US state eyes law to target retailers in data breaches

23.02.2007

"It isn't a far stretch of the imagination to think that if the industry cannot regulate itself and cannot follow commercial standards such as PCI, that government will step in," he said. And the consequence of government intervention could wind up being "something like" the information security requirements required by the Sarbanes-Oxley law, he said.

"It's impressive that Massachusetts has taken the first step forward" in dealing with retail security issues, said Alex Bakman, CTO at Ecora Software Inc., a security vendor. Despite a considerable push by credit card companies such as Visa International and MasterCard Worldwide to drive adoption of the Payment Card Industry (PCI) Data Security Standard, a large number of retailers remain non-compliant, he said.

"Unfortunately, in the retail community they are all trying to keep a lid on any kind of expenditures" and have paid scant attention to information security, he said. "I am very much for this legislation. I think it was inevitable."

Others, though, had a different take.

Jon Hurst, president of the Massachusetts Retailers Association, blasted the idea and said it is unreasonable to assign 100 percent of the costs incurred from security breaches to the retailers alone.