New Data Security Breach Law Moves Through California Legislature

In 2002, California passed the nation's first data breach notification statute, SB 1386, which has since been copied by states around the country. Now, a new bill is making its way through the California legislature, this one significantly modifying the provisions of SB 1386 by mandating that retailers who suffer data security breaches to reimburse banks and credit unions for the cost of issuing new cards to their customers. Predictably, as described in this article, groups representing retailers are opposing the bill, which, if it passes could become a model for similar bills around the country (by comparison, 39 states have enacted data breach notification laws similar to SB 1386). Thus far, laws shifting costs for replacing cards from banks and credit unions to retailers have been defeated in Texas, Massachusetts, and Connecticut, though one has passed in Minnesota, thank, in part, to the TJX breach. Whether that breach will be enough to carry the bill in California is an open question, but, if it does, it will usher in a brave new world in which the risks to retailers of data security breaches would be substantially larger than they are now.