California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted by Charlene Brownlee California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach. Schwarzenegger vetoed AB 779 based on objections to the broad scope of the law and the excessive cost and burden for compliance for small businesses. The Governor also deferred to industry regulation, noting in a veto statement that industry is better equipped than lawmakers to evaluate the need for higher standards. Minnesota remains the only state which has, to date, codified or increased the compliance requirements of the Payment Card Industry Data Security Standard. Minnesota’s Plastic Card Security Act, effective August 1, 2007, amending Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.