By Laura Mahoney
Feb. 19 --As Congress weighs national rules for data breaches and the payment card industry gets closer to adopting more secure card technology, California lawmakers should consider strengthening state enforcement tools and penalties for consumer data breaches, witnesses told an Assembly oversight panel Feb. 18.
Representatives of the California Bankers Association (CBA), Visa Inc., MasterCard Inc., the California Retailers Association (CRA) and consumer groups said lawmakers shouldn't mandate specific technology in response to data breaches at retailers Target Corp. and Neiman Marcus Group Ltd. .
Instead, lawmakers should raise the stakes for hackers and criminals who steal data, they said at the joint hearing of the Assembly Judiciary and Banking & Finance committees.
“It's important to consider why the data breaches occur and what perpetrators get out of them,” CRA President Bill Dombrowski said. “If breaches become less profitable for the criminals then they will commit less resources to them.”
Meanwhile, two bills that would tweak data breach notice requirements in California are pending.
Financial institutions are mostly on track to meet an October 2015 deadline set by MasterCard, Visa and American Express Co. to begin using payment cards with embedded chips that also require the user to enter a personal identification number when making a transaction--chip and PIN cards--to improve security against fraudulent point-of-sale transactions, CBA Vice President Alex Alanis said.
The shift to the new technology carries with it a shift in liability, so that the party with the least secure technology would be liable for the costs of fraud, whether it is the retailer or the card issuer, he said. That shift is motivating financial institutions to meet the October 2015 deadline, Alanis said.
However, specific technology requirements placed in the law become “a roadmap for fraudsters,” he said.
Although California in 2002 became the first state to adopt a consumer data breach notification law (1 PVLR 1180, 10/7/02), the law should be updated, Lee Tien, a senior attorney with the Electronic Frontier Foundation, told lawmakers.
The California statute exempts the holders of data from notifying consumers of breaches if the data were encrypted. When the law was passed, the exemption was considered an incentive for retailers and others to encrypt data, he said.
Since then, many breaches have occurred with encrypted data, and therefore consumers haven't been notified, Tien said. The encryption exemption is clearly outdated, he said.
More laws and rules are less important than enforcement and compliance under current rules, he said.
“All the standards are worthless and deceptive to the public if no one is suing or litigating or taking action against the companies that are not safeguarding the data,” Tien said.
Jamie Court, president of the group Consumer Watchdog, said lawmakers should go farther and enact a measure to punish those who compromise financial information with the same tools that now apply to medical information.
Under his proposal, the data breach notice law would be changed to require immediate notification of consumers even if law enforcement agencies are investigating the breach rather than allowing for a delay if law enforcement requested one while it investigated an incident.
In addition, he proposed that minimum security standards be added and limits be set on collection and retention of data. Under his proposal, entities that violate the law would face fines of $1,000 per consumer, and individuals would have a private right of action to sue organizations that mishandle their data.
Norma Garcia, senior attorney at Consumers Union, said the group supports fast-track replacement of outdated technology to increase security at point-of-sale terminals, vigorous investigation and prosecution of data thieves.
The group favors federal standards for data breach notification as a floor that would allow states to go further.
Assemblymen Roger Dickinson (D) and Bob Wieckowski (D), chairs of the Banking & Finance and Judiciary committees, respectively, Feb. 13 introduced a bill (A.B. 1710) to make changes to the data breach notification law.
So far the bill makes only minor nonsubstantive technical changes, but the lawmakers said they are considering amendments.
In addition, Sen. Hannah-Beth Jackson (D) has introduced a bill (S.B. 383) to tighten consumer privacy in credit card transactions. The bill passed the Senate Jan. 30 and is pending in the Senate.
S.B. 383 would amend the Song-Beverly Credit Card Act.
To contact the reporter on this story: Laura Mahoney in Sacramento, Calif., at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Committee summaries of the issues raised in the hearing are available at http://ajud.assembly.ca.gov/sites/ajud.assembly.ca.gov/files/reports/Data%20Breach%20Background%20Paper%20Final.pdf and http://abnk.assembly.ca.gov/sites/abnk.assembly.ca.gov/files/B%26F%20Breach%20Background.pdf.
A.B. 1710, as introduced, is available at http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_1701-1750/ab_1710_bill_20140213_introduced.pdf.
S.B. 383, as amended and passed by the Senate, is available at http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_0351-0400/sb_383_bill_20140128_amended_sen_v96.pdf.
To view additional stories from Privacy & Security Law Report® register for a free trial now