California, a leader among states in consumer privacy and protection legislation, is a single signature away from passing a closely watched bill that would require retailers to reimburse banks and credit unions for the costs of data breaches.
The California State Assembly this week unanimously approved amendments to AB 779 added by the State Senate a week ago. The bill, known as the Consumer Data Protection Act, now requires just the signature of California Gov. Arnold Schwarzenegger, a Republican, to become law.
Schwarzenegger is expected to sign the bill, Keri Bailey, a lobbyist for the California Credit Union League, an organization in favor of AB 779, told SCMagazineUS.com. If he does - and he has until about mid-October to do so - California will become the second state with such a law; Minnesota has already passed similar legislation.
The latest California bill will have a similar effect on data breach laws as did the state's data breach notification law (SB1386), with many other states likely to follow, Mari Frank, an expert on identity theft and a victim of the crime herself, told SCMagazineUS.com.
"Every time California has passed a privacy law, it had a ripple effect across the country," Frank said. "California has taken the initiative on all of these - it was the first state to pass security breach legislation in 2003, and California is one of few states that even has privacy in its constitution."
Bailey agreed. "It's important for us to do this in California because Congress has not taken action, so we have no choice [but to tackle key privacy and consumer-protection issues]," she said. "Congress is still fighting over what committee should hear this matter, and we said, 'Enough is enough, we'll do it in California if Washington D.C. won't take action.'"
The original bill, authored by Assemblyman Dave Jones, D-Sacramento, mandated that a breached retailer or government agency reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. It also requires retailers to disclose complete details about breaches, including a description of the types of personal data compromised, and prohibits retailers from retaining a variety of authentication data stored on magnetic stripes on the back of credit and debit cards.
The amended bill narrows the scope of potential reimbursement liability, Bailey said. Merchants who suffer a breach but who followed accepted security guidelines may be excused from reimbursing the financial institutions impacted by a breach, she explained.
With those costs running between $12 and $15 per credit card replaced after a breach, reimbursement could have a significant negative impact on retailers who suffer a breach, she said. "Financial institutions will spend $330 million notifying consumers and replacing cards [as a result of the TJX data breach]," she said.
Schwarzenegger has "been a great governor for consumers, and has shown a lot of initiative with his own agency and other state departments to ensure they're following appropriate data security protocols," Bailey said. "We'll be working over the next month to make sure he hears our message, and ultimately, we think he'll sign" the legislation.