California moves closer to making retailers responsible for data breaches

Share this article:

California, which has the most stringent consumer and data privacy laws in the country, has moved a step closer to forcing retailers — rather than financial institutions — to notify consumers when theyve suffered a data breach.

The state Senate Judiciary Committee passed AB 779 on a 3-to-1 vote, bringing it into step with the state Assembly, which in June approved a matching breach notification bill, authored by Assemblyman Dave Jones, D-Sacramento.

As with California SB 1386, which requires financial institutions to notify California consumers when they lose personal information, the bill would apply to all companies doing business with state residents.

"This is good for consumers. It's a bill that's long overdue," said Joe Ridout, a spokesman for Consumer Action, a non-profit consumer-advocacy group. "Putting the responsibility on retailers is appropriate when there's been a data breach because retailers simply shrug off the burden and pass the mess they've made off to consumers."

The assembly bill, passed with overwhelming bipartisan support, would require retailers to notify consumers after losing credit or debit card information. Retailers would be required to pay for the cost of notifying consumers and replacing their cards, and they would be forced to follow Payment Card Industry (PCI) standards, which mandate security for credit and debit card information.

California's legislation is "the reason why many people in other states have been notified" of data breaches in the last couple of years, Ridout said. He pointed to the ChoicePoint data breach of February, 2005, which became well known because of SB 1386.

The bill faces approval by the Senate Appropriations Committee this summer, then a vote by the full Senate. The bill then must be signed into law by Gov. Arnold Schwarzenegger, a Republican.

Such a law could serve as a model for federal policy, although efforts to pass similar federal legislation have stalled in committee in both houses of Congress.

Minnesota legislators passed a similar bill, the Minnesota Plastic Card Security Act, which regulates the storage of consumers’ personal information after a purchase.

Get more IT security news. Click here for SC Magazine Blogs.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.