cards, often called EMV cards, by Oct. 1, 2015. Essentially, a legal mandate would replace the financial incentives that Visa (NYSE: V) and MasterCard (MA) are using to encourage conversion.
The measure's sponsor, Democratic state Sen. Jerry Hill, a former chairman of the California Senate banking committee, declined an interview request through a spokesman. Hill's spokesman said the bill is still in flux.
At a legislative hearing Tuesday in Sacramento, Rachel McGreevy, MasterCard's vice president of state government affairs, said that she believes the card network-led push toward chip cards will be effective, suggesting that the states don't need to impose mandates.
Under the road map laid out by MasterCard and Visa, retailers and banks that make certain upgrades by October 2015 will face less liability for fraud losses than those that do not. Whichever company is the weakest link in the chain (the card-issuing bank, the retailer, or the retailer's bank) will bear responsibility for the losses.
During Tuesday's hearing, California lawmakers and industry witnesses both acknowledged that microchip technology is not a panacea since it does nothing to prevent fraud on online purchases. At the same time, everyone also agreed that there is an urgent need for the U.S. to follow other countries in adopting chip cards, because they will cut down on in-store fraud.
"Bad guys go where the money is, and they look to go where the easier path is," testified Paul Tomasofsky, executive director of the Debit Network Alliance, which represents numerous debit card networks.
One thorny question raised by the conversion to chip cards is how to split the costs of upgrades among banks, retailers and other links in the payments chain.
Responding to a retail trade group's statement that upgrades will cost merchants $500-$1,000 per checkout location, Sen. Correa said: "That's a lot of money. So we want to make sure that the costs are shared and distributed throughout the system."
Tuesday's hearing, a four-and-a-half hour affair that drew witnesses from across the country, was the first of several sessions that California lawmakers are planning to hold on data breaches. California politics are currently dominated by Democrats: the party holds more than two-thirds of the seats in both chambers, and Gov. Jerry Brown is also a Democrat.
Some of the lawmakers' comments suggested they hope to shape nationwide improvements in data security. "We've got about twice as many witnesses as our counterparts in Washington were able to bring together," boasted Sen. Hannah-Beth Jackson, D-Santa Barbara, who chairs the chamber's judiciary committee, at the start of the hearing.
A state Senate aide, who spoke on condition of anonymity, acknowledged that California lawmakers will face certain challenges if they decide to write data security legislation. The aide noted that because any state legislation would affect banks, it raises the issue of federal preemption authority.
"I think it's safe to say any 'state solution' in this area would have to be crafted very carefully to survive constitutional challenges," the aide said.
If California does decide to act, it would not be the first time the state has taken a lead role in the national data security debate.
In 2003, California became the first state to enact a law that requires businesses where a data breach occurs to notify affected consumers. Forty-five other states quickly followed suit.
Richard Holober, executive director of the Consumer Federation of California, argued during Tuesday's hearing that those state notification laws are a key reason why there is currently a robust national debate about data breaches. In the past, businesses were not required to inform consumers when their personal information was compromised. But that's not the case today.
"It does appear Target was quite prompt in its notification of consumers," Holober said.
The most prominent legislative response in Washington to the recent data breaches at Target and other retail chains is a bill co-sponsored by Sens. Thomas Carper, D-Del., and Roy Blunt, R-Mo., which would establish national standards for notifying consumers about data breaches.
That measure, which has the support of various banking trade groups, is currently under consideration by the Senate Banking Committee.
Outside of California, much of the state-level legislative response to the Target breach has also focused on the post-breach notification of consumers. In New Mexico and Kentucky, which are among the four states that don't currently have notification laws, the issue is now getting another look.
Kentucky state Rep. Steve Riggs, a Louisville Democrat, said that opposition to a notification bill from parts of the business community appears to have faded since the recent high-profile data breaches.
"I've actually been working with them so that they can make amends," Riggs said. "I don't anticipate any or much opposition."