In the past, the burden fell squarely on the banks.
It should be no surprise that California is leading the way on this change. After all, the state was responsible for the nation's first ever data breach notification law. Remember SB-1386, which took effect way back in 2003?
Since then, some 40 states have followed suit with their own version of the law.
It will be interesting to see how many states quickly approve similar legislation to the new bill, especially in light of the massive TJX data breach. Lawmakers in Massachusetts, for one, are considering a similar measure.