CA Bill Would Make Bad Security Costly To Retailers
Move over data breach notification laws: There's a tough new bill in town, under which banks and credit unions could get money back from breached retailers that didn't do right in protecting credit or debit card information.
This new data breach reimbursement bill is sitting on the desk of California governor Arnold Schwarzenegger, awaiting his signature. The bill, AB-779, will require that the "breached entity reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards."
With his signature, Governor Arnold Schwarzenegger will enact "The Consumer Data Protection Act." Information security and privacy expert Rebecca Herold says this bill may open the floodgates of legislative action across state lines, as last seen when California SB 1386 was enacted as the first state data breach notification law several years ago. That law was the first to require companies to notify victims when their information was stolen from the company. To date, more than 36 states have enacted this type of notification law in one form or the other.
The latest measure was sponsored by the California Credit Union League (CCUL). In its first draft, the bill mandated a breached entity must reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. Retailers would be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised. In addition, the bill would also explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.
However, last minute amendments stripped down the scope of potential reimbursement liability from costs "not limited to" notification and card replacement to notification and card replacement costs only. A new liability mitigation provision was also added that would allow a retailer to be excused for all or a portion of reimbursement costs if it can show that it was in compliance with all security requirements under the law at the time of the breach.
That being said, even notification and card replacement costs alone can carry a hefty price tag, especially for smaller asset-sized institutions, notes Herold. The idea that retailers will be held responsible for data protection is new. "I think that this should motivate companies to be more vigilant in their information security and privacy programs."
Right now, there are very few fines and regulations against those types of companies, Herold says. "This law would provide banks and credit unions the ammunition they need to go after bad retailers," she says. "They'll know that banks and credit unions can come after them; they'll be forced to shape up. If they thought it was just civil action from an individual consumer, they're not as motivated."
Things will change with banks and credit unions entering the fray. "Now a financial institution comes to a company and says your breach cost me $2 million, I want to be paid," Herold says. "This will carry a heavier weight with the companies that do not have strong information security in place."
Comparing this bill to the ground-breaking California SB 1386 data breach notification bill, Herold predicts other states will follow. "Yes, it will be a headache for security officers, it will make their life harder," Herold says. "But one bright spot to consider is it will help funding of their programs."