Tuesday, October 16, 2007
Schwarzenegger Rejects New Data Breach Law
The proposed legislation I wrote about here and here, which would have made retailers in California liable for the cost of replacing credit cards of individuals whose data is exposed in the event of a security breach, was vetoed by Governor Schwarzenegger (details in this article from Computer World). In explaining his veto, Schwarzenegger cited private sector efforts to address the risk of data breaches, such as the PCI DSS, and stated that those efforts showed that private actors were well placed to handle this issue without government involvement. Whether you buy that reasoning or not, the bottom line is that the bill is dead, at least for now (though its proponents have vowed to keep fighting). This leaves Minnesota as the only state with a data breach notification law that shifts the costs of card replacement from financial institutions to retailers.