The law also requires merchants who improperly store this data to reimburse financial institutions for costs such as canceling or reissuing cards, opening and closing any accounts, fraud losses and notifying cardholders. Those requirements take effect

August 1, 2008.

Mark Cummins, president/CEO of the Minnesota Credit Union Network, and Mara Humphrey, director of governmental affairs, note the state's credit unions have been looking at data protection for several years.

"We've been hearing from credit unions that this was a big problem," Humphrey says. "Obviously the T.J. Maxx case was very timely. It was another clear sign information was not being held securely."

When data from almost 46 million credit and debit cards was stolen from T.J. Maxx, Marshalls and other discount retailers, the revelation made headlines as the largest-ever breach.

When something like that happens, credit unions take the hit, Cummins adds.

"There are a number of aspects–the credit union's reputation, the relationship with members, the cost of reissuing cards, and the actual cost of fraud if there was fraud," he says.

Cummins and Humprey indicate the new Minnesota law is quite comprehensive, and what was enacted is very similar to what was first introduced. They add credit unions were really the only financial institutions pushing the bill, but their shove was significant. Credit union members generated more than 1,000 letters supporting the law.

It also didn't hurt that several legislators had been personally affected by the T.J. Maxx breach or similar situations.

Other financial institutions remained neutral. The challenge, Humphrey indicates, was to allay the concerns of retailers, especially small businesses worried about possible costs. Both the state retailers association and grocers association testified against the bill.

However, the MnCUN points out the law doesn't require retailers to do more than they are already pledged to do under terms of the card agreements they signed.

The protection offered in the Minnesota legislation was exactly what was proposed in Texas. However, although a bill protecting consumer financial data passed the Texas House 139-0, time ran out before the legislation could be considered by the Senate. Since the Texas legislature only meets for 140 days every other year, the issue won't be on the floor again until January 2009. In the meantime it will be reviewed by an interim study committee.

Dick Ensweiler, president/CEO of the Texas Credit Union League, notes when the league surveyed member credit unions, protecting consumer financial data proved to be a top issue.

"Although we knew that ideally this would be resolved federally, we also knew it likely wouldn't get done as quickly as we might be able to do something in the state legislature," he says.

As in Minnesota, in Texas credit unions found themselves pretty much alone in seeking the legislation, with bankers sitting on the sidelines. Also as in Minnesota, some members of the legislature had first-hand experience with the issue. The bill received strong support from Rep. Helen Giddings (D-DeSoto), chair of the Business and Industry Committee and a personal victim of identity theft.

In addition, the bill was authored by committee vice chairman Gary Elkins (R-Houston).

"We had a receptive committee," Ensweiler quips.

But by the time the bill left the House and reached a hearing in the appropriate Senate committee, only five days remained. In addition, by then there was significant opposition.

Weighing in against the proposed law were major telecommunications companies such as AT&T and Verizon, Cable Television Association of Texas, Texas Association of Business and Texas Retailers Association.

This created enough confusion the committee decided they wouldn't try to deal with the issue in the few remaining days. Instead they put it into an interim study committee. Unlike the effort in the House, Senate deliberations are expected to draw a lot of media attention.

The league expects the interim study committee will be asked to view this as situation pitting big banks against small retailers. So the league will have to keep pressing the identity theft issue.

"If consumers understood how their data is at risk, I think they would be up in arms," Ensweiler says.

But at the same time the league wants to benefit from the strong grassroots component of the data protection issue, it doesn't want to destroy faith in the overall system and prompt people to shy away from using debit and credit cards.

In the nation's most populous state, California Assembly Bill 779 as approved by the full Assembly or lower house has been forwarded to the Senate, where it passed the Senate Judiciary Committee on a 3 to 1 vote and is headed for the Senate Appropriations Committee. There is no specific timetable, but all bills need to be heard from Appropriations by August 30.

Ron Fong, chief lobbyist and director of state government affairs for the California Credit Union League, notes the bill has enjoyed bi-partisan support so far because–as in other states–several lawmakers have personally experienced identity theft.

Like the other bills, the legislation would put teeth into existing Payment Card Industry Standards. However, "It's been a very controversial bill," Fong says.

Although data theft affects banks in the same way it does credit unions, the California Bankers Association opposes the bill.

In Massachusetts, a bill to curb leaks of personal data is in a legislative conference committee, where lawmakers are trying to assemble several proposals into one.

Rob Kimmett, senior vice president of marketing and public relations for the Massachusetts Credit Union League, explains retailers have been trying to push the blame for data breaches onto other parties, arguing interchange fees should be sufficient to provide any needed security.

"Credit unions in Massachusetts have been four-square behind our efforts. It's a major issue," Kimmett says. Lawmakers indicate it's also a priority for them–but they add there are other issues equally high on their "to do" list.

"We want consumers to understand there are three parties involved–the card [issuer] such as Visa or MasterCard, the merchant and the financial institution," Kimmett says.

–[email protected]