California Bill Aims at Breach Liability
Two California legislators have introduced a bill which could take the strongest stand in the country on retailer responsibility for consumer data breaches.
Assemblyman Roger Dickinson (D-Sacramento), chairman of the Assembly Banking and Finance Committee, introduced AB 1710 along with Assemblyman Bob Wieckowski (D-Fremont), chairman of the Assembly Judiciary Committee.
“Recent breaches emphasized the need for stronger consumer protections and awareness. The retailers affected by the recent mega data breaches are not the first nor will they be the last,” Dickinson said when introducing the measure on April 3.
“AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information,” he added.
“Consumers need increased protection from the large data breaches that are occurring across the country,” said Wieckowski. “By improving the way sensitive information is retained and how consumers are alerted when breaches occur, AB 1710 will better protect customers' personal information.”
The bill would ban retailers from storing consumer data, even when encrypted, past a point where it is actually needed as well as “sensitive authentication data” even if that data is encrypted.
Sensitive authentication data includes the full contents of any payment card’s magnetic stripe, the card verification code or PIN, the bill said.
But it is the bill's liability provisions which have drawn attention. AB 1710 would make a person or business liable for the reimbursement of all reasonable and actual costs of providing notice of a breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and for the reasonable and actual cost of card replacement as a result of a breach, to the owner or licensee of the information.
The bill follows a joint hearing before members of both committees that outlined the fallout from the breaches at Target and other retailers, a hearing where California Credit Union League CEO Diana Dykstra urged legislators to take action on the issue.
“Where California has stopped, some other states have kept going to address the inequities and lack of responsibility that currently exist in the system," Dykstra observed at the Feb. 18 hearing. “Retailers have no real security standards, no financial responsibility when a breach occurs and no mandate to notify the public and hinder the financial institutions’ ability to inform the consumer where the breach occurred.
“Unfortunately, both state and federal laws, as they exist today, allow merchants to abandon that responsibility, leaving consumers exposed.”