As lawmakers struggle with proposals to enact data privacy legislation, credit union trade groups say a national standard must be set for data protection—and that standard must be as strict as the one they must follow.
"The time has come for Congress to enact a national standard on data protection for consumers' personal financial information," Brad Thaler, vice president of legislative affairs at NAFCU, said in a letter to the leaders of the Senate Banking Committee.
Any data privacy legislation will not work without a strict data protection requirement, CUNA President/CEO Jim Nussle wrote in a letter to the panel.
"Simply put, data cannot be kept private unless it is also secured," he wrote.
Senate Banking Chairman Mike Crapo (R-Id.) and the committee's ranking Democrat, Sherrod Brown of Ohio, have asked stakeholders about how best to deal with data privacy and protection.
"Americans are rightly concerned about how their data is collected and used, and how such data is secured and protected," the senators said, in soliciting the opinions. "The collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward."
Credit union trade groups said that merchants and financial institutions should be subject to the strict protection regime that financial institutions must follow. That regime is included in the Gramm-Leach-Bliley Act.
Thaler said that while financial institutions have had a national standard on data security for more than 20 years, others who handle consumer financial information do not.
That position traditionally has been opposed by merchant groups, and that dispute often has led to legislative gridlock on the issue.
And Thaler said that in cases of a data breach, the cost associated with the breach should be borne by those who caused the breach.
Nussle said that any federal law should preempt state requirements to make compliance easier and provide equal protection for all consumers.
He said Congress should examine state laws and adopt the best provisions of the statutes.
"A patchwork of state laws with a federal standard as a floor will only perpetuate a security system littered with weak links," he wrote.
State officials are likely to push back on any plan that preempts state law. California, in particular, has adopted a strict data security regime.
© 2025 ALM Global, LLC, All Rights Reserved.