California is a single signature away from passing a closely watched US bill that would require retailers to reimburse banks and credit unions for the costs of data breaches.
The California State Assembly this week unanimously ratified amendments to its assembly bill added by the state senate a week ago.
The bill, known as the Consumer Data Protection Act, now requires just the signature of California Governor Arnold Schwarzenegger to become law.
He is expected to sign the bill, and Keri Bailey, a state legislative and regulatory lobbyist for the California Credit Union League, said if he does - and he has until about mid-October to do so - California will become the second state with such a law; Minnesota has already passed similar legislation.
The latest California bill will have the same effect on data breach laws as the state's data breach notification law, Mari Frank, an expert on identity theft, said.
"Every time California has passed a privacy law, it has a ripple effect across the country," said Frank. "California has taken the initiative on all of these - it was the first state to pass security breach legislation in 2003 - and California is one of few states that even has privacy in its constitution."
The original bill mandated that a breached retailer or government agency reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards.
It also required retailers to disclose complete details about breaches and explicitly prohibited retailers from retaining a variety of authentication data stored on the magnetic stripes on the back of credit and debit cards.
The amended bill narrows the scope of potential reimbursement liability, noted Bailey. Merchants who suffer a breach but who followed accepted security guidelines may be excused from reimbursing the financial institutions impacted by a breach, she explained.
Reimbursement could have a significant negative impact on retailers who suffer a breach, she said.