Thursday, September 13, 2007
Major Change to California Law Regarding Security Breaches Coming
Back in July, I wrote about a proposed California law which would require merchants who suffer data security breaches (think TJX) to reimburse financial institutions for the cost of replacing credit cards for people whose information is stolen (link here). Now, according to this article from Computerworld, that bill has passed the California Senate and awaits signature by Governor Schwarzenegger. The law has had some changes as it moved through the legislature, though. For example, a new provision has been added which would allow a merchant to be excused from some or all of the costs of card replacement if it can show it was in compliance with all security requirements at the time of the breach. However, the main focus of the law, shifting costs from merchants to banks, remains intact. According to the Computerworld article, if signed, the law is expected to have the same ripple effect that California's SB 1386 had on security breach notification in general.