An amended version of a closely watched data breach bill that was vetoed by California Gov. Arnold Schwarzenegger last October is once again headed to his desk for approval.
The bill — known as the Consumer Data Protection Act, or AB 1656 — would require retailers that accept payment card transactions to take specific precautions for protecting cardholder data and to disclose more details about data breaches to the consumers affected by them. But an earlier provision that would have required retailers to reimburse financial institutions for the costs involved in replacing credit and debit cards compromised in breaches has been dropped.
The amended bill was approved by the California State Assembly by a 74-1 margin on Saturday, after passing muster in the state Senate by a 34-3 margin last Wednesday.
The California Credit Union League (CCUL), a trade association that is a key sponsor of the bill, welcomed its passage by the legislature. In a statement, Bill Cheney, the CCUL’s president and CEO, expressed his hope that Schwarzenegger would “acknowledge the solid vote of approval” from California’s lawmakers and quickly sign the measure. Cheney added that AB 1656 would help strengthen consumer confidence in payment card security while enforcing increased transparency at retailers that are hit by breaches.
Melissa Ameluxen, a lobbyist for the Rancho Cucamonga-based CCUL, said in an interview today that the removal of the clause requiring retailers to foot the bill for card replacements should go a long way toward countering opposition to the bill. “The governor’s office gave us an indication that removing that part of the bill would help us move closer” to getting it signed into law, she said.
In addition to that change, two smaller modifications have been made to the original bill that Schwarzenegger vetoed. One allows retailers to retain certain kinds of data needed to process recurring payments. The other removes a previous requirement that retailers specify the exact date on which a breach was thought to have occurred. Instead, the bill now mandates that they provide only a range of dates during which a breach might have taken place, Ameluxen said.
Analysts and the retail community have been closely following the progress of the bill, which is one of the first of its kind in the country and would put some strict new requirements on businesses. For instance, AB 1656 would prohibit retailers and other organizations that handle payment card transactions from storing certain types of cardholder data even if the information is encrypted. Prohibited data types include the full contents of the magnetic stripes on the back of cards, as well as PINs and both card and payment verification codes.
Companies also would be required to set formal data retention and disposal policies limiting the amount of cardholder data they retain and the length of time it is stored. And all credit and debit card data transmitted over public networks would need to be encrypted or otherwise rendered indecipherable.
On the notification side, businesses that suffer breaches would have to inform card-issuing banks about the kind of data that was compromised and provide a toll-free phone number or some other type of contact for answering breach-related questions from consumers.
The security controls built into AB 1656 are similar to some of the requirements that retailers are mandated to implement under the Payment Card Industry Data Security Standard, which was developed by the major credit card companies and is informally referred to as PCI.
If Schwarzenegger signs the bill this time around, California will become the second state to have such a law, joining Minnesota. That state’s Plastic Card Security Act, which was signed into law in May 2007, is more stringent than the California bill is. The Minnesota law does require retailers that are found to have been storing prohibited data in their systems when a breach occurs to reimburse banks and credit unions for card-replacement costs. It also allows individuals affected by a breach to sue the company that is responsible for the data compromise.
But the bill in California is the one that interested parties have been keeping an eye on. Most analysts expect that if AB 1656 gets final approval, other states would quickly enact similar statutes — as was the case following California’s adoption of SB 1386, a data-breach notification bill that was signed into law in 2002 and took effect the following year.
Supporters of AB 1656 have claimed that such statutes are necessary to protect financial institutions from fraud and rising card replacement costs stemming from retail data breaches.
But retailers and others opposed to such legislation have argued that it is blatantly one-sided in favor of banks and credit unions. Their position is that proposals like the one in California would unfairly penalize merchants that already pay upfront for fraud-related costs via the so-called interchange fees they’re assessed by credit card companies on each transaction.
The removal of the clause that would have required breached retailers to pay card-replacement costs does little to refute the validity of such arguments, said Avivah Litan, an analyst at Gartner Inc. That’s because if AB 1656 does become law, banks would be able to use it as a means to take retailers to court to try to recoup the cost of replacing compromised cards, Litan said.
It’s also a bad idea for states to legislate data security issues in the first place, according to Litan. “Governments should stay out of the security business,” she said. “They clearly have a role to play in breach disclosure. But it’s totally inappropriate for a state to mandate security controls.”
That’s especially true in this case, she added, because contractual agreements, consumer pressure and requirements such as PCI already are forcing retailers to implement a variety of security controls. And the proposed California law is unfair because it would mandate retailers to implement certain security controls while not requiring the same of financial institutions that also handle payment card data, Litan said.
In a statement explaining his reasons for refusing to sign the bill last fall, Schwarzenegger in fact appeared to agree with such arguments. The bill — which was known as AB 779 in its previous incarnation — “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” Schwarzenegger said.
He also noted that the payment card industry had established minimum data security standards, which were being enforced through contractual agreements. Approving the bill, Schwarzenegger said, would have created the potential for California law “to be in conflict with private-sector data security standards.”