The Terminator can't get rid of this "data breach" bill
It's called the Consumer Data Protection Act, and basically requires retailers that accept payment card transactions to take specific precautions for protecting cardholder data. Supporters are optimistic Arnold Schwarzenegger won't say hasta la vista to the amended bill.

9/5/2008 6:00:00 AM By: Jaikumar Vijayan
If Schwarzenegger signs the bill this time around, California will become the second state to have such a law, joining Minnesota. That state's Plastic Card Security Act, which was signed into law in May 2007, is more stringent than the California bill is.
The Minnesota law does require retailers that are found to have been storing prohibited data in their systems when a breach occurs to reimburse banks and credit unions for card-replacement costs. It also allows individuals affected by a breach to sue the company that is responsible for the data compromise.
But the bill in California is the one that interested parties have been keeping an eye on. Most analysts expect that if AB 1656 gets final approval, other states will quickly enact similar statutes - as was the case following California's adoption of SB 1386, a data-breach notification bill that was signed into law in 2002 and took effect the following year.
Supporters of AB 1656 have claimed that such statutes are necessary to protect financial institutions from fraud and rising card replacement costs stemming from retail data breaches.
But retailers and others opposed to such legislation have argued that it is blatantly one-sided in favor of banks and credit unions.
Their position is that proposals like the one in California would unfairly penalize merchants that already pay upfront for fraud-related costs via the so-called interchange fees they're assessed by credit card companies on each transaction.
The removal of the clause that would have required breached retailers to pay card-replacement costs does little to refute the validity of such arguments, said Avivah Litan, an analyst at Gartner Inc.
That's because if AB 1656 does become law, banks would be able to use it as a means to take retailers to court to try to recoup the cost of replacing compromised cards, Litan said.
It's also a bad idea for states to legislate data security issues in the first place, according to Litan. "Governments should stay out of the security business," she said. "They clearly have a role to play in breach disclosure. But it's totally inappropriate for a state to mandate security controls."
That's especially true in this case, she added, because contractual agreements, consumer pressure and requirements such as the Payment Card Industry Data Security Standard (PCI DSS) already are forcing retailers to implement a variety of security controls.
And the proposed California law is unfair because it would mandate retailers to implement certain security controls while not requiring the same of financial institutions that also handle payment card data, Litan said.
In a statement explaining his reasons for refusing to sign the bill last fall, Schwarzenegger in fact appeared to agree with such arguments. The bill - which was known as AB 779 in its previous incarnation - "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger said.
He also noted that the payment card industry had established minimum data security standards, which were being enforced through contractual agreements. Approving the bill, Schwarzenegger said, would have created the potential for California law "to be in conflict with private-sector data security standards."