ASSEMBLYMEMBER DAVE JONES
9TH ASSEMBLY DISTRICT

Sacramento Bee
Personal-data protection push
Measure aims to tighten standards to help deter hacking and ID theft.

Theft of more than 45 million credit- and debit-card numbers from the owners of Marshalls and T.J. Maxx clothing stores in 2005-06 has sparked California legislation designed to thwart hacking and identity theft.

The push for tighter standards comes at a time when the security of electronic databases is under close scrutiny, sparking a recent experiment that found California's electronic voting machines could be vulnerable to manipulation by hackers.

Assemblyman Dave Jones' bill, Assembly Bill 779, would restrict the personal information that could be held by businesses or public agencies that accept credit- or debit-card payments. It also would expand notification requirements if hackers break into databases.

"In the modern economy, we have to give personal financial information to strangers," said Gail Hillebrand, senior attorney for Consumers Union.

"If we want to shop, we have to turn over our debit card or our credit card number. This measure has very simple protections."

Opponents claim AB 779 would be costly for retailers, inadequately distinguish between massive firms and mom-and-pop stores, and impose standards that could be outdated as technology evolves.

They say database requirements should be consistent nationwide -- not vary from state to state.

"This is injecting government into private business contractual agreements," said Vince Sollitto, California Chamber of Commerce spokesman.

The California Retailers Association and the California Bankers Association are leading the fight against AB 779, which awaits action in the Senate after passing the Assembly, 58-2.

State law currently requires businesses to take reasonable efforts to prevent the theft of personal information and to notify consumers immediately when a breach occurs.

AB 779 is much more explicit, prohibiting merchants, firms or public agencies from doing things like storing sensitive personal data, such as personal identification numbers; sending unencrypted financial information over open networks; or providing a wide range of employees with access to customer records.

Jones' bill also would expand notification requirements. Consumers would be told where the breach occurred and be given an estimated date, a description of what personal data may have been stolen, and a telephone number or e-mail address for additional information.

Under AB 779, retailers -- not financial institutions -- would be liable for costs of notifying consumers and reissuing credit cards.

Opponents of Jones' bill claim that government intervention is unnecessary because the industry polices itself: Merchants must sign contracts to protect databases as a condition of accepting credit card payments.

"We have master agreements with Visa and MasterCard," said Bill Dombrowski of the California Retailers Association.

Jones counters that AB 779 simply restates some of the industry's own standards.

State law is needed, however, because many firms ignore the safeguards they commit to, the Sacramento Democrat said.

"It's everywhere," he said of lax security. "It's a big problem."

Nationwide, 40 percent of the largest retailers -- those with 6 million transactions annually -- fully comply with the industry's security standards, Visa USA reported last month.

Jones said multimillion-dollar losses from the hacking at TJX Cos., a Massachusetts-based firm whose holdings include Marshalls and T.J. Maxx stores, illustrate the potential for widespread harm.

Investigators believe that hackers used a telescope-shaped antenna and a laptop computer to pluck customer data from open airwaves at one Marshalls store, then used that information to hack into TJX's central database in 2005 and 2006, the Wall Street Journal reported.

Sherry Lang, TJX spokeswoman, declined to confirm the details or discuss the hackers' methods.

The crime was committed by "highly sophisticated cyberthieves" who evaded database protections that cost TJX millions of dollars, she said.

More than 45 million credit card numbers were stolen, but 75 percent of them were expired or had their numbers masked in a way that would render the information useless, Lang said.

Thieves obtained personal information, such as driver's license numbers, from 451,000 customers who had returned merchandise to TJX stores, Lang said.

Some of TJX's hacked data was used to steal millions in merchandise from Wal-Mart and other stores in Florida, the Wall Street Journal reported.

Eleanor Dunning, an 85-year-old Orange County retiree, said officials concluded she was a victim of the TJX theft.

Her credit card number was used to buy nearly $45,000 in gift cards, at $450 apiece, from a Florida Wal-Mart.

Dunning said the charges were removed once she contacted her bank.

"Somehow, I don't care to go shop at Marshalls anymore -- and if I did, I'd use cash," she said. "But I'm sure that would probably be one of the safest places now" because of publicity about the hacking.
