Home » Data Protection » PCI and Compliance

News

Vetoed Data Breach Bill Goes to Schwarzenegger Again

An amended version of a closely watched data breach bill that was vetoed by California Gov. Arnold Schwarzenegger last October is once again headed to his desk for approval.

By Jaikumar Vijayan, Computerworld

September 04, 2008 — CSO — An amended version of a closely watched data breach bill that was vetoed by California Gov. Arnold Schwarzenegger last October is once again headed to his desk for approval.

The bill -- known as the Consumer Data Protection Act, or AB 1656 (download PDF) -- basically would require retailers that accept payment card transactions to take specific precautions for protecting cardholder data and disclose more details about data breaches to consumers affected by them. But an earlier provision that would have required retailers to reimburse financial institutions for the costs involved in replacing credit and debit cards compromised in breaches has been dropped.

The amended bill was approved by the California State Assembly by a 74-1 margin on Saturday, after passing muster in the state Senate by a 34-3 margin last Wednesday.

The California Credit Union League (CCUL), a trade association that is a key sponsor of the bill, welcomed its passage by the legislature. In a statement, Bill Cheney, the CCUL's president and CEO, expressed his hope that Schwarzenegger would "acknowledge the solid vote of approval" from California's lawmakers and quickly sign the measure. Cheney added that AB 1656 would help strengthen consumer confidence in payment card security while enforcing increased transparency at retailers that are hit by breaches.

Melissa Ameluxen, a lobbyist for the Rancho Cucamonga-based CCUL, said in an interview today that the removal of the clause requiring retailers to foot the bill for card replacements should go a long way toward countering opposition to the bill. "The governor's office gave us an indication that removing that part of the bill would help us move closer" to getting it signed into law, she said.

In addition to that change, two smaller modifications have been made to the original bill that Schwarzenegger vetoed. One allows retailers to retain certain kinds of data needed to process recurring payments. The other removes a previous requirement that retailers specify the exact date on which a breach was thought to have occurred. Instead, the bill now mandates that they provide only a range of dates during which a breach might have taken place, Ameluxen said.

Analysts and the retail community have been closely following the progress of the bill, which is one of the first of its kind in the country and would put some strict new requirements on businesses. For instance, AB 1656 would prohibit retailers and other organizations that handle payment card transactions from storing certain types of cardholder data even if the information is encrypted. Prohibited data types include the full contents of the magnetic stripes on the back of cards, as well as PINs and both card and payment verification codes.

Companies also would be required to set formal data retention and disposal policies for limiting the amount of cardholder data they retain and the length of time is stored. And all credit and debit card data transmitted over public networks would need to be encrypted or otherwise rendered indecipherable.

On the noti