Gov. Schwarzenegger Shoots Down Data Breach Bill

The proposed California law, known as the Consumer Data Protection Act (AB 779), would have required retailers to adopt security best practices for securing credit cardholder data, which include not storing magnetic stripe data and payment verification codes, as well as refraining from sending unencrypted credit card data over the Internet.

However, AB 779 would have gone a step further than PCI by holding retailers responsible for the costs associated with security breaches, including replacing cards and notifying customers.

By raising the bar for security, AB 779 would have likely generated more business for solution providers. But some feel the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements drawn up by major credit-card companies for securing cardholder data, is a better approach to the problem.

Andrew Plato, president at Anitian Enterprise Security, a security specialist in Beaverton, Ore., believes Schwarzenegger made the right call by vetoing the legislation.

"AB 779 was onerous to businesses, especially small ones. The PCI standard is a solid set of guidelines that is still creating a lot of compliance related work for the channel," said Plato.

In a letter to the California Legislature, Schwarzenegger said that PCI has already established minimum data security standards for storing, processing, and transmitting credit card data.

"[The credit card] industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace," Schwarzenegger wrote.

Another troublesome aspect of AB 770 is that retailers would have been required to dispose of consumers' personal information within 90 days, as opposed to PCI, which simply says this should be done within a reasonable time frame, according to Pamela Fredericks, director of security advisory services at Forsythe Technology, Skokie, Ill.

"Any retailer that's maintaining personally identifiable information has to look at all the places where that data is stored, and there's a ton of work to be done for any organization to comply with the very stringent and specific disposal requirements," said Fredericks.

John Kindervag, senior security architect at Vigilar, an Atlanta-based integrator, says some of the security measures spelled out by PCI may be expensive for companies to implement, but actually do pay long term dividends.

"PCI includes a lot of auditing and logging mandates, but the thing I get pushback on the most is encrypting credit card data when it's stored. But in their training sessions, Visa says that if everyone did this, it would eliminate 80 percent of credit card data breaches," said Kindervag.

Minnesota is another state that has dipped its toes into the waters of data breach security legislation. The state's H.F. 1758 bill was the first legislation to put the burden of liability for credit card breaches on retailers, but has been widely criticized by security experts for being too vague.

It's always a source of concern when the government decides to step in and mandate specific technical standards for problems that are better left to the private sector, Plato said.

"Government regulations tend to foster an 'opportunist environment' in which hucksters sell 'feel-good' solutions that deliver very little improvement in information security," said Plato.