California data protection law vetoed.
by Swartz, Nikki
California Gov. Arnold Schwarzenegger recently vetoed what would
have been one of the nation's most stringent retail data breach
security laws, saying he believed the bill would have resulted in higher
compliance costs for small businesses.
According to media sources, the proposed California law (AB 779)
would have required retailers to protect data in a manner more stringent
than what the current Payment Card Industry Data Security Standard
requires.
According to eweek.com, the bill would have banned the retention of
sensitive consumer data except for businesses with a payment
data retention and disposal policy. Even then, the bill would have
allowed little data to be stored after a purchase because it also
restricted the storage of "sensitive authentication data subsequent
to authorization, even if that data is encrypted."
Schwarzenegger said he was open to a reworked version of the bill,
saying, "I encourage the author and the industry to work together
on a more balanced legislative approach." However, he said the
current version of the bill "attempts to legislate in an area where
the marketplace has already assigned responsibilities and liabilities
that provide for the protection of consumers. In addition, the Payment
Card Industry has already established minimum data security standards
when storing, processing, or transmitting credit or debit cardholder
information."
The governor also said that the bill contained too many
ambiguities, failing to clearly define which business or agency
"owns" or "licenses" data, and when that business or
agency gives up its legal responsibility as the owner or licensee.
The bill's author said the governor caved in to pressure from
the retail community. "Big business, hackers, and ID thieves won
today, and consumers and common sense lost," said Assemblyman Dave
Jones (D-Sacramento). "I'm shocked and disappointed that the
governor thinks our personal information should be left out in the open
for identity thieves and hackers to pilfer. If your slack security leads
to a data breach, then you ought to pay for what you caused."
Eweek.com said the bill had passed the 40-member state senate in a
30-6 vote and had earlier unanimously passed the assembly 73-0, so it is
possible legislators could try to get the two-thirds majority in each body
needed to override the veto. But no such plans had been announced as the
IMJ went to press.
COPYRIGHT 2008 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.