A California bill that would have placed liability on merchants to protect credit card data was rejected late last week by Gov. Arnold Schwarzenegger.
The bill (AB779) would have prohibited merchants from storing payment-related data without a data retention and disposal policy, even if the data was encrypted. It would have prohibited sending unencrypted credit card data over public networks. And it would have made businesses financially liable for losing customer credit card data, entitling customers to reasonable reimbursement for the costs associated with a breach.
Currently, businesses notify card issuers when a data breach is suspected, and they bear no liability themselves.
Schwarzenegger said the bill would have placed a heavy financial burden on small businesses in the state. He said the Payment Card Industry Data Security Standard (PCI DSS) already sets guidelines for merchants that handle credit card data.
"This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger said in a statement. "This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses."
The governor urged legislators to take a more "balanced" approach to legislation.
In 2002, California was the first state to enact a data breach notification law. The law has been a model for nearly 40 other states, and a mixture of consumer groups and technology firms are lobbying members of Congress to enact similar data protection laws.
The massive data security breach at Framingham, Mass.-based TJX Cos. helped fuel the movement. Data breaches have become more public in recent years as a result of legislation in more than a dozen states that require companies and government agencies to notify consumers if their data is lost.
Industry groups in other countries are also seeking similar data protection rules. A trade association representing hundreds of technology firms in the UK is pushing lawmakers there to develop a breach notification law and rigorous data protection rules. The group, called Intellect, has formed a data breach notification working group and is monitoring the effect of US-based data protection rules.