[Dataloss] California Data Breach Bill
Henry Brown
hbrown at knology.net
Fri Sep 14 09:22:42 UTC 2007
a followup:
http://tinyurl.com/3e4dtv
US state moves closer to passing data breach law
Jim Carr Sep 13 2007 09:38
California is a single signature away from passing a closely watched US
bill that would require retailers to reimburse banks and credit unions
for the costs of data breaches.
The California State Assembly this week unanimously ratified amendments
to its assembly bill added by the state senate a week ago.
The bill, known as the Consumer Data Protection Act, now requires just
the signature of California Governor Arnold Schwarzenegger to become law.
He is expected to sign the bill, and Keri Bailey, a state legislative
and regulatory lobbyist for the California Credit Union League, said if
he does - and he has until about mid-October to do so - California will
become the second state with such a law; Minnesota has already passed
similar legislation.
The latest California bill will have the same effect on data breach laws
as the state's data breach notification law, Mari Frank, an expert on
identity theft, said.
"Every time California has passed a privacy law, it has a ripple effect
across the country," said Frank. "California has taken the initiative on
all of these - it was the first state to pass security breach
legislation in 2003 - and California is one of few states that even has
privacy in its constitution."
The original bill mandated that a breached retailer or government agency
reimburse affected banks and credit unions for all costs incurred when
alerting customers of the breach and reissuing cards.
It also required retailers to disclose complete details about breaches
and explicitly prohibited retailers from retaining a variety of
authentication data stored on the magnetic stripes on the back of credit
and debit cards.
The amended bill narrows the scope of potential reimbursement liability,
noted Bailey. Merchants who suffer a breach but who followed accepted
security guidelines may be excused from reimbursing the financial
institutions impacted by a breach, she explained.
Reimbursement could have a significant negative impact on retailers who
suffer a breach, she said.