informa
News

Schwarzenegger Terminates CA Retail Data Security Law

Minnesota remains only state to outlaw retention of credit card data

Governor Arnold Schwarzenegger Saturday put the kibosh on California's bid to become the second state in the U.S. to pass a law forcing retailers to discontinue the practice of retaining customer credit card data.

The bill would have banned merchants from collecting sensitive consumer data unless they had a data retention policy. Even then, they would be severely limited on what information they could collect, and how long they could retain it. The bill also would have made merchants liable for reimbursement of some recovery costs if customers' data was stolen from them.

The state of Minnesota earlier this year passed a law that essentially outlaws the retention of credit card data for more than 48 hours. By that law, the merchant becomes liable for some damages if customer credit data is held longer than 48 hours and then is lost via a security breach. Those damages could include costs to the card issuer, such as banks, which have footed most of the bill for previous retail breaches, including the one that occurred at TJX Companies. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Experts say the California bill was more nuanced, and allowed merchants to escape liability if they held to a number of specific security guidelines. (See TJX Breach Skewers Customers, Banks and NAC: Can't Get No Satisfaction.)

But Governor Schwarzenegger said the compliance requirements are too stiff for small businesses, which have lobbied against the new law. The law also could conflict with industry standards such as the Payment Card Industry's Data Security Standard, he said. While the California legislature considers whether it has enough votes to override the veto, the governor invited the lawmakers to submit a reworked version of the bill.

Legal experts generally agreed with Schwarzenegger that the language of the California bill is problematic and leaves some unanswered questions about how it will be enforced.

"If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur," noted Benjamin Wright, an expert in computer law, in his blog following the bill's passage. "This scheme for imposing liability does not seem fair or rational. It requires perfection."

The new laws could also put a heavy burden on law enforcement and court systems, which would be tasked with somehow monitoring the compliance of retail institutions and prosecuting the offenders, experts noted. Some 200 merchants already have been sued for violation of the Fair and Accurate Credit Transactions Act, which requires credit card handlers to truncate all credit information so that only the last few numbers of an account can be read, notes Deborah Thoren-Peden, an attorney at Pillsbury, Winthrop, Shaw, and Pittman.

Some critics have also said that the new laws are redundant with regulations laid out by the credit card industry under PCI. David Taylor, president of the The Payment Card Industry Security Vendor Alliance (PCI SVA) and an executive at Protegrity Corp. , says most PCI auditors and vendors welcome the attention created by the new legislation, but they wonder how it will be enforced.

"The question is: 'Who's going to be in the merchant's face every day to see whether they are in compliance, and what rules of compliance will they be held to?'" Taylor wonders. Minnesota's law doesn't lay out the requirements for compliance, where the PCI regulations are very detailed and specific, he notes.

"In the end, are merchants going to see a government auditor every Monday and a PCI auditor every Thursday?" Taylor asks. "I'm not sure that the government is staffed for that sort of monitoring." Minnesota's law also isn't clear on how to handle common retail practices, such as automated monthly billing and customer purchase analysis, which may require the use of customer data for a period of more than 48 hours, he notes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: