Sagar also pointed that all the current bills in the House remained flawed from the point of view of credit unions since none of them contain any provision for making retailers whose data breach caused harm to credit card issuers pay for some or all of those costs.

Things appeared optimistic on June 9 when the financial services version of the legislation appeared poised to move to the House floor for debate and a vote, only to be pulled when Congressman Joe Barton (R-Texas) chairman of the House Committee on Energy and Commerce, objected, indicating that the stalemate continues.

Much of the problem rests in the strongly different approaches each of the bills takes to the problem of what to do when there is a data security breach and which agency should be the lead regulator, the analysts say. Credit unions support the version coming out of the Financial Services Committee, in part because it recognizes that financial institutions are already regulated on data security and don't need yet another layer of rules.

Debbie Kwon-Moore, NAFCU's associate director of legislative affairs, went as far as to predict that neither NAFCU nor other CUs nor banks would back the measure coming out of the Commerce committee.

"This is one of those rare areas where there is a completely united front between banks and credit unions," Kwon-Moore said. "Our bottom lines for whatever bill that comes out is that it offer a national standard for how to handle data security breaches and that it not duplicate regulations that are already in place for financial institutions."

Kwon-Moore took a more optimistic stance toward the possibility the House might pass a data security bill, contending that NAFCU was working the House leadership to bring a bill forward. But she conceded that the disputes, which are most responsible for blocking progress, have yet to be resolved.

One of the bill's challenges is the complexity of the issue. Sagar pointed out that something as apparently uniform as a national standard could be problematic. Any federal law will preempt the state laws, Sagar noted, adding that this may not always be the best thing for consumers.

"One of the reasons we are even where we are with this issue is because of the California laws," Sagar said, explaining that neither CUs nor consumers would be well served if a weaker federal law superseded the strong California statute. The California data security law is considered so strong because it mandates disclosures to consumers and doesn't allow knowledge of the breach to remain confidential except in certain limited circumstances. Sagar said he regretted the failure to include a reimbursement clause in at least one of the bills that would mandate at least some of the costs of a security breach be paid by the entity that caused the breach. But he also observed that the bill was controversial and will be difficult to pass already without adding another controversial aspect to it.

"I think our best bet may be to try to attach an amendment of that sort in the Senate version or in the conference committee," Sagar said, "on the grounds that it just makes so much sense."

Not only would a reimbursement amendment help issuers recapture some of the losses that the breaches bring, it would also help focus the attention of retailers and others on the dangers and costs of not sufficiently caring for other people's personal data.

He also noted that Congressman Barney Frank, on whose staff he served, is not thrilled with even the Financial Services version of the bill and he expected that if push came to shove Frank would support doing nothing with the legislation until after the November elections. [email protected]