The Green Sheet Online Edition
November 12, 2007 • Issue 07:11:01
Governator terminates data protection bill
Citing overlap with the Payment Card Industry (PCI) Data Security Standard (DSS) and other concerns, Gov. Arnold Schwarzenegger vetoed a California consumer data protection bill on Oct. 13, 2007.
If it had become state law, AB 779 would have made merchants follow data security standards, provide easily accessed information about breaches to affected consumers and compel merchants to pay consumers reimbursement costs for credit or debit card replacement.
In his statement, Gov. Schwarzenegger said, "[T]his bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.
"In addition, the payment card industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. ... This measure creates the potential for California law to be in conflict with private sector security standards."
Much like the PCI DSS, the proposed California bill attempts to limit the amount of consumer data stored by merchants. But, unlike PCI DSS, AB 779 would require "specified reimbursement and notice provisions" to consumers.
The bill states that existing California law already requires merchants to notify consumers if their personal card information has been compromised, but it specifies that merchants must also supply toll-free phone numbers and e-mail addresses so consumers can obtain more information about data breaches that have affected them.
A financial body blow
The bill would also require retailers - as well as public sector government agencies - that are not compliant with the seven provisions specified in the bill to reimburse consumers for credit or debit card replacement if cardholder data had been stolen.
None of the 12 PCI DSS requirements sets forth that merchants must inform customers of security breaches, nor do any mandate that reimbursement costs be footed by merchants. The added costs to merchants are another reason Schwarzenegger vetoed the bill.
"[T]he data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses," he said.
The author of the bill, Assemblyman Dave Jones, D-Sacramento, said in response to the veto, "I'm shocked and disappointed that the governor thinks our personal information should be left out in the open for identity thieves and hackers to pilfer.
"If your slack security leads to a data breach then you ought to pay for what you caused - 'you broke it, you bought it,' as retailers like to say. How could anybody disagree with this, let alone the governor?"
AB 779 overwhelmingly passed both houses of the California State Legislature in September. A similar bill has been proposed in Massachusetts by Rep. Michael Costello, D-Newburyport.
In Connecticut, a bill that would make merchants liable to banks for data security breaches was reportedly scuttled by state legislators because of the burden it would impose on small businesses.