
Governor rejects data security law

Robert Westervelt, News Director

A California bill that would have placed liability on merchants to protect credit card data was rejected late last week by Gov. Arnold Schwarzenegger.


The bill (AB 779) would have prohibited merchants from storing payment-related data without a data retention and disposal policy, even if the data was encrypted. It would have prohibited sending unencrypted credit card data over public networks. And it would have made businesses financially liable for losing customer credit card data, entitling customers to reasonable reimbursement for the costs associated with a breach.

Currently, businesses notify card issuers when a data breach is suspected, and they bear no liability themselves.

Schwarzenegger said the bill would have placed a heavy financial burden on small businesses in the state. He said the Payment Card Industry Data Security Standard (PCI DSS) already sets guidelines for merchants that handle credit card data.

"This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger said in a statement. "This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses."

The governor urged legislators to take a more "balanced" approach to legislation.

In 2002, California became the first state to enact a data breach notification law. The law has been a model for nearly 40 other states, and a mixture of consumer groups and technology firms are lobbying members of Congress to enact similar data protection laws at the federal level.

The massive data security breach at Framingham, Mass.-based TJX Cos. helped fuel the movement. Data breaches have become more public in recent years as a result of legislation in more than a dozen states that require companies and government agencies to notify consumers if their data is lost.

Industry groups in other countries are also seeking similar data protection rules. A trade association representing hundreds of technology firms in the UK is pushing lawmakers there to develop a breach notification law and rigorous data protection rules. The group, called Intellect, has formed a data breach notification working group and is monitoring the effect of US-based data protection rules.
