New Legislation

CA Bill Would Make Bad Security Costly To Retailers

Move over data breach notification laws: There’s a tough new bill in town, under which banks and credit unions could get money back from breached retailers that didn’t do right in protecting credit or debit card information.

This new data breach reimbursement bill is sitting on the desk of California governor Arnold Schwarzenegger, awaiting his signature. The bill, AB-779, would require that the "breached entity reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards."

With his signature, Governor Arnold Schwarzenegger will enact “The Consumer Data Protection Act.” Information security and privacy expert Rebecca Herold says this bill may open the floodgates of legislative action across state lines, as last seen when California SB 1386 was enacted as the first state data breach notification law several years ago. That law was the first to require companies to notify victims when their information was stolen from the company. To date, more than 36 states have enacted this type of notification law in one form or the other.

The latest measure was sponsored by the California Credit Union League (CCUL). In its first draft, the bill mandated a breached entity must reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. Retailers would be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised. In addition, the bill would also explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.

However, last minute amendments stripped down the scope of potential reimbursement liability from costs "not limited to" notification and card replacement to notification and card replacement costs only. A new liability mitigation provision was also added that would allow a retailer to be excused for all or a portion of reimbursement costs if it can show that it was in compliance with all security requirements under the law at the time of the breach.

That being said, even notification and card replacement costs alone can carry a hefty price tag, especially for institutions with smaller asset sizes, notes Herold. The idea that retailers will be held responsible for data protection is new. “I think that this should motivate companies to be more vigilant in their information security and privacy programs.”

Right now, there are very few fines and regulations against those types of companies, Herold says. “This law would provide banks and credit unions the ammunition they need to go after bad retailers,” she says. “They’ll know that banks and credit unions can come after them; they’ll be forced to shape up. If they thought it was just civil action from an individual consumer, they’re not as motivated.”

Things will change with banks and credit unions entering the fray. “Now a financial institution comes to a company and says your breach cost me $2 million, I want to be paid,” Herold says. “This will carry a heavier weight with the companies that do not have strong information security in place.”

Comparing this bill to the ground-breaking California SB 1386 data breach notification bill, Herold predicts other states will follow. “Yes, it will be a headache for security officers, it will make their life harder,” Herold says. “But one bright spot to consider is it will help funding of their programs.”

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.