Governator Vetoes Bill

California’s Governor, Arnold Schwarzenegger, vetoed the state Legislature’s second attempt to pass a Consumer Data Protection Act. While the new bill softened some provisions found in the original, such as the requirement that a breached organization reimburse financial institutions for the cost of replacing credit cards, it remained a flawed bill in many respects.

By vetoing the bill, the Governor once again concluded that adequate protection already exists. Schwarzenegger wrote, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.”

I had a chance to talk about the proposed legislation last month. During the discussion, I expressed my hope that the Governor would again veto the bill, because I saw it as an inadequate attempt to define appropriate data handling requirements with only one possible outcome: litigation.

The bill meant well, but it falls short of providing any significant new value and includes minimal guidance on how to minimize the potential loss of data. Its technical focus is limited to storage and transmission, suggesting that businesses:

1. Don’t store consumer data, even if it’s encrypted
2. Encrypt data that is being transmitted on open networks

These aren’t unreasonable requests…

Inappropriate customer data storage and transmission have been the leading culprits in several recent breaches. Unfortunately, storage and transmission breaches are only the tip of the iceberg. Businesses continue to lose sensitive data through wireless access points, weak passwords, weak encryption, vendor default or contractor passwords, systems compromised by key loggers, trojans, and more. Plain and simple: if a business handles a meaningful volume of credit card data, there is a high probability someone is looking for a way to get it.

Considering all the risks, and the reality that security can be expensive, don’t we need legislation?

Perhaps… but not this legislation.

It didn’t highlight many of the possible attack vectors, and PCI already enforces everything the proposed legislation would offer. Given the California bill’s shortcomings, I wonder who the target audience was for the bill. Were they serious about requiring businesses to protect the data, or was their agenda focused on generating evidence to assign blame?

Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur, and that’s where California led the way with disclosure legislation. In my opinion, this legislation was ill-conceived, and I hope it won’t be back.

What do you think?

This post was written by Michael Maloof, who has written 6 posts on TriGeoSphere.


1 Comment For This Post

  1. Bob Nelson Says:

    I agree with the Gov. This is not good legislation, and may have some redundancy. This was probably written by trial lawyers. Gov. S. was right in saying there is already legislation that covers these areas. (See the FACTA Act of 2003 and 2008.) The FACTA Act gives individuals the right to recover the cost of identity theft from the business involved. Although as of July 2008, FACTA is also in trouble because of court rulings. One court has ruled that FACTA 2008 forces undue hardship on small businesses because of a vague compensation clause. The court ruled that it may force some small businesses into unnecessary bankruptcy. FACTA is the law that gave consumers the right to free credit reports, etc., if their identity is stolen. (See http://www.privacyrights.org)