The new version of California's law requires organizations that are the source of the breach to offer free identity-theft and other mitigation services for 12 months to the people affected by the breach. However, as Blackman points out, there is uncertainty about the circumstances under which such an offer must be extended to affected consumers.
On November 6, 2014, a coalition of service and retail industry associations sent a letter to the leaders of the U.S. Congress calling for a single federal regulation setting the standard for data-breach notification requirements nationwide. Francine Friedman and Matthew Thomas write in a November 7, 2014, article on JD Supra Business Advisor that the coalition's letter presents retailers and service providers as victims and points the finger at the failure of the payment cards.
The U.S. trails Europe in the use of "chip-and-pin" technologies to secure credit-card payments. On October 17, 2014, the White House issued an Executive Order requiring in part that as of January 1, 2015, all new payment processing terminals must support chip-and-pin and other "enhanced security features."
Considering the speed of government, we can't expect any federal breach-notification standards or widespread use of chip-and-pin-enabled credit cards until well into 2015 -- if not later. Until then, anticipate that data breaches will continue to grow in the number and size of attacks, the number of companies and consumers affected, and the amount of damage inflicted.
This holiday shopping season, park your debit card, mind those credit-card digits, keep a close watch on your financial statements, and buy with cash when you can.