The Governator nixes required protections
Last modified on Friday, 03 October 2008 08:02
For the second time in one year Arnold Schwarzenegger, the Governor of California, has vetoed legislation that would have mandated that businesses take uniform, required steps to help prevent credit and debit card data from being compromised.
The Consumer Data Protection Act, or AB 1656, would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals that would be affected by such breaches.
The legislation was strongly supported by the California State Assembly, yet The Governator went out on a limb to veto it, saying that he was refusing to sign the bill for the same reasons he had not supported the original version of the legislation last fall. He stated, "As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."
In other words, he thinks it costs too much for the state government and for businesses to implement. Additionally, he expressed concern that the controls mandated in AB 1656 would lock companies into current security best practices, basically disincentivizing them from adopting new and more comprehensive industry standards and ensuring that the law would remain "static in the face of future, unseen concerns."
One of the provisions opposed by Governor Schwarzenegger was that retailers whose data has been breached would be required to reimburse banks and credit unions for the cost of replacing credit and debit cards, a very expensive proposition.
With the legislation vetoed, however, privacy regulations remain non-uniform as to what is required to protect Americans’ data. A harsh statement was issued by the head of California’s Credit Union group: "The governor's veto guarantees that millions of additional Californians will have their privacy invaded in the future."
Schwarzenegger's veto means that the only state so far to have passed a law penalizing merchants for data breaches is Minnesota. The legislation, known as the Plastic Card Security Act, became law in May 2007 and requires retailers that are found to have been storing prohibited data in their systems when a breach occurs to reimburse banks and credit unions for card-replacement costs. It also allows individuals affected by a breach to sue the company that is responsible for the data compromise.