
    The Ultimate Cyberthief Gift: California's Veto

    By Evan Schuman - October 16, 2007

      When Gov. Arnold Schwarzenegger this weekend vetoed California's data breach bill, it was much more important than a single state governor's veto. Much more important.

      That bill would have made a California law mandating compliance with what are roughly the PCI requirements today. The bill doesn't mention the Payment Card Industry Data Security Standard (familiarly known in retail circles simply as PCI) by name, but the bill's authors tried to mimic the current PCI requirements as much as practical.

      It also would have forced retailers with breaches to reimburse banks for any replacement and related costs.

      For the most part, this is very similar to a law passed by Minnesota. And only Minnesota, and that is the point. Shortly after the TJX data breach—widely considered the worst data breach ever reported, where the credit card data of some 46 million consumers fell into unauthorized hands—many states tried passing similar anti-data breach laws, including Texas, Massachusetts and Connecticut.

      All of those efforts fizzled at some point in their legislative process, often thanks to retail lobbying efforts that made the true—and convenient—argument that such a bill would likely penalize the multi-billion-dollar retailers of the world a lot less than it would hurt small retailers. Fearing that those mom-and-pop merchants would file their merchandise return requests at the ballot box, most legislators backed off.

      Minnesota's passage was crucial to the movement, but it couldn't stand alone. It needed several other states to do the same thing or else its laws wouldn't have much nationwide impact. As state after state backed off, most eyes were on California. The nation's most populated state—which had already been the leader of data-breach notification laws—was the best shot of keeping the movement alive. In other words, if this could be made into law anywhere, it would be California.

      But a lot more was at stake than merely getting a second state to fall in. California's proposed law specified that California residents would be covered. This is as opposed to merely saying that it only impacted stores in California.

      By making the law cover the 37 million residents of California (remember that the total U.S. population is barely 300 million), it posed a legal challenge for retailers.


      What rules does a Rite-Aid in Illinois have to follow? What if a California resident happens to be visiting Chicago and walks in to buy some shampoo and uses his credit card? Is the cashier supposed to ask what state the customer is from and code the transaction differently?

      Even worse, what about a Rite-Aid in Minneapolis? If a San Jose resident walks into that pharmacy in the Twin Cities, which PCI-like set of rules is the store supposed to follow?

      That kind of state conflict would place extreme pressure on the U.S. House of Representatives to pass federal legislation. Potentially, the federal courts could get involved and require some federal standard. And that is precisely what the industry needs.

      Many retail IT execs very much want to invest more heavily in security, but they can't justify it in the true ROI (return-on-investment) sense. As we've noted many times before, the CFO has a fiduciary obligation to the board of directors and to shareholders to not approve any spending unless there's a clean argument why it will either generate more profits than it costs or why failing to spend that money will cost the company far more if anything goes wrong.

      Without a federal law—which Congress has thus far given a very low priority—there is little incentive for retailers to truly invest in security. As the recent TJX settlement makes clear, the law does not prohibit retailers from acting recklessly with consumer data as long as the consumer doesn't lose any money. Current credit card zero-liability plans are quite effective at preventing that.

      Identity theft is another issue, but the courts only recognize monetary loss. Federal legislation is needed for that, and California's bill was the last best shot for that.

      Is the bill necessarily dead? Not quite. The bill had sailed through both the California Legislature and the Senate with overwhelming percentages, more than enough to over-ride the governor's veto. Political realities in California make that unlikely but not impossible. As one California legislative aide involved in the discussions said on a recent night, “It's more than a theoretical possibility.”

      But there are many likely scenarios. First, no one has successfully orchestrated a gubernatorial over-ride in California in decades. And the number of legislators who voted for the bill might slim down when the vote is instead an over-ride vote.

      Schwarzenegger—now to be known in data security circles as Veto Corleone—also hinted that he'd be open to signing the bill if it had some modifications made, so making a few minor tweaks to the bill and sending it back for signature might be more politically attractive. (I'll try and be strong and not have the bill telling the governor: “I'll be back.” Given that I found the strength to not say that Schwarzenegger terminated the bill, I should succeed.)

      Of course, there's always the bigger legislative picture to consider. Some politicians might want to get the governor's backing on some other priorities in exchange for not supporting an over-ride fight.

      That's apparently what happened, according to the California legislative aide, with this data-breach bill. The banking lobby had initially been supportive of the bill, but retail groups cut a deal where the retail groups agreed to back some higher-priority banking efforts in exchange for the bank lobby's support on this one.

      Either way, the bill couldn't re-emerge in any form until Jan. 7, which likely means a decision no sooner than November.

      In the meantime, though, data thieves can rest easy and celebrate. They might even buy a round or two for the celebrating retail lobbyists at the other end of the bar. They finally have something they can agree on: mandatory security rules are a bad thing.

      Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan.Schuman@ziffdavisenterprise.com.


      Evan Schuman
      Evan Schuman is the editor of CIOInsight.com's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at Evan.Schuman@ziffdavisenterprise.com.