Schwarzenegger vetoes California data protection bill

Governor argues industry self-regulation is protection enough.

October 2008
For the second time in a year, California Gov. Arnold Schwarzenegger has vetoed a bill requiring retailers to follow state-established data protection standards. Approved by a 74-1 vote in the California State Assembly, and a 34-3 vote in the state Senate, the Consumer Data Protection Act sought to incentivize adherence to the proposed standards by requiring more detailed breach notification and by making retailers responsible for data breaches pay for the cost of consumer notification.

In a veto letter sent to members of the state assembly Sept. 30, Schwarzenegger argued that the bill (Assembly Bill 1656) "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers." And while that may be true—contractual agreements between retailers and major credit card companies indeed stipulate adherence to certain security standards—bill supporters like Bob Arnould of the California and Nevada Credit Union Leagues say the governor's faith in industry self-regulation is striking, given the current financial crisis on Wall Street.

"It's very similar to a lot of the other abuses we're seeing right now where industries are putting profit ahead of people and where it's a problem that only significant government regulation can fix," says Arnould, the credit union leagues' senior vice president for government affairs. "The industries have proven they can't do this on their own."

California law already mandates that consumers be notified when financial information like debit or credit card numbers is breached—either due to intrusion by a hacker or, as is often the case, through lost or stolen laptops or storage devices. However, that notification usually comes from financial institutions and rarely includes the name of the retailer responsible for the breach, explains Robert Herrell, legislative director for the bill's author, Assemblymember Dave Jones (D-Sacramento). Part of the bill's intent, Herrell says, is to provide consumers with more specific details related to breach disclosures.

"Consumers have a right to know who is doing a good job of handling their information and who is not," adds Arnould. "They should be able to vote with their feet against retailers who abuse the storage of their information."

The bill, supported by a coalition that included the credit unions, the California State Sheriffs' Association and the California Statewide Law Enforcement Association, would have prohibited businesses from storing customer information such as debit and credit card account numbers, PINs and payment verification codes. Other provisions included a rule requiring cardholder data transmitted over public networks to be encrypted.

Parts of the bill mirrored guidelines already in place via the Payment Card Industry Data Security Standard (PCI DSS), which retailers agree to follow when they enter into contracts with Visa, MasterCard and other major credit card companies. The problem with the PCI DSS standards, according to Herrell and Arnould, is that while they may exist on paper, the major credit card companies do not actively enforce them. This lack of accountability amounts to a "gift to hackers and identity thieves," Herrell says.

Though Schwarzenegger vetoed a similar bill in October 2007, AB 1656 proponents were hopeful that the removal of one of the earlier bill's key provisions, a stipulation that would have forced retailers responsible for data breaches to cover the costs of credit and debit card replacement, would make the more recent data protection bill more salable. That didn't sway bill opponents, including Bill Dombrowski, president and chief executive officer of the California Retailers Association. "It's not a privacy bill," Dombrowski says of AB 1656. "It's a fight between two business groups—the credit unions and retailers. The credit unions want legislation to give them standing to sue us when there is a data breach."

The point of contention, says Melissa Ameluxen, legislative and regulatory lobbyist for the California and Nevada Credit Union Leagues, was the language stating that retailers would be responsible for notification costs. While retailers feared that credit unions might trump up these notification costs, Ameluxen says, the intent was only to have retailers guilty of data breaches cover reasonable costs like stationery and shipping. The "biggest motivator" for retailer compliance with the standards, she says, would have been the possibility of negative publicity in the wake of a breach. "As a credit union, now we would have been able to tell our members where data was breached," she explains.

Nevertheless, Dombrowski says the increased financial liability the bill would have imposed on retailers could have had an unintended consequence: fear of legal problems might prevent some retailers from reporting data breaches.

Given California's reputation as an innovator in consumer privacy legislation—the state was the first to pass data breach disclosure and security freeze laws, which became effective in 2003—many believe that the governor's approval would have paved the way for other states to follow with similar proposals. Since California's landmark breach notification law, 38 other states have followed suit. As things currently stand, Minnesota is the only state to have passed a law penalizing retailers for failing to comply with data security standards. Signed by Gov. Tim Pawlenty in May 2007, the Plastic Card Security Act, as of Aug. 1, 2008, does allow banks and credit unions to recoup card-replacement costs from retailers responsible for data breaches. "Frankly, the best thing about the law is that we haven't had to use it," says Mara Humphrey, director of government affairs of the Minnesota Credit Union Network.

Despite the veto, Arnould says the issue is not a lost cause. "It's a big problem that's getting bigger, so we can't walk away from it," Arnould says. "We have term limits that kick in. We'll have a new governor in California in a couple years. That's one option. The other is, you know, to continue to persuade him or look for other opportunities to pass the legislation that don't require the governor's signature."

©2003-2010 Identity Theft 911, LLC. All rights reserved.
