California’s closely watched data-protection bill has hit a bump on its road to becoming state law, following Gov. Arnold Schwarzenegger’s veto on Saturday.
The bill, officially titled Assembly Bill 779, had previously passed both houses of the California Legislature by wide margins.
But AB 779 had been sharply criticized by a number of Internet, telecom and retail companies and business associations, on concerns it would force them to undertake more stringent, and potentially more costly, data protection measures. Meanwhile, consumer protection groups, credit unions and state law enforcement groups supported the bill.
In his veto Saturday, Schwarzenegger sided with industry concerns. Among the problems detailed in his response to the Legislature, the Republican governor said AB 779 would add unnecessarily to existing protections.
“The marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” he said.
The bill, one of the toughest in the nation, would prohibit a company doing business with California residents from “storing, retaining, sending, or failing to limit access to payment-related data … unless a specified exception applies.”
Businesses are also generally forbidden from retaining “sensitive authentication data subsequent to authorization,” including card numbers, PINs, and verification codes. Account numbers are likewise prohibited, unless “in a form that is unreadable and unusable by unauthorized persons anywhere it is stored.”
The bill would be stronger, more specific and require businesses to store far less data from their transactions. California law currently requires businesses to take “reasonable” steps to destroy customer records, maintain security measures, disclose security breaches, and provide customers with information regarding disclosure of personal information to third parties, on request.
Consumers are allowed under current rules to file a civil action to seek damages from companies in violation of the law.
California Assemblymember Dave Jones (D – Sacramento) introduced AB 779 in February, in the wake of the massive, 18-month-long data breach suffered by TJX Companies. During that information loss, it’s estimated that hackers gained access to 45.6 million credit and debit cards.
TJX, which owns more than 2,200 North American stores, including T.J. Maxx and Marshalls, first notified the public about the breaches in mid-January. The full extent of the data loss surfaced only in March.
Last month, a report by Canadian researchers concluded that TJX had failed to take stronger wireless networking protective measures, and stored too much consumer data.
Under AB 779, data may be transmitted over public networks only if “the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable.”
The bill also specifies that businesses must alert state authorities, consumers and third-party users of consumer data about a breach in which data may have been acquired by unauthorized parties.
According to the text of the bill, that alert must be “in plain language… [and] immediately following discovery.” Affected businesses also must provide specifics to consumers about the data they lost, and offer a telephone number or e-mail address for consumer questions about the breach.
But Schwarzenegger said in his veto message Saturday that passing AB 779 would add unnecessary burden for businesses, particularly smaller companies. That problem could be worsened by what he described as the bill’s failure to specify when, and for how long, a business is actually responsible for consumer data.
He also said that the payment card industry already bears the brunt of responsibility when it comes to ensuring safety in storing, processing and transmitting credit and debit information.
Credit card companies have established “minimum data security standards” for such activities, he said. The industry can enforce those standards on participating merchants, and can move faster and more effectively to curb problems than can lawmakers.
“This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace,” he said, adding that the bill has “the potential for California law to be in conflict with private sector data security standards.”
Not everyone was thrilled with the development.
“Big business, hackers and ID thieves won today, and consumers and common sense lost,” Jones, the bill’s sponsor, said in a statement. “I’m shocked and disappointed that the governor thinks our personal information should be left out in the open for identity thieves and hackers to pilfer.
“If your slack security leads to a data breach then you ought to pay for what you caused — ‘you broke it, you bought it,’ as retailers like to say,” he said. “How could anybody disagree with this, let alone the governor?” Jones was traveling abroad and could not be reached for further comment.
Similarly, the California Credit Union League, another bill supporter, fired back at the veto.
“We’re a little bit surprised,” said Keri Bailey, a lobbyist for the League. “We sent the governor a solid piece of legislation that enjoyed broad bipartisan support — overwhelming, in fact. So we were a little disappointed with the veto.”
Because of its wide bipartisan support in the California Legislature, however, Saturday’s veto may not mean the end of the bill. AB 779 can be brought back in a vote to overrule Schwarzenegger, although the bill must then receive a two-thirds vote from both the California Senate and Assembly.
That outcome seems likely, considering that in September, AB 779 passed the Assembly and Senate with supermajorities of 73-0 and 30-6, respectively — both well above the 54 and 27 votes needed in each house to overrule a veto.
“This was not a partisan issue,” Jones’ spokesman Robert Herrell told InternetNews.com. “To use the governor’s own terminology, this issue was ‘post-partisan.'”
Herrell said the assemblyman has not yet made any decision whether to push for a possible veto override.
Such a vote could not take place until January at the earliest, once the California Legislature returns from recess.
“The governor did clearly indicate there is a problem and he is looking for that problem to be solved, and we’re looking forward to coming back next year,” Bailey said. “The way we look at it, this is round one and we’re thinking about round two.”