Calif. bill holding retailers responsible for data breach costs moves ahead

But several hurdles remain before it becomes law

A California bill that would hold retailers responsible for the costs associated with a data breach moved one step closer to becoming a law when it was approved 3-1 by the state's Senate Judiciary Committee yesterday.

The bill (AB 779) now moves to the Senate Appropriations Committee, where it is scheduled to be heard before Aug. 31. The measure, authored by Assemblyman Dave Jones (D-Sacramento), won overwhelming approval (58-2) in the State Assembly in early June.

If passed, the bill would require retailers in California to reimburse credit unions and banks for the costs associated with alerting customers and reissuing cards after a data breach. It would also prohibit merchants from storing specific types of authentication data taken from the magnetic stripe on the back of credit and debit cards. In addition, AB 779 would require all entities accepting payment card transactions to use strong encryption routines and access controls while storing and transmitting data such as card verification values and personal identification numbers.

Retailers would also be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised.

The bill is officially sponsored by the California Credit Union League (CCUL), which yesterday hailed its approval in the Judiciary Committee. "We are encouraged that the momentum created by the bipartisan passage of the bill in the assembly has continued to this point in the Senate," League President and CEO Bill Cheney said in a statement. "This is a vital measure for California consumers and the credit unions that serve them."

In an interview, Ron Fong, the league's director of state government affairs, said that the legislation was needed to force retailers to adopt the same kind of data security measures financial institutions must follow by law. "If you store customer debit and credit card information, you must take steps to ensure that the data is secure," he said. This includes "basic steps" such as data encryption and data destruction. The continued failure by many retailers to take such measures costs banks and credit unions every time a breach occurs, he said.

Still, Fong said, the bill is a long way from becoming law. It has to win approval by the Senate Appropriations Committee and then the full Senate and be signed by Gov. Arnold Schwarzenegger before it becomes law. In the meantime, it faces fierce opposition from a variety of special interests and the National Retail Federation, he said.

"This is by no means a slam-dunk," Fong said. "The opposition is huge. We have a lot of people opposing this."

If AB 779 becomes law, it will be the second one of its kind in the country. Earlier this year, Minnesota became the first state in the country to pass a similar law. Under that state's new Plastic Card Security Act, any company that suffers a data breach and is found to have been storing prohibited card data on its systems will have to reimburse banks and credit unions for the costs associated with blocking and reissuing cards.

Attempts at passing similar bills in other states, including Texas, Massachusetts and Connecticut, have not been as successful. In all three states, local versions of the California measure failed to win needed support from the lawmakers.

If passed, AB 779 could have much the same impact that California's landmark SB 1386 bill had on data breach notification standards nationwide, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. "California is a bellwether state when it comes to consumer rights, so other states will look to California to set the tone."

At the same time, such laws go too far in penalizing retailers for data breaches and are a reflection of the strength of the banking lobby and the failure by state legislators to understand security issues in the payment industry, she said.

Copyright © 2007 IDG Communications, Inc.
