SACRAMENTO, Calif. -- California is poised to become the second state in the country to have a law in place that would move the card industry's data security standards into state law. The law would also give card issuers a way to recover losses when retailers that are in violation of those data security standards suffer breaches.
Minnesota passed a similar law earlier this year. Other state initiatives to pass similar legislation have all failed, generally for having run out of time before their legislative deadlines.
The bill is now on Governor Schwarzenegger's desk, where many expect it will be signed. However, the California Credit Union League is not taking the signature for granted and has kept lobbying in support of it.
The state Assembly originally approved the bill in June by a 55-2 bipartisan vote. Then, on Sept. 6, the Senate approved the bill, 30-6, with the amendments, necessitating the move back to the Assembly, the League reported.
"The passage of AB 779 by an overwhelming majority of both houses makes a very strong statement for protection of consumer data," said Bill Cheney, League president and CEO. "We are encouraged this positive momentum will carry forward as the Governor considers this landmark legislation."
If signed, the bill would require that consumers be notified of which retailer lost their credit/debit card information and when it was lost. It would also require retailers responsible for any lost credit/debit card information to assume all costs of notifying affected consumers, as well as the costs of replacing the compromised cards.
It would also require retailers to follow key provisions of the Payment Card Industry data security standards to ensure proper retention and protection of credit/debit card information.
"We would like to again thank Assemblyman Jones for his successful efforts, as well as recognize the contributions of credit union leaders and league staff in ensuring the passage of this bill in both houses of the state Legislature," Cheney added.
One thing the bill does not contain is a safe harbor provision for retailers, which is one reason Paul Dombrowski, CEO of the California Retailers Association, deplored it.
"Essentially, even if you have complied with the PCI standard, if you have a breach you still will have to go to court to indicate that you complied," Dombrowski said. A safe harbor would allow retailers to avoid going to court if they can show that their data security systems were compliant at the time of the breach.
Dombrowski also called the measure a "needless intrusion by the state" into the relationship between retailers and the major card brands, suggesting that the penalties and costs of maintaining data security belong to the contract between the card brands and the retailers.
He also predicted it would "open a can of worms" on other contentious issues between card issuers and retailers, such as credit card interchange.
Even though California is only the second state to have passed such a law, the size of its market gives the state an outsize impact, which Dombrowski said will only help catapult the issue to the federal level. "How much balkanization of card data standards are we going to have?" he asked.