
Governor rejects data security law

By Robert Westervelt, News Editor
15 Oct 2007 | SearchSecurity.com


A California bill that would have placed liability on merchants to protect credit card data was rejected late last week by Gov. Arnold Schwarzenegger.


The bill (AB779) would have prohibited merchants from storing payment-related data without a data retention and disposal policy, even if the data was encrypted. It would have prohibited sending unencrypted credit card data over public networks. And it would have made businesses financially liable for losing customer credit card data, entitling customers to reasonable reimbursement for the costs associated with a breach.

Currently, businesses notify card issuers when a data breach is suspected and they have no liability themselves.

Schwarzenegger said the bill would have placed a heavy financial burden on small businesses in the state. He said the Payment Card Industry Data Security Standards (PCI DSS) already set guidelines for merchants that handle credit card data.

"This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger said in a statement. "This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses."

The governor urged legislators to take a more "balanced" approach to legislation.

In 2002, California was the first state to enact a data breach notification law. The law has been a model for nearly 40 other states, and a mixture of consumer groups and technology firms are lobbying members of Congress to enact similar data protection laws.

The massive data security breach at Framingham, Mass.-based TJX Cos. helped fuel the movement. Data breaches have become more public in recent years as a result of legislation in more than a dozen states that requires companies and government agencies to notify consumers if their data is lost.

Industry groups in other countries are also seeking similar data protection rules. A trade association representing hundreds of technology firms in the UK is pushing lawmakers there to develop a breach notification law and rigorous data protection rules. The group, called Intellect, has formed a data breach notification working group and is monitoring the effect of US-based data protection rules.


