The Ultimate Cyberthief Gift: CA’s Veto

Written by Evan Schuman
October 16th, 2007

Wondering what to get that cyberthief on your list who seems to have already taken everything? California’s data breach bill veto is just the thing and it’s in time for the holidays.

When Gov. Arnold Schwarzenegger this weekend vetoed California’s data breach bill, it was much more important than a single state governor’s veto. Much more important.

That bill would have created a California law mandating compliance with roughly what the PCI requirements are today. The bill doesn’t mention the Payment Card Industry Data Security Standard (familiarly known in retail circles simply as PCI) by name, but the bill’s authors tried to mimic the current PCI requirements as closely as practical.

It also would have forced retailers with breaches to reimburse banks for any replacement and related costs.

For the most part, this is very similar to a law passed by Minnesota. And only Minnesota, and that is the point. Shortly after the TJX data breach—widely considered the worst data breach ever reported, where the credit card data of some 46 million consumers fell into unauthorized hands—many states tried passing similar anti-data-breach laws, including Texas, Massachusetts and Connecticut.

All of those efforts fizzled at some point in their legislative process, often thanks to retail lobbying efforts that made the true—and convenient—argument that such a bill would likely penalize the multi-billion-dollar retailers of the world a lot less than it would hurt small retailers. Fearing that those mom-and-pop merchants would file their merchandise return requests at the ballot box, most legislators backed off.

Minnesota’s passage was crucial to the movement, but it couldn’t stand alone. It needed several other states to do the same thing or else its law wouldn’t have much nationwide impact. As state after state backed off, most eyes were on California. The nation’s most populous state—which had already been the leader in data breach notification laws—was the best shot at keeping the movement alive. In other words, if this could be made into law anywhere, it would be California.

But a lot more was at stake than merely getting a second state to fall in line. California’s proposed law specified that California residents would be covered, as opposed to covering only stores located in California.

By making the law cover the 37 million residents of California (remember that the total U.S. population is barely 300 million), it posed a legal challenge for retailers.

What rules does a Rite-Aid in Illinois have to follow? What if a California resident happens to be visiting Chicago and walks in to buy some shampoo and uses his credit card? Is the cashier supposed to ask what state the customer is from and code the transaction differently?

Even worse, what about a Rite-Aid in Minneapolis? If a San Jose resident walks into that pharmacy in the Twin Cities, which PCI-like set of rules is the store supposed to follow?

That kind of state conflict would place extreme pressure on the U.S. House of Representatives to pass federal legislation. Potentially, the federal courts could get involved and require some federal standard. And that is precisely what the industry needs.

Many retail IT execs very much want to invest more heavily in security, but they can’t justify it in the true return-on-investment (ROI) sense. As we’ve noted many times before, the CFO has a fiduciary obligation to the board of directors and to shareholders to not approve any spending unless there’s a clean argument why it will either generate more profits than it costs or why failing to spend that money will cost the company far more if anything goes wrong.

Without a federal law—which Congress has thus far given a very low priority—there is little incentive for retailers to truly invest in security. As the recent TJX settlement makes clear, the law does not prohibit retailers from acting recklessly with consumer data as long as the consumer doesn’t lose any money. Current credit card zero-liability plans are quite effective at preventing that.

Identity theft is another issue, but the courts only recognize monetary loss. Federal legislation is needed to address that, and California’s bill was the last best shot at forcing it.

Is the bill necessarily dead? Not quite. The bill had sailed through both houses of the California legislature with overwhelming majorities, more than enough to over-ride the governor’s veto. Political realities in California make that unlikely, though not impossible. As one California legislative aide involved in the discussions said Monday night, "It’s more than a theoretical possibility."

But other scenarios are more likely. First, no one has successfully orchestrated a gubernatorial over-ride in California in decades. And the number of legislators who voted for the bill might slim down when the vote is instead an over-ride vote.

Schwarzenegger—now to be known in data security circles as Veto Corleone—also hinted that he’d be open to signing the bill if some modifications were made, so making a few minor tweaks to the bill and sending it back for signature might be more politically attractive. (I’ll try to be strong and not have the bill telling the governor: "I’ll be back." Given that I found the strength to not say that Schwarzenegger terminated the bill, I should succeed.)

Of course, there’s always the bigger legislative picture to consider. Some politicians might want to get the governor’s backing on some other priorities in exchange for not supporting an over-ride fight.

That’s apparently what happened, according to the California legislative aide, with this data-breach bill. The banking lobby had initially been supportive of the bill, but retail groups cut a deal in which they agreed to back some higher-priority banking efforts in exchange for the bank lobby’s support on this one.

Either way, the bill couldn’t re-emerge in any form until Jan. 7, which likely means a decision no sooner than November.

In the meantime, though, data thieves can rest easy and celebrate. They might even buy a round or two for the celebrating retail lobbyists at the other end of the bar. They finally have something they can agree on: mandatory security rules are a bad thing.
