When Gov. Arnold Schwarzenegger this weekend vetoed Californias data breach bill, it was much more important than a single states governor veto. Much more important.
That bill would have made a California law mandating compliance with what is roughly the PCI requirements today. The bill doesnt mention the Payment Card Industry Data Security Standard (familiarly known in retail circles simply as PCI) by name, but the bills authors tried to mimic the current PCI requirements as much as practical.
It also would have forced retailers with breaches to reimburse banks for any replacement and related costs.
For the most part, this is very similar to a law passed by Minnesota. And only Minnesota and that is the point. Shortly after the TJX data breach—widely considered the worst ever data breach reported, where the credit card data of some 46 million consumers fell into unauthorized hands—many states tried passing similar anti-data breach laws, including Texas, Massachusetts and Connecticut.
All of those efforts fizzled at some point in their legislative process, often thanks to retail lobbying efforts that made the true—and convenient—argument that such a bill would likely penalize the multi-billion-dollar retailers of the world a lot less than they would hurt small retailers. Fearing that those mom-and-pop merchants would file their merchandise return requests at the ballot box, most legislators backed off.
Minnesotas passage was crucial to the movement, but it couldn’t stand alone. It needed several other states to do the same thing or else its laws wouldnt have much nationwide impact, As state after state backed off, most eyes were on California. The nations most populated state—which had already been the leader of data-breach notification laws—was the best shot of keeping the movement alive. In other words, if this could be made into law anywhere, it would be California.
But a lot more was at stake than merely getting a second state to fall in. Californias proposed law specified that California residents would be covered. This is opposed to merely saying that it only impacted stores in California.
By making the law cover the 37 million residents of California (remember that the total U.S. population is barely 300 million), it posed a legal challenge for retailers.
What rules does a Rite-Aid in Illinois have to follow? What if a California resident happens to be visiting Chicago and walks in to buy some shampoo and uses his credit card? Is the cashier supposed to ask what state the customer is from and code the transaction differently?
Even worse, what about a Rite-Aid in Minneapolis? If a San Jose resident walks into that pharmacy in the Twin Cities, which PCI-like set of rules is the store supposed to follow?
That kind of state conflict would place extreme pressure on the U.S. House of Representatives to pass federal legislation. Potentially, the federal courts could get involved and require some federal standard. And that is precisely what the industry needs.
Many retail IT execs very much want to invest more heavily in security, but they cant justify it in the true ROI (return-on-investment) sense. As weve noted many times before, the CFO has a fiduciary obligation to the board of directors and to shareholders to not approve any spending unless theres a clean argument why it will either generate more profits than it costs or why failing to spend that money will cost the company far more if anything goes wrong.
Without a federal law—which Congress has thus far given a very low priority—there is little incentive for retailers to truly invest in security. As the recent TJX settlement makes clear, the law does not prohibit retailers from acting recklessly with consumer data as long as the consumer doesnt lose any money. Current credit card zero-liability plans are quite effective at preventing that.
Identity theft is another issue, but the courts only recognize monetary loss. Federal legislation is needed for that and Californias bill was the last best shot for that.
Is the bill necessarily dead? Not quite. The bill had sailed through both the California Legislature and the Senate with overwhelming percentages, more than enough to over-ride the governors veto. Political realities in California make that unlikely but not impossible. As one California legislative aide involved in the discussions said on a recent night, “Its more than a theoretical possibility.”
But there are many likely scenarios. First, no one has successfully orchestrated a gubernatorial over-ride in California in decades. And the number of legislators who voted for the bill might slim down when the vote is instead an over-ride vote.
Schwarzenegger—now to be known in data security circles as Veto Corleone—also hinted that hed be open to signing the bill if it had some modifications made, so making a few minor tweaks to the bill and sending it back for signature might be more politically attractive. (Ill try and be strong and not have the bill telling the governor: “Ill be back.” Given that I found the strength to not say that Schwarzenegger terminated the bill, I should succeed.)
Of course, theres always the bigger legislative picture to consider. Some politicians might want to get the governors backing on some other priorities in exchange for not supporting an over-ride fight.
Thats apparently what happened, according to the California legislative aide, with this data-breach bill. The banking lobby had initially been supportive of the bill, but retail groups cut a deal where the retail groups agreed to back some higher-priority banking efforts in exchange for the bank lobbys support on this one.
Either way, the bill couldnt re-emerge in any form until Jan. 7, which likely means a decision no sooner than November.
In the meantime, though, data thieves can rest easy and celebrate. They might even buy a round or two for the celebrating retail lobbyists at the other end of the bar. They finally have something they can agree on: mandatory security rules are a bad thing.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.