Retailers and California Chamber of Commerce Lobbying Governor to Veto Bill Requiring Them to Act Responsibly in Protecting Credit Card Data
By Frank D. Russo
The fate of AB 779 (Jones) lies with Governor Schwarzenegger. It is a commonsense measure that would add retailers and state government to the parties that share responsibility, under California's data breach notification law, for preventing breaches through better protection of consumer information.
It received its final passage in the Assembly 73-0 in September with 47 of 48 Democrats in support and 26 of 32 Republicans voting for it. Before its final amendments it had previously passed the Assembly in June on a 58-2 vote. It passed the California State Senate on a 30 to 6 vote with the support of 22 of 25 Democrats and 8 of those often difficult 15 Republican Senators.
Its author, Assemblymember Dave Jones, worked with a number of groups to make sure that it was a workable law, and the bill won the support of an impressive array of consumer, business, and law enforcement groups fighting identity theft and the abuses of retailers that do not comply with the contracts they have made with credit card companies. Sponsored by the California Credit Union League, it is supported by Consumers Union, the Los Angeles County District Attorney’s office, the Los Angeles County Sheriff’s Department, the Consumer Federation of California, Privacy Rights Clearinghouse, the California State Employees Association, AFSCME – American Federation of State, County and Municipal Employees, the California Public Interest Group (CalPIRG), and the Sacramento County Sheriff’s Department, to name a few. The LA Times, San Francisco Chronicle, and Riverside Press Enterprise editorialized in support of the bill, recognizing its importance.
Yet its fate is uncertain because of a massive behind-the-scenes lobbying effort by the California Retailers Association and the California Chamber of Commerce. In today's LA Times, Marc Lifsher has an article, "ID theft victims, retailers split on bill: The legislation, awaiting Gov. Schwarzenegger, would force retailers and financial institutions to adopt national standards to protect shoppers' data they disclose," that provides some of the details of this fight.
A number of bad apples among California's retailers have a shoddy, shocking record of performance here, one that cannot withstand the light of day. Here is what Jones told the Governor in his letter asking for a signature so that this bill can become law:
"According to recent information published by Visa, which helped write the data security standards, only 40% of our largest retailers are following the PCI standards, despite the fact that they are currently contractually obligated to do so. As a result consumers are put at risk of data breaches, credit and debit card fraud, and ID theft. And financial institutions also bear the substantial costs of notifying consumers and reissuing compromised credit and debit cards, all because common-sense rules aren’t being followed by retail establishments. The best data breach is one that never happens – AB 779 will prevent data breaches, pure and simple."
Here's what AB 779 would do:
First, AB 779 requires that the security breach notices sent to consumers be more consumer-friendly by requiring that the notices be written in plain language and:
• Identify the date when the breach occurred
• Include a description of the information that was jeopardized due to the breach
• Include a phone number for the consumer to find out more about the breach
• Include the toll-free numbers of the three major credit reporting agencies
Second, AB 779 requires that the entity responsible for the data breach pay the costs of providing notice to consumers about the breach and the cost of card replacement if data protections weren’t followed.
Third, and most importantly, to avoid future data breaches AB 779 implements portions of existing industry standards (the Payment Card Industry data security standards) that require entities to only retain the personal information they must have if that information is adequately protected.
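The third provision is the technical heart of the bill: retain only the cardholder data you actually need, and protect what you retain. As an added example (not code from the article, from AB 779, or from the PCI standards themselves), here is a small Python retention filter and audit that implement that rule the way a merchant's order system might. The field names, the set of prohibited keys, and the sample authorization message are all constructed for this illustration; the categories of data that PCI DSS forbids storing after authorization (full track data, the card verification code, and the PIN) and the first-six/last-four truncation rule are taken from the standard.

```python
# Added example, not part of the original article or the bill text: a
# post-authorization retention filter plus an audit of what is already stored.
import re

# Sensitive authentication data that PCI DSS forbids storing once a
# transaction has been authorized: full magnetic-stripe track data, the
# card verification code (CVV2/CVC2/CID) and the PIN or PIN block.
# The dictionary keys used to carry them here are assumptions for the example.
PROHIBITED_AFTER_AUTH = frozenset({"track1", "track2", "cvv2", "pin", "pin_block"})

# Fields a merchant legitimately needs for fulfilment, refunds and chargebacks.
# Zip code is kept because mail-order merchants need it operationally.
OPERATIONAL_FIELDS = frozenset(
    {"pan", "expiry", "cardholder", "zip", "amount_cents", "auth_code"}
)


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits of a card number and replace
    the rest with '*'. Truncation is one of the methods PCI DSS accepts for
    rendering a stored primary account number unreadable."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> tuple[dict, list[str]]:
    """Return (record that may be persisted, prohibited fields that were present).
    The input is the raw authorization message; the output is what may be
    written to the order database. Everything not operationally needed is dropped."""
    violations = sorted(record.keys() & PROHIBITED_AFTER_AUTH)
    kept = {k: v for k, v in record.items() if k in OPERATIONAL_FIELDS}
    if "pan" in kept:
        kept["pan"] = truncate_pan(kept["pan"])
    return kept, violations


def audit_stored_records(records: list[dict]) -> list[tuple[int, str]]:
    """Detection control for the policy above: scan records already on disk
    and report (record index, finding) for every prohibited field still
    present and for every card number stored in full rather than truncated."""
    findings: list[tuple[int, str]] = []
    for i, rec in enumerate(records):
        for field in sorted(rec.keys() & PROHIBITED_AFTER_AUTH):
            findings.append((i, field))
        raw_pan = str(rec.get("pan", ""))
        digits = re.sub(r"\D", "", raw_pan)
        if "*" not in raw_pan and 13 <= len(digits) <= 19:
            findings.append((i, "pan_unmasked"))
    return findings


# Constructed sample: the kind of message a point-of-sale or web checkout
# receives back from the processor. Card number is a well-known test number.
SAMPLE_AUTH_MESSAGE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cardholder": "Jane Q. Public",
    "track2": "4111111111111111=29121010000000000000",
    "cvv2": "123",
    "zip": "95814",
    "amount_cents": 4599,
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    safe, found = sanitize_for_storage(SAMPLE_AUTH_MESSAGE)
    print("prohibited fields stripped before storage:", found)
    print("record written to the order database:", safe)
    print("audit of the raw message:", audit_stored_records([SAMPLE_AUTH_MESSAGE]))
    print("audit of the sanitized record:", audit_stored_records([safe]))
```

The sanitizer is the preventive control (the "breach that never happens" in Jones's letter: data that was never stored cannot be stolen from storage), and the audit is the detective control a merchant or its acquirer would run to verify the contractual obligation the article says only 40% of large retailers meet.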
What's most curious in all of this is that there are elements in the business community that recognize there is a problem here and have supported measures such as the bill that Jones has carefully crafted:
• Douglas Johnson, senior policy advisor for the American Bankers Association, said earlier this year that “Retailers need to be held to a higher standard; it’s as simple as that. If they are housing customer’s card data, they need to be held to the same security standards that we are. And if they have a problem with that, then I have a problem with them.”
• Minnesota recently enacted (in August) a similar law to what is on the table here in California. The Minnesota Bankers Association was supportive of that proposal.
• The Massachusetts Bankers Association, joined by other bankers’ associations, is the lead plaintiff in a lawsuit against TJX, identified in today's LA Times article as operating the T.J. Maxx and Marshalls discount chains, whose lax security resulted in hackers obtaining information on 46 million credit and debit cards. As Times reporter Lifsher points out, TJX settled the lawsuit stemming from that breach to the tune of $100 million.
• The President and CEO of VISA USA, John Philip Coghlan, believes strongly that retailers ought to do more to protect their data, thus making data breaches infrequent and minimally damaging. Mr. Coghlan said earlier this year that “the majority of compromises come from storage of prohibited data and using vulnerable systems to process data.”
• At the same VISA security summit earlier this year security expert Bryan Sartin with security service provider Cybertrust said “I’ve never seen an organization that’s compliant with PCI (the Payment Card Industry data security standards) that was at risk for a breach.”
Take a look at two quotes from the Massachusetts Bankers Association's press release about the TJX lawsuit:
"With the possible exception of the banks from California that could also decide to join us, our New England institutions have had the most exposure to this massive data breach."
“If we’re successful against TJX, the nation’s major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required.”
Governor Schwarzenegger should sign this important consumer protection legislation so that retailers are accountable for their actions. That's why 103 of 120 legislators in California voted for this bill. It's a matter of privacy of one's records, plain and simple. Without it, we are all naked when we shop at many stores and shops in California, and there's no excuse for that.
Comments
Let's look at roles and responsibilities.
The consumer is clearly the "owner" of their data including name, address, Social Security number, account numbers, credit card numbers, etc. One of the primary responsibilities of the data owner is to define what is required to protect the data they own.
Companies (retailers included) are "custodians" of the data they maintain belonging to the owner. Custodians are responsible for maintaining data at the direction of the owner.
Retailers and companies should not have any say about what protections are required, period. This is the responsibility of the owner.
The problem is that many data owners do not know what protections they want and are not willing to apply consequences in the event that the custodian fails in the care and protection of their data. Until this happens, companies will continue to lose data and not really care all that much about it. When a breach affects the wallet of the custodian, then change will happen.
TJX, Fidelity, TD Ameritrade, Citigroup, etc. laugh at the petty penalties and inconveniences of victim notification behind the scenes.
Posted by: The Breach Blog at October 2, 2007 08:29 PM
In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute "sensitive authentication data" that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)'s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. --Benjamin Wright, Dallas, Texas
Posted by: Benjamin Wright at October 4, 2007 09:24 AM
© 2008 California Progress Report