By  on October 5, 2007

SAN FRANCISCO — Retailers are asking California Gov. Arnold Schwarzenegger to veto a bill that might make them liable for costs caused by breaches in electronic security.

The bill would hold merchants or others accepting credit card payments, such as government agencies and nonprofit groups, responsible for reimbursing banks for the cost of issuing new cards and notifying consumers of suspected breaches. However, merchants would be absolved of liability if they prove they followed security standards outlined in the law.

Opponents of the measure, which passed both houses of the state legislature, argue it could result in merchants paying millions of dollars to compensate banks for reissuing credit cards, as well as to consumers, who retailers fear could sue for damages caused by misuse of stolen financial or personal information. Retailers, banks and credit card companies have battled before over responsibility for security lapses.

Consumer advocates argue the more definitive law would ensure vigilance against computer hackers.

"All too often retailers and other businesses make it easy for crooks to get their hands on our sensitive personal information," the Consumer Federation of America wrote in a letter to Schwarzenegger, urging him to sign the bill.

Meanwhile, the National Retail Federation this week urged credit card companies to allow merchants to destroy credit card numbers sooner than the 18 months they are currently required to keep them. Such a move would cut down on the amount of information that could be pilfered by computer thieves, the NRF said.

The California bill updates a state data-protection law that requires merchants, nonprofits and state agencies to take "reasonable steps" to protect personal information such as credit card numbers, birthdays, Social Security numbers and addresses. While the existing law also requires these entities to tell consumers about suspected data breaches, they don't have to say where the breach came from, when it occurred or what information might have been taken unless a customer asks in writing.

Under the new legislation, notice of suspected security breaches would have to include such specifics. In addition, the measure spells out security steps required to protect credit card information, such as not storing the full contents of a "data track" from a credit card purchase even if encrypted. All personal data from a transaction would also have to be deleted within 90 days of a purchase.

California retailers oppose the required three-month purge of consumer data related to credit card purchases. Such information, like addresses and card numbers, is often used to track returns and maintain customer loyalty discount programs, as well as shipping addresses that are used to verify credit cards on e-commerce sites.

"This bill unduly limits the use of credit card information," the California Retailers Association and 40 other business groups and telecommunications companies said in a letter to Schwarzenegger, urging him to veto it. "It also creates a new potential for litigation against those entities and imposes additional financial liabilities."

The governor has until Oct. 14 to act on the legislation. A spokeswoman said Schwarzenegger hasn't taken a public position. A two-thirds majority of the senate and assembly would be required to override a veto. California would be the second state to enact such a bill. Minnesota took action in August. Texas, Connecticut, Massachusetts and Illinois are considering similar bills. Legislation in Congress that would create a national standard has been under consideration in committee.

Three years ago California was the first state to enact a data security standard to counter computer hacking. Credit unions led the push because they don't want to be saddled with issuing new credit cards at a cost of $5 to $15 each. "If you get two or three of these security notices a year you're starting to lose confidence in your bank," said Ron Fong, chief lobbyist for the California Credit Union League.
