Tuesday, October 2, 2007

Retailers lobbying hard against AB 779

AB 779 - Jones' data protection bill - continues to get a lot of press coverage. To no ones surprise, the LA Times reported today that there is some heavy lobbying of the Governor going on by the retail industry.

The bill would help reduce incidences of identity theft by requiring businesses to take steps to safeguard consumer financial information, including encrypting computer records to avoid hacking, disposal of these records promptly and safely, and would prohibit businesses from storing customer credit card or debit card pin numbers and security codes. This year, the parent company that owns TJ Maxx and Marshalls stores acknowledged that 45 million credit card and debit card records were hacked from inadequately secured store computers by ID thieves sitting in parking lots outside stores.

Marc Lifsher reports:

"Going to the mall simply should not be identity theft Russian roulette," said the bill's author, Assemblyman Dave Jones (D-Sacramento). "What's happening is that retailers are keeping the credit and debit card information, and it is available to hackers and other identity thieves, who perpetrate fraud." He said that only about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies.


Credit unions support the bill, but most large business trade groups are asking the governor for a veto. Jeanne Cain, a lobbyist with the California Chamber of Commerce, said the bill would make retailers potentially liable in lawsuits even if they fully complied with its security conditions.

Frank Russo of the California Progress Report points out the fact that though the bill was overwhelmingly approved by the California Legislature, its fate is still uncertain:

It received its final passage in the Assembly 73-0 in September with 47 of 48 Democrats in support and 26 of 32 Republicans voting for it. Before its final amendments it had previously passed the Assembly in June on a 58-2 vote. It passed the California State Senate on a 30 to 6 vote with the support of 22 of 25 Democrats and 8 of those often difficult 15 Republican Senators.

Its author, Assemblymember Dave Jones, worked with a number of groups to make sure that it was a workable law, and the bill won the support of an impressive array of those from consumer, business, and law enforcement fighting identity theft and the abuses of the retail industry that does not comply with contracts they have made with credit card companies. Sponsored by the California Credit Union League, it is supported by Consumers Union, the Los Angeles County District Attorney’s office, Los Angeles County Sheriff’s Department, the Consumer Federation of California, Privacy Rights Clearinghouse, the California State Employees Association, AFSCME – American Federation of State, County and Municipal Employees, the California Public Interest Group (CalPIRG), and the Sacramento County Sheriff’s Department, to name a few. The LA Times, San Francisco Chronicle, and Riverside Press Enterprise editorialized in support of the bill, recognizing its importance.

Yet its fate is uncertain because of a massive behind the scenes lobbying effort by the California Retailers Association and the California Chamber of Commerce.


A number of bad apples amongst California's retailers have a shoddy, shocking record of performance here--one that cannot withstand the light of day. Here is what Jones told the Governor in his letter asking for a signature so that this bill can become law:

"According to recent information published by Visa, which helped write the data security standards, only 40% of our largest retailers are following the PCI standards, despite the fact that they are currently contractually obligated to do so. As a result consumers are put at risk of data breaches, credit and debit card fraud, and ID theft. And financial institutions also bear the substantial costs of notifying consumers and reissuing compromised credit and debit cards, all because common-sense rules aren’t being followed by retail establishments. The best data breach is one that never happens – AB 779 will prevent data breaches, pure and simple."

1 comment:

Ben Wright said...

In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute "sensitive authentication data" that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)'s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. See detailed analysis at hack-igations --Benjamin Wright, Dallas, Texas