California Data Breach Bill, Sans Retail Reimbursement, Awaits Governor’s Decision

Written by Evan Schuman
September 8th, 2008

Almost a year ago, California Gov. Arnold Schwarzenegger vetoed a controversial state breach bill that would have forced retailers to reimburse financial institutions for replacing compromised credit and debit cards.

But in Schwarzenegger’s veto message to the State legislature, he specified that it was the reimbursement provision that he objected to, not the bill itself. Although the bill had more than enough votes to sustain an override of the veto, legislative backers opted instead to recraft the bill without that provision.

That watered-down bill—The Consumer Data Protection Act, or AB 1656—passed in the California State Senate 34-3 last Wednesday (Aug. 27) and was then OK’d by the California State Assembly by a 74-1 margin on Saturday (Aug. 30). The governor has until the end of September to decide whether to sign.

If signed into law, one change would prohibit retailers from storing some data types, even if that data is encrypted.

This provision prohibits retailers from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted and any payment-related data that is not needed for business, legal, or regulatory purposes." It also would prohibit the storing of "payment verification code, payment verification value, (and) PIN verification value."

PCI rules had already prohibited such storage for years.

The original bill prevented retailers from retaining any of that data, but that’s been changed in Version 2 to allow for retailers with recurring payment systems to retain some information.

If AB 1656 gets the green light, retailers would have to be much more detailed in their notifications to customers after a breach. It would require retailers to include in their notifications "the name of the agency, person, or business that maintained the computerized data at the time of the breach. The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided. A description of the categories of personal information that was, or is reasonably believed to have been, acquired by an unauthorized person." Retailers would also be required to provide a toll-free number for a credit-monitoring agency.

Current law only requires retailers to notify customers and doesn’t include all of those specifications. The new bill also added the Office of Information Security and Privacy Protection to the list of entities that retailers would have to notify in the case of a breach.

Mark Rasch, the former head of the U.S. Justice Department’s computer crimes division, said most retailers already do everything that the notification provision would call for. "As a general rule, when you notify customers, you generally put in most if not all of these details," Rasch said.

In its first run at becoming law, the original bill passed the 40-member State Senate in a 30-6 vote and passed the Assembly 73-0. When Schwarzenegger spiked the bill, he said in his veto explanation that the bill "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

"This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace," Schwarzenegger wrote. "This measure creates the potential for California law to be in conflict with private sector data security standards."

Data security experts have mixed stances on the bill. Michael Maloof, CTO of TriGeo, a network security company, said he hopes Schwarzenegger vetoes the bill again because, he said, it creates a conflict with PCI guidelines.

"The concern to me is that as the states get in the business of generating security requirements, many of these retailers are going to be subject to PCI anyway," Maloof said. "To try to take a few minor elements out of PCI in sort of a half-hearted attempt, I just cannot picture it doing much except starting a lot of litigation."

Phil Neray, VP of Guardium, a database security company, praised the bill, saying it would motivate retailers to apply tighter standards to data security.

"I think what we’re seeing in California is frustration with the pace in which retailers are being compliant with PCI," Neray said.
