Schwarzenegger says 'Hasta la vista' to bill on data breach costs

Computerworld - In a move that is likely to come as a major relief to retailers nationwide, California Gov. Arnold Schwarzenegger on Saturday vetoed legislation that would have made merchants in his state financially liable for the costs incurred by financial institutions because of retail data breaches.

In a statement explaining his reasons for refusing to sign the bill, formally known as AB 779, Schwarzenegger said that it "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

The measure, which was approved last month by both the California State Assembly and Senate, would have required retailers in California that get hit by data breaches to reimburse banks and credit unions for the cost of alerting customers and reissuing credit and debit cards. It would also have prohibited merchants from storing specific types of authentication data taken from the magnetic stripes on the back of payment cards, while requiring the use of so-called strong authentication technologies for protecting cardholder data.

In addition, the bill, which was authored by Assemblyman Dave Jones (D-Sacramento), would have forced retailers to disclose more details about any data breaches, including a description of the categories of personal data that might have been compromised.

Prior to Schwarzenegger's veto, AB 779 had enjoyed broad bipartisan support in the state legislature. It was originally approved by the Assembly in early June on a 55-2 vote, then went to the Senate Appropriations Committee, which passed it 14-1 in late August. The full Senate voted 30-6 in favor of an amended version of the bill in early September, and the Assembly unanimously ratified the Senate's amendment.

The California Credit Union League, a Rancho Cucamonga-based trade association that was the chief proponent of AB 779, today expressed disappointment at the governor's veto but promised to continue its efforts to pass the measure in the next legislative session.

"This is disappointing news for consumers throughout California who remain without protection from data and credit card thefts," Bill Cheney, the CCUL's president and CEO, said in a statement. "Credit unions believe strongly about protecting consumer data, and we pledge to renew our efforts to help pass this important measure as soon as the legislature reconvenes."

The California legislation's sudden death is good news for the retail industry, which in the past has complained that such bills are blatantly one-sided in favor of financial institutions. Opponents have argued that proposals like the one in California would unfairly penalize merchants that are already paying upfront for fraud-related costs via the so-called interchange fees they're assessed by credit card companies on each transaction.