Schwarzenegger again terminates California data breach bill

Computerworld - For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed proposed legislation that would have required retailers and other businesses operating in the state to take specific steps to prevent credit and debit card data from being compromised.

The latest version of the bill — known as the Consumer Data Protection Act, or AB 1656 (download PDF) — would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals affected by them. The bill was approved by the California State Assembly on a 74-1 vote last month, a week after the state Senate passed it by a 34-3 margin.

But in a veto message that he sent to state legislators on Tuesday (download PDF), Schwarzenegger said he was refusing to sign the bill for the same reasons he turned down the original version of the measure last October.

"As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger wrote.

The governor said that requiring companies to notify consumers about breaches, even when there is no evidence of any personal data actually being stolen, would result in "significant costs" for businesses and the state government. In addition, he said, the controls mandated in AB 1656 would lock companies into current security best practices, creating a disincentive for them to adopt new and more comprehensive industry standards and ensuring that the law would remain "static in the face of future, unseen concerns."

Schwarzenegger's refusal to sign the breach bill on its second go-round is likely to be a deep disappointment to supporters of the legislation, especially the financial institutions that had lobbied for it. For instance, the California Credit Union League (CCUL), a trade association that was a key sponsor of the bill, last month voiced optimism that Schwarzenegger would sign AB 1656 because of some modifications made since last year's version was vetoed.

The biggest change was the removal of a provision that would have required retailers hit by data breaches to reimburse banks and credit unions for the cost of replacing credit and debit cards. That requirement was thought to have been the biggest reason why Schwarzenegger didn't sign the original bill, which was known as AB 779. Melissa Ameluxen, a lobbyist for the CCUL, said in September that the governor's office had indicated that removing the reimbursement clause would move the bill closer to being signed into law.

In a statement issued yesterday, Bob Arnould, the CCUL's senior vice president of government affairs, said that Schwarzenegger should have followed the lead of the state legislature on the bill, especially because of the broad support it received there.