The fate of AB 779 (Jones) lies with Governor Schwarzenegger. It is a commonsense measure that would add retailers and state government to the parties that share responsibility, under California’s data breach notification law, for preventing these breaches through better protection of consumer information.
It received its final passage in the Assembly 73-0 in September with 47 of 48 Democrats in support and 26 of 32 Republicans voting for it. Before its final amendments it had previously passed the Assembly in June on a 58-2 vote. It passed the California State Senate on a 30 to 6 vote with the support of 22 of 25 Democrats and 8 of those often difficult 15 Republican Senators.
Its author, Assemblymember Dave Jones, worked with a number of groups to make sure that it was a workable law, and the bill won the support of an impressive array of consumer, business, and law enforcement groups fighting identity theft and the abuses of retailers that do not comply with the contracts they have made with credit card companies. Sponsored by the California Credit Union League, it is supported by Consumers Union, the Los Angeles County District Attorney’s office, Los Angeles County Sheriff’s Department, the Consumer Federation of California, Privacy Rights Clearinghouse, the California State Employees Association, AFSCME – American Federation of State, County and Municipal Employees, the California Public Interest Group (CalPIRG), and the Sacramento County Sheriff’s Department, to name a few. The LA Times, San Francisco Chronicle, and Riverside Press Enterprise editorialized in support of the bill, recognizing its importance.
Yet its fate is uncertain because of a massive behind the scenes lobbying effort by the California Retailers Association and the California Chamber of Commerce. In today’s LA Times, Marc Lifsher has an article, “ID theft victims, retailers split on bill: The legislation, awaiting Gov. Schwarzenegger, would force retailers and financial institutions to adopt national standards to protect shoppers’ data they disclose,” that provides some of the details of this fight.
A number of bad apples amongst California’s retailers have a shoddy, shocking record of performance here, one that cannot withstand the light of day. Here is what Jones told the Governor in his letter asking for a signature so that this bill can become law:
“According to recent information published by Visa, which helped write the data security standards, only 40% of our largest retailers are following the PCI standards, despite the fact that they are currently contractually obligated to do so. As a result consumers are put at risk of data breaches, credit and debit card fraud, and ID theft. And financial institutions also bear the substantial costs of notifying consumers and reissuing compromised credit and debit cards, all because common-sense rules aren’t being followed by retail establishments. The best data breach is one that never happens – AB 779 will prevent data breaches, pure and simple.”
Here’s what AB 779 would do:
First, AB 779 requires that the security breach notices sent to consumers be more consumer-friendly by requiring that the notices be written in plain language and:
• Identify the date when the breach occurred
• Include a description of the information that was jeopardized due to the breach
• Include a phone number for the consumer to find out more about the breach
• Include the toll-free numbers of the three major credit reporting agencies
Second, AB 779 requires that the entity responsible for the data breach pay the costs of providing notice to consumers about the breach and the cost of card replacement if data protections weren’t followed.
Third, and most importantly, to avoid future data breaches AB 779 implements portions of existing industry standards (the Payment Card Industry data security standards) that require entities to retain only the personal information they must have, and only if that information is adequately protected.
What’s most curious in all of this is that there are elements in the business community that recognize there is a problem here and have supported measures such as the bill that Jones has carefully crafted:
• Douglas Johnson, senior policy advisor for the American Bankers Association, said earlier this year that “Retailers need to be held to a higher standard; it’s as simple as that. If they are housing customers’ card data, they need to be held to the same security standards that we are. And if they have a problem with that, then I have a problem with them.”
• Minnesota recently enacted (in August) a similar law to what is on the table here in California. The Minnesota Bankers Association was supportive of that proposal.
• The Massachusetts Bankers Association, joined by other bankers’ associations, is the lead plaintiff in a lawsuit against TJX, identified in today’s LA Times article as operating T.J. Maxx and Marshalls discount chains, whose lax security resulted in hackers obtaining information on 46 million credit and debit cards. As Times reporter Lifsher points out, TJX settled the lawsuit stemming from that to the tune of $100 million.
• The President and CEO of VISA USA, John Philip Coghlan, believes strongly that retailers ought to do more to protect their data, thus making data breaches infrequent and minimally damaging. Mr. Coghlan said earlier this year that “the majority of compromises come from storage of prohibited data and using vulnerable systems to process data.”
• At the same VISA security summit earlier this year security expert Bryan Sartin with security service provider Cybertrust said “I’ve never seen an organization that’s compliant with PCI (the Payment Card Industry data security standards) that was at risk for a breach.”
Take a look at two quotes from the Massachusetts Bankers Association’s press release about the TJX lawsuit:
“With the possible exception of the banks from California that could also decide to join us, our New England institutions have had the most exposure to this massive data breach.”
“If we’re successful against TJX, the nation’s major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required.”
Governor Schwarzenegger should sign this important consumer protection legislation so that retailers are accountable for their actions. That’s why 103 of 120 legislators in California voted for this bill. It’s a matter of privacy of one’s records, plain and simple. Without it, we are all naked when we shop at many stores and shops in California, and there’s no excuse for that.