Schwarzenegger vetoes data breach liability bill

SACRAMENTO, Calif. - Gov. Arnold Schwarzenegger has vetoed Assembly Bill 779, a measure that, among other things, would have made restaurateurs and other merchants liable for the cost of replacing credit and debit cards and notifying consumers when cardholder information is stolen from a business. The bill had been opposed by the California Restaurant Association and other business groups.

Schwarzenegger said the private sector, through such mechanisms as the Payment Card Industry Data Security Standards, or PCI DSS, already has the guidelines and contractual means to best protect cardholder data. The proposed California law, with provisions mirroring some data-handling requirements of PCI DSS, had the potential to needlessly increase costs for small businesses, he indicated.

The measure’s author, Assemblyman Dave Jones, D-Sacramento, expressed disappointment over the veto of his bipartisan bill, which was approved 73-0 in the 80-member Assembly and 30-6 in the 40-person Senate. He indicated that arguments that the private sector can best protect consumer credit information overlooked the fact that many merchants are not yet compliant with the PCI DSS.

Robert Herrell, Jones’ legislative director, said at press time that the assemblyman was undecided about whether to pursue the two-thirds majority votes needed in the Assembly and Senate to override the governor’s veto.

The California bill, and a similar measure that was signed into law in Minnesota earlier this year, were inspired by recent data breaches, including the hacking of data systems managed by retailer TJX Cos. that put millions of cardholders at risk.