Calif. bill holding retailers responsible for data breach costs moves ahead

Computerworld - A California bill that would hold retailers responsible for the costs associated with a data breach moved one step closer to becoming a law when it was approved 3-1 by the state's Senate Judiciary Committee yesterday.

The bill (AB 779) now moves to the Senate Appropriations Committee where it is scheduled to be heard before Aug. 31. The measure, authored by Assemblyman Dave Jones, (D-Sacramento), won overwhelming approval (58-2) in the State Assembly in early June.

If passed, the bill would require retailers in California to reimburse credit unions and banks for the costs associated with alerting customers and reissuing cards after a data breach. It would also prohibit merchants from storing specific types of authentication data taken from the magnetic stripe on the back of credit and debit cards. In addition, AB 779 would require all entities accepting payment card transactions to use strong encryption routines and access controls while storing and transmitting data such as card verification values and personal identification numbers.

Retailers would also be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised.

The bill is officially sponsored by the California Credit Union League (CCUL), which yesterday hailed its approval in the Judiciary Committee. "We are encouraged that the momentum created by the bipartisan passage of the bill in the assembly has continued to this point in the Senate," League President and CEO Bill Cheney said in a statement. "This is a vital measure for California consumers and the credit unions that serve them."

In an interview, Ron Fong, the league's director of state government affairs, said that the legislation was needed to force retailers to adopt the same kind of data security measures financial institutions must follow by law. "If you store customer debit and credit card information, you must take steps to ensure that the data is secure," he said. This includes "basic steps" such as data encryption and data destruction. The continued failure by many retailers to take such measures costs banks and credit unions every time a breach occurs, he said.

Still, Fong said, the bill is a long way from becoming law. It has to win approval by the Senate Appropriations Committee and then the full Senate and be signed by Gov. Arnold Schwarzenegger before it becomes law. In the meantime, it faces fierce opposition from a variety of special interests and the National Retail Federation, he said.

"This is by no means a slam-dunk," Fong said. "The opposition is huge. We have a lot of people opposing this."