Landmark Calif. data breach bill awaits Schwarzenegger OK
The State Assembly approved an amended version on Monday
September 12, 2007 12:00 PM ET
Computerworld - A closely watched California data breach bill that would require retailers to reimburse data breach-related costs to banks and credit unions is now one signature away from becoming state law.
On Monday, the California State Assembly unanimously ratified amendments to the bill that were incorporated by the state Senate last week. The Consumer Data Protection Act, as the bill is known, now heads to Gov. Arnold Schwarzenegger's desk for his approval.
The measure, authored by Assemblyman Dave Jones (D-Sacramento), was originally approved by the Assembly in early June on a 55-2 vote. It then went to the Senate Appropriations Committee, which passed it 14-1 in late August. An amended version was then passed 30-6 by the Senate last week.
Analysts expect the California bill, if signed into law by Schwarzenegger, to have the same ripple effect on data breach laws as the state's data breach notification law. That law was one of the first such notification laws in the country and has been adopted and imitated in one form or another by several other states.
The measure now pending was sponsored by the California Credit Union League (CCUL). In its original form, the bill mandated that a breached entity reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. Retailers would be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised. In addition, the law would explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.
Last week's amendments narrowed the scope of potential reimbursement liability from costs "not limited to" notification and card replacement to notification and card replacement costs only, a CCUL spokeswoman said. A new liability mitigation provision was also added that would allow a merchant to be excused for all or a portion of reimbursement costs if it can show that it was in compliance with all security requirements under the law at the time of the breach.
The amended measure would not take effect until July 2008 -- not in January as originally proposed. That would give retailers more time to implement the security controls that are required under the law.
The California law is just one of several data breach laws being eyed by multiple states in the wake of a string of high-profile retail security breaches such as the one at TJX Companies Inc. earlier this year. Minnesota has already passed a law similar to the one in California.
