"This was a case of politics," Arnould said. "We knew from his office the decision would come down to a fight between politics and policy. He is very close with the Chamber [of Commerce] and retailers and in the end he went with his friends."

In a statement accompanying the veto, Schwarzenegger cited both the costs of the bill to retailers and remedies he maintained already exist in law.

"Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means," Schwarzenegger wrote. "However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state. In addition, by locking in today's best practices, this bill would assure that the law remains static in the face of future, unseen concerns. Moreover, this bill would create a disincentive for businesses to adhere to new, more comprehensive industry standards," he said.

Schwarzenegger added that "existing law already contains a comprehensive penalty scheme for identity theft that details with great particularity the numerous ways in which it can occur, and imposes criminal sanctions. These provisions cover both identity thieves and retailers who are complicit in their crimes."

Those behind the bill pointed out that the purpose of the law was not to address identity theft against individual consumers as it was to make sure retailers lived up to their existing responsibilities in the marketplace.

Arnould reached into the current news stream for a metaphor. "This reminds me of the wave of corporate irresponsibility that led to our current financial mess," he said. "Sometimes big players in the market cannot be counted upon to regulate themselves and government is the only regulator that can make sure they do what is right."

Banking interests that had been opposed to the bill were quieter this time about the measure than in the past but still were not supporting it. "They don't want to vote for anything that is going to out their friends as not protecting consumer data," he observed. And Visa, though headquartered in San Francisco, also sat out the fight, torn between credit unions and other small issuers and major retailers that opposed it, Arnould explained.

Even though the bill passed with overwhelming bipartisan support–even more the second year than the first–Arnould said the prospects of overriding the veto were slight; the legislature would have to decide to come back into session to override vetoes.

Instead, Arnould said the league would continue to press the bill and use different strategies to get it passed and signed into law. For example, Arnould said, those who support it in the legislature could attach it to other legislation that Schwarzenegger would want to sign. Or, in the longest view, they could just wait him out.

"Schwarzenegger is term limited so he can't run in 2010," Arnould said. "If we don't manage to pass it before then, we will wait for him to leave office."

Arnould acknowledged there was a possibility that technology and the industry's PCI standards might end up solving the problem and making legislation unnecessary, but he also noted that the incidence of data breaches in California is still rising.

In a way this also provides the issue with something of a hair trigger, he explained, since he believed Schwarzenegger was close enough to signing it that another major card breach in the state would make the difference.

Referring to the New England grocery chain that recently experienced a large data breach, Arnould predicted, "A breach the size of the Hannaford Brothers in California and he would have signed it."

–[email protected]