According to CSO merchants in California may end up liable for data breaches.
I think this is a good thing but I also think it is a bad thing.
Its good because a lot of large companies pay lip service to Information Security and don't take it seriously enough. This will make sure that they do. It is good because it is not the poor customer who takes the risk when he does his shopping.
Its bad because it attacks companies for essentially being victims of crime. Not does the company suffer from the crime itself but it suffers from the after effects of the crime.
On the other hand, (I think we are up to 3 by now) there is always a risk in doing business and especially a risk of crime, it has just moved online now. Companies make good profits or else they would not be doing what they are doing so they need to offset some profits into protecting themselves and their customers' information from the criminals rather than ignoring the issues and pushing the risk onto the very customers that give them money.
I guess its kinda like me locking my expensive car and keeping the keys in my pocket but borrowing a friend's cheap car and leaving it unlocked and motor running in the street because, hey, its not my car.
This law is receiving strong opposition but I think it will be passed. If it is you can bet that somehow the cost will be passed on to the customers who will pay for protecting their own information.