California Gov. Arnold Schwarzenegger, with strong urging from a lobbying alliance, has vetoed a stringent data protection bill that would have made merchants, not banks, responsible for reissuing credit cards and alerting customers following a breach.
The Consumer Data Protection Act, known as AB 779, which was vetoed in a surprise move Saturday only weeks after it had unanimously passed the California State Assembly, also would have required breach notification letters to include details on who lost the data and what type of information was stolen.
"Legislators felt people have a right to know who is not doing a good job protecting their information," Bob Arnould, senior vice president of government affairs at the California Credit Union League, which lobbied for the bill's passage, told SCMagazineUS.com today.
But a powerful coalition — including the state Retailers Association, Chamber of Commerce and Bankers Association — actively petitioned the governor to veto the legislation.
Schwarzenegger, a Republican, said in a message to the assembly that he decided to veto the measure because guidelines already exist that require merchants to protect cardholder data.
"This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," he said. "In addition, the Payment Card Industry (PCI) has already established minimum data security standards when storing, processing or transmitting credit or debit cardholder information."
Arnould said the measure would have more teeth than PCI [standards], the enforcement of which is left up to the card brands, such as Visa and MasterCard.
"The reason that legislation is needed is a majority of retailers are thumbing their noses at PCI standards and not complying," Arnould told SCMagazineUS.com today. "They decided they're going to save a buck and not protect people's data. Government is probably the only entity that is going to be able to solve the problem."
Plus, Arnould said, the bill would prevent costs related to reissuing cards or notifying consumers from being shifted onto the banks.
Bill Dombrowski, president of the California Retailers Association, told SCMagazineUS.com today that merchants already pay the card brands for breach-related costs as part of "interchange fees" each time they process a transaction.
He said there is no reason to initiate a measure that would supersede the PCI standard.
"Our view is that this is done better privately through contracts [with payment brands] and not through legislation," Dombrowski said.
Robert Herrell, legislative director for Dave Jones, the Democratic assemblyman who authored the bill, said he doubts that worries over fines from payment brands would propel merchants to improve their security posture.
"Because Visa and MasterCard are competitors, none of them want to push too hard on that front," Herrell told SCMagazineUS.com today.
In May, Minnesota Gov. Tim Pawlenty, a Republican, signed a similar bill – the Minnesota Plastic Card Security Act – which forces violators to reimburse financial institutions for all breach-related costs, including fraudulent purchases.
Arnould said that despite the veto, the proposal underscored the need for businesses to exhibit best data security practices.
"Other states are going to continue to press it," he said. "We're going to continue to press it. The governor did leave the door open and instructed the parties to go back to the table."