October 5, 2007

SAN FRANCISCO — Retailers are asking California Gov. Arnold Schwarzenegger to veto a bill that might make them liable for costs caused by breaches in electronic security.

The bill would hold merchants or others accepting credit card payments, such as government agencies and nonprofit groups, responsible for reimbursing banks for the cost of issuing new cards and notifying consumers of suspected breaches. However, merchants would be absolved of liability if they prove they followed security standards outlined in the law.

Opponents of the measure, which passed both houses of the state legislature, argue it could result in merchants paying millions of dollars to compensate banks for reissuing credit cards, as well as to consumers, who retailers fear could sue for damages caused by misuse of stolen financial or personal information. Retailers, banks and credit card companies have battled before over responsibility for security lapses.

Consumer advocates argue the more definitive law would ensure vigilance against computer hackers.

"All too often retailers and other businesses make it easy for crooks to get their hands on our sensitive personal information," the Consumer Federation of America wrote in a letter to Schwarzenegger, urging him to sign the bill.

Meanwhile, the National Retail Federation this week urged credit card companies to allow merchants to destroy credit card numbers sooner than the 18 months they are currently required to keep them. Such a move would cut down on the amount of information that could be pilfered by computer thieves, the NRF said.

The California bill updates a state data-protection law that requires merchants, nonprofits and state agencies to take "reasonable steps" to protect personal information such as credit card numbers, birthdays, Social Security numbers and addresses. While the existing law also requires these entities to tell consumers about suspected data breaches, they don't have to say where the breach came from, when it occurred or what information might have been taken unless a customer asks in writing.

Under the new legislation, notice of suspected security breaches would have to include such specifics. In addition, the measure spells out security steps required to protect credit card information, such as not storing the full contents of a "data track" from a credit card purchase even if encrypted. All personal data from a transaction would also have to be deleted within 90 days of a purchase.
