The Golden State led the way with its seminal 1386 bill, the mother of all data breach laws, and California lawmakers continue to push the issue with new regulations that seek to extend protection for banks and card-issuers. Will others follow?

If it weren’t for California 1386 and ChoicePoint, would we all be talking so much about data breaches these days? Maybe, but maybe not.

I’ll never forget writing that first ChoicePoint breach story back in mid-Feb. 2005. It was one of those news items that really made you scratch your head and question how much such an event could potentially impact your own life. I remember wondering how long this type of thing had been going on, how few were actually being reported, and how long it would be until someone subverted my identity. A hop, skip, VA vet debacle and TJX Companies later, the consumer data-handling topic couldn’t seem more relevant. As we sit here reading, tomorrow marks the deadline for the White House’s mandate for federal agencies to clean up their own data processing and retention activities. Progress is arguably being made.

But if it weren’t for 1386 — which was first introduced by California State Senator Steve Peace in 2002 — we might not even be focused on the problem. (If you believe Wikipedia, it’s interesting to note that Peace maintained a career writing, producing and acting in the “Attack of the Killer Tomatoes” movie series, among others, before jumping into politics. I think we all dream of making such landmark civic and cultural contributions to society; don’t we? I do!)

Anyway, California lawmakers are back at it, trying to lead the way. With some 38 U.S. states having followed suit and passed their own breach notification laws, now the Golden State gang has a new bill you might want to consider.

Earlier this month, California bill AB 779 was passed near-unanimously in both the State Senate and State Assembly, and it now sits on the Governator’s desk, awaiting the prodigious force of his personal stamp of approval. (779 was authored by Calif. Assemblyman Dave Jones. Considering Peace’s former employment, you have to wonder, it couldn’t be that Davy Jones, right? Though, he’s from Sacramento, not Clarksville, apparently.) At the center of the bill is a requirement that would force retailers like TJX Companies to reimburse banks and credit unions for any expenses those firms are forced to endure as a result of a data breach — namely for re-issuing credit and debit cards to those customers whose accounts have been exposed. Sounds fair enough, and other states are again expected to follow suit.

Industry watchers of all sorts are taking interest in this one, as, if the law spreads a la 1386, it could truly force retailers to improve their operations. Consider, after all, that TJX reported increased in-store sales after its breach, despite all the media hoopla. (Although some believe the firm will cough up roughly $1 billion in penalties once all its class-action suits, etc. are resolved.)

Javelin Strategy Analyst Rachael Kim notes that 779-type laws could help advance the PCI DSS regulation, which is also aimed at helping card issuers force retailers to better protect account data.

“What I find particularly interesting is the fact that this particular bill actually codifies the PCI DSS, prohibiting retailers and other merchants from storing sensitive authentication data, in addition to requiring merchants to use strong encryption and access controls,” Kim wrote in a recent blog post.

She continues: “What I’d like to know is whether or not a PCI compliant merchant is provided with safe harbor — meaning that if they are indeed compliant with the PCI standards but experience a security breach, they will not have to cover issuer costs of notifying customers and reissuing cards. This has not yet been clarified. In my opinion, a PCI-compliant merchant should not have to cover these costs, as they’ve been doing everything they can to protect customer data (after all, the PCI standards are data security ‘best practices,’ are they not?).”

It’s certainly interesting food for thought.

In the end, it sounds like we have to thank our Californian neighbors for again leading the charge in this arena. Meanwhile, I’m holding out for Hollywood to produce “Attack of the Killer Data Incident.”