Schwarzenegger again terminates California data breach bill
Governor says state has no business mandating IT security controls on card data for retailers
October 2, 2008 12:00 PM ETComputerworld - For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed proposed legislation that would have required retailers and other businesses operating in the state to take specific steps to prevent credit and debit card data from being compromised.
The latest version of the bill — known as the Consumer Data Protection Act, or AB 1656 (download PDF) — would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals affected by them. The bill was approved by the California State Assembly on a 74-1 vote last month, a week after the state Senate passed it by a 34-3 margin.
But in a veto message that he sent to state legislators on Tuesday (download PDF), Schwarzenegger said he was refusing to sign the bill for the same reasons he turned down the original version of the measure last October.
"As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger wrote.
The governor said that requiring companies to notify consumers about breaches, even when there is no evidence of any personal data actually being stolen, would result in "significant costs" for businesses and the state government. In addition, he said, the controls mandated in AB 1656 would lock companies into current security best practices, creating a disincentive for them to adopt new and more comprehensive industry standards and ensuring that the law would remain "static in the face of future, unseen concerns."
Schwarzenegger's refusal to sign the breach bill on its second go-round is likely to be a deep disappointment to supporters of the legislation, especially the financial institutions that had lobbied for it. For instance, the California Credit Union League (CCUL), a trade association that was a key sponsor of the bill, last month voiced optimism that Schwarzenegger would sign AB 1656 because of some modifications made since last year's version was vetoed.
The biggest change was the removal of a provision that would have required retailers hit by data breaches to reimburse banks and credit unions for the cost of replacing credit and debit cards. That requirement was thought to have been the biggest reason why Schwarzenegger didn't sign the original bill, which was known as AB 779. Melissa Ameluxen, a lobbyist for the CCUL, said in September that the governor's office had indicated that removing the reimbursement clause would move the bill closer to being signed into law.
In a statement issued yesterday, Bob Arnould, the CCUL's senior vice president of government affairs, said that Schwarzenegger should have followed the lead of the state legislature on the bill, especially because of the broad support it received there.
Schwarzenegger
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Learn how you can meet the detailed technical requirements of HIPAA and delivers continuous compliance.
Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!
Confidently Meet Compliance Requirements
Download this Resource Now!
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Getting in Compliance with Government Data Regulations
Learn about various regulations and how to comply with them when you read this white paper from VeriSign.
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Maximizing Site Visitor Trust Using Extended Validation SSL
Provide site visitors visual cues that indicate your site is legitimate with Extended Validation (EV) SSL available from VeriSign.
Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!
Authentication as a Service by Forrester Research
Learn more about Authentication-as-a-Service today!
The Commercialization of ITIL: Lessons Learned
Register for this event today!
