California Passes Data Breach Bill Without Reimbursement Provision
SACRAMENTO, Calif. -- The California Assembly has passed a card data breach bill, but it lacks retailer reimbursement for the card issuers.
Assembly Bill 1656 largely duplicates the card data breach bill that the legislature passed last year but with a few notable differences.
First, where previous bills mandated card data security standards based on card industry standards, this year's bill allows businesses to retain card data necessary to process recurring payments.
Second, this year's bill allows compromised retailers to use a date range, rather than a specific date, in the breach report. This change was made to mitigate the chance that the notification would tip off hackers as to which compromise approach worked best.
Finally, while last year's bill mandated that retailers with compromised systems reimburse card issuers for the costs of closing accounts and reissuing cards, this year's bill dropped the reimbursement requirements.
"That was probably the most significant compromise we had to make to give the bill the greatest chance of passage and being signed into law," explained Elissa Ameluxen, state legislative and regulatory lobbyist for the California Credit Union League.
Credit unions in California and around the country have sought laws mandating such reimbursement, arguing that without it, retailers lack incentives to change their data protection practices.
But Ameluxen said the bill's backers hoped that the increased public notification requirements in the bill will be incentive enough for retailers to protect card data.
"What we're hoping is that now that retailers will have to be the ones to contact consumers and say, 'Yes, your card was breached in our store during this time' and own that failure, [it] will provide a sufficient incentive to retailers to put the safeguards in place."
Last year's bill included a reimbursement requirement, but Gov. Arnold Schwarzenegger (R) vetoed it, in part because there was not a "safe harbor" provision to that reimbursement requirement. Ameluxen explained that dropping the requirement was considered the key structural change that had to be made to get the measure passed and hopefully signed.
"There is no doubt that there is a lot of widespread disappointment [about the loss of the reimbursement requirement]," Ameluxen said. "But there is also a lot of excitement too about the chance of getting a signature on the bill."
That excitement shone through in a league announcement on the bill's passage and a statement from CUNA Mutual, which also backs similar laws around the country.
"This has been a two-year battle to pass legislation that provides consumers substantial new protection from retail data breaches," said Bill Cheney, CCUL president/CEO. "We urge the governor to acknowledge the solid vote of approval from the California legislature by quickly signing the bill into law."
The bill was passed by a 34-3 margin in the Senate, and a 74-1 margin in the Assembly, the league reported.
"We are very supportive of AB 1656 and the plastic card legislation passed with even greater majorities in the legislature. Because of the California Credit Union League's work to refine the bill in 2008, we are hopeful that the governor will sign this bipartisan legislation and enhance the protections of consumer financial privacy. With data breaches in the news on a daily basis, it is prudent to take this action now," said Christopher Roe, senior vice president of corporate and legislative affairs for CUNA Mutual Group.
"With changes made to the bill and the overwhelming support of Republicans, the legislation is in a better position, and we are hopeful that the governor will sign it," he added.
Ameluxen would not entertain such a prediction. "It's extremely difficult to predict any action on any given bill," she said. She acknowledged that the bill's supporters had been working with the governor's office on the measure, but she was not sure that would be enough. She noted that California retailers have not abandoned their opposition to the measure.
"From their perspective they have little to lose," she said. "Right now they don't have to spend the cost for increased card security; [they] can risk data breaches and not pay."
Gov. Schwarzenegger has until Sept. 30 to sign or veto the bill.