October 26, 2007 - This week California Governor Arnold Schwarzenegger vetoed a bill that would have toughened California law regarding data breaches. The law would have forced businesses that store credit card data to implement stringent data storage procedures and follow strict data security protocols. The alternative would have been to risk the prospect of having to reimburse banks and individuals for the costs associated with data breaches.
The new law would not have been the first of its kind. Minnesota has already enacted similar legislation. But had the bill become law in California, other states would likely have followed suit quickly.
In his veto statement, Schwarzenegger said that the bill "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers." He went on to say that had the bill become law, it would have put California law at odds with accepted data storage procedures.
Merchants had complained that they already pay for data breaches through transaction fees. Unfortunately, as long as those transaction fees are spread out among retailers, there is little incentive for individual retailers to take more expensive corrective actions to protect the data they store.
Word of Schwarzenegger's veto came at about the same time that it was revealed that the data breach by retailer TJX, operator of TJ Maxx and Marshall's Stores, was much larger than previously thought. TJX has been saying that the data breach may have affected as many as 45 million people in the United States and Canada. But in court papers filed by banks, Visa and MasterCard - who are also suing TJX - as many as 94 million Visa and MasterCard holders in 13 countries may have also been exposed. The papers indicate that Visa's fraud losses alone due to the breach may be as high as $83 million. It is also clear from the filings that the banks and credit card companies expect these losses to continue to accumulate as more and more of the breached data is used by criminals.
A Canadian government investigation conducted by Privacy Commissioner Jennifer Stoddart concluded last month that hackers had intercepted wireless transfers of customer information at various Marshall's stores in the Miami, Florida area. The break-in allowed the hackers to have undetected access to TJX's entire customer databases for more than a year.
The TJX case shows that retailers have a clear responsibility to protect the data of their consumers. When they don't, they should be held accountable. At ACCESS it is our hope that California and other states will revisit this issue in the near future. As it stands today, Minnesota is the only state with a data breach law that assigns financial responsibility for data breaches to the person or company that actually was responsible for the breach in the first place.
by Jim Malmberg