I'm surprised there has been no leak of purchases from major restaurants or retailers, just credit card datasets.
Does the California law only require disclosure of leaks of financial information, or do businesses finally start taking proper security measures (and/or airgapping) when there is business intelligence at hand?
It's the former. Laws cover payment info. Also, payment info is more valuable to steal, and more compact to transmit and easier to decode from the raw storage data.
Once you have any security in place, it's probably more complicated to NOT include your payment database in it. A PCI auditor will actively inspect your payment database attack surface.