California Data Breach Bill, Sans Retail Reimbursement, Awaits Governor's Decision

Almost a year ago, California Gov. Arnold Schwarzenegger vetoed a controversial state breach bill that would have forced retailers to reimburse financial institutions for replacing compromised credit and debit cards.

But in Schwarzenegger's veto message to the State legislature, he specified that it was the reimbursement provision that he objected to, not the bill itself. Although the bill had more than enough votes to sustain an override of the veto, legislative backers opted instead to recraft the bill without that provision.

That watered-down bill—The Consumer Data Protection Act, or AB 1656—passed in the California State Senate 34-3 last Wednesday (Aug. 27) and was then OK'd by the California State Assembly by a 74-1 margin on Saturday (Aug. 30). The governor has until the end of September to decide whether to sign.

If signed into law, one change would prohibit retailers from storing some data types, even if that data is encrypted.

This provision prohibits retailers from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted and any payment-related data that is not needed for business, legal, or regulatory purposes." It also would prohibit the storing of "payment verification code, payment verification value, (and) PIN verification value."

PCI rules had already prohibited such storage for years.

The original bill prevented retailers from retaining any of that data, but that's been changed in Version 2 to allow for retailers with recurring payment systems to retain some information.

If AB 1656 gets the green light, retailers would have to be much more detailed in their notifications to customers after a breach. It would require retailers to include in their notifications "the name of the agency, person, or business that maintained the computerized data at the time of the breach. The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided. A description of the categories of personal information that was, or is reasonably believed to have been, acquired by an unauthorized person." Retailers would also be required to provide a toll-free number for a credit-monitoring agency.

Current law only requires retailers to notify customers and doesn't include all of those specifications. The new bill also added the Office of Information Security and Privacy Protection to the list of entities that retailers would have to notify in the case of a breach.

Mark Rasch, the former head of the U.S. Justice Department's computer crimes division, said most retailers already do everything that provision would call for. "As a general rule, when you notify customers, you generally put in most if not all of these details," Rasch said.

In its first trip through the legislature, the original bill passed the 40-member State Senate in a 30-6 vote and passed the Assembly 73-0. When Schwarzenegger spiked the bill, he said in his veto explanation that the bill "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

"This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace," Schwarzenegger wrote. "This measure creates the potential for California law to be in conflict with private sector data security standards."

Data security experts have mixed stances on the bill. Michael Maloof, CTO of TriGeo, a network security company, said he hopes Schwarzenegger vetoes the bill again because, he said, it creates a conflict with PCI guidelines.

"The concern to me is that as the states get in the business of generating security requirements, many of these retailers are going to be subject to PCI anyway," Maloof said. "To try to take a few minor elements out of PCI in sort of a half-hearted attempt, I just cannot picture it doing much except starting a lot of litigation."

Phil Neray, VP of Guardium, a database security company, praised the bill, saying it would motivate retailers to apply tighter standards to data security.

"I think what we're seeing in California is frustration with the pace in which retailers are being compliant with PCI," Neray said.