When Gov. Arnold Schwarzenegger this weekend vetoed California's data breach bill, it was much more important than a single governor's veto in a single state. Much more important.
That bill would have made a California law mandating compliance with what is roughly the PCI requirements today. The bill doesn't mention the Payment Card Industry Data Security Standard (familiarly known in retail circles simply as PCI) by name, but the bill's authors tried to mimic the current PCI requirements as much as practical.
It also would have forced retailers with breaches to reimburse banks for any replacement and related costs.
For the most part, this is very similar to a law passed by Minnesota. And only Minnesota, and that is the point. Shortly after the TJX data breach—widely considered the worst ever data breach reported, where the credit card data of some 46 million consumers fell into unauthorized hands—many states tried passing similar anti-data breach laws, including Texas, Massachusetts and Connecticut.
All of those efforts fizzled at some point in their legislative process, often thanks to retail lobbying efforts that made the true—and convenient—argument that such a bill would likely penalize the multi-billion-dollar retailers of the world a lot less than they would hurt small retailers. Fearing that those mom-and-pop merchants would file their merchandise return requests at the ballot box, most legislators backed off.
Minnesota's passage was crucial to the movement, but it couldn't stand alone. It needed several other states to do the same thing, or else its law wouldn't have much nationwide impact. As state after state backed off, most eyes were on California. The nation's most populous state—which had already been the leader in data breach notification laws—was the best shot at keeping the movement alive. In other words, if this could be made into law anywhere, it would be California.
But a lot more was at stake than merely getting a second state to fall in. California's proposed law specified that California residents would be covered. This is as opposed to merely saying that it only impacted stores in California.
By making the law cover the 37 million residents of California (remember that the total U.S. population is barely 300 million), it posed a legal challenge for retailers.
What rules does a Rite-Aid in Illinois have to follow? What if a California resident happens to be visiting Chicago and walks in to buy some shampoo and uses his credit card? Is the cashier supposed to ask what state the customer is from and code the transaction differently?
Even worse, what about a Rite-Aid in Minneapolis? If a San Jose resident walks into that pharmacy in the Twin Cities, which PCI-like set of rules is the store supposed to follow?
That kind of state conflict would place extreme pressure on the U.S. House of Representatives to pass federal legislation. Potentially, the federal courts could get involved and require some federal standard. And that is precisely what the industry needs.
Many retail IT execs very much want to invest more heavily in security, but they can't justify it in the true return-on-investment (ROI) sense. As we've noted many times before, the CFO has a fiduciary obligation to the board of directors and to shareholders to not approve any spending unless there's a clean argument why it will either generate more profits than it costs or why failing to spend that money will cost the company far more if anything goes wrong.
Without a federal law—which Congress has thus far given a very low priority—there is little incentive for retailers to truly invest in security. As the recent TJX settlement makes clear, the law does not prohibit retailers from acting recklessly with consumer data as long as the consumer doesn't lose any money. Current credit card zero-liability plans are quite effective at preventing that.
Identity theft is another issue, but the courts only recognize monetary loss. Federal legislation is needed to address that, and California's bill was the last best shot at forcing it.
Is the bill necessarily dead? Not quite. The bill had sailed through both houses of the California legislature with overwhelming margins, more than enough to override the governor's veto. Political realities in California make that unlikely, though not impossible. As one California legislative aide involved in the discussions said Monday night, "It's more than a theoretical possibility."
But there are many likely scenarios. First, no one has successfully orchestrated a gubernatorial override in California in decades. And the number of legislators who voted for the bill might slim down when the vote is instead an override vote.
Schwarzenegger—now to be known in data security circles as Veto Corleone—also hinted that he'd be open to signing the bill if it had some modifications made, so making a few minor tweaks to the bill and sending it back for signature might be more politically attractive. (I'll try to be strong and not have the bill telling the governor: "I'll be back." Given that I found the strength to not say that Schwarzenegger terminated the bill, I should succeed.)
Of course, there's always the bigger legislative picture to consider. Some politicians might want to get the governor's backing on some other priorities in exchange for not supporting an override fight.
That's apparently what happened, according to the California legislative aide, with this data-breach bill. The banking lobby had initially been supportive of the bill, but retail groups cut a deal where the retail groups agreed to back some higher-priority banking efforts in exchange for the bank lobby's support on this one.
Either way, the bill couldn't re-emerge in any form until Jan. 7, which likely means a decision no sooner than November.
In the meantime, though, data thieves can rest easy and celebrate. They might even buy a round or two for the celebrating retail lobbyists at the other end of the bar. They finally have something they can agree on: mandatory security rules are a bad thing.