California Governor Arnold Schwarzenegger vetoed Assembly Bill 779


October 13, 2007 | Posted by Jason T. Kuzma

On October 12, 2007, California Governor Arnold Schwarzenegger vetoed Assembly Bill 779, which would have required retailers that suffered a breach of the security of their systems to reimburse issuing banks for the reasonable and actual costs of providing notice to consumers and reissuing credit cards, debit cards, or other payment devices to those consumers.

AB 779 was unanimously approved by the California Assembly, with the California Senate passing it in a 30-6 vote. Despite this strong support in the legislature, Governor Schwarzenegger’s veto message stressed (i) potential conflicts between the bill and the Payment Card Industry (PCI) Data Security Standard (DSS) and (ii) the cost of compliance, particularly for small businesses:

this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards.

While I support many of the provisions of this bill, it fails to provide clear definition of which business or agency “owns” or “licenses” data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses.

AB 779 was based, in part, on provisions of the PCI DSS developed by the PCI Security Standards Council and, if not vetoed, would have become only the second law of its kind in the U.S. (Minnesota was the first state to pass a similar law, the Plastic Card Security Act, earlier this year.) Similar retailer liability bills are still being considered in the 2007 legislative sessions in Illinois and New Jersey, and several similar bills have failed in the 2007 legislative sessions in Connecticut, Massachusetts and Texas.
