Just Who Should Pay for Data Breaches...and How?
As a lifelong resident of California I’d be the first to admit that state politics on the left coast can sometimes be a little peculiar.
Last month with the Governor and the Legislature at their traditional impasse over the state budget, the Governor was threatening to veto the budget AND more than 900 other bills if the Legislature voted to over-ride his budget veto. Finally, on September 18 the governor and the legislature agreed on a budget (80 days late). With this piece of business out of the way, Governor Schwarzenegger turned his attention to processing the 896 bills passed by the legislature in the wake of the budget deal.
Unfortunately, this didn’t leave the governor enough time to do the standard due diligence on which bills to sign or veto. In California the governor must do one or other as we have a sort of “reverse pocket veto” law that means that any bill not proactively vetoed becomes law. So, last week saw our governor vetoing bills at a rate that was projected to surpass his own record of more than 300 for the year. The governor was vetoing so many bills that he didn’t have time to explain his reasoning for most of them. Presumably he’ll have a chance and explain to the California electorate his reasoning for negating the work of both houses of the state legislature on more than 1/3 of the bills they sent to him last month.
One of the vetoes Governor Schwarzenegger DID explain was AB 1656 known as the Consumer Data Protection Act. This is actually the second time the governor has vetoed essentially the same bill having done so last year as well. In explaining the veto, the governor explained, "As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers." The governor also explained that he believed current industry “best practices” were both adequate and would be able to evolve more quickly if merchants were not required by statute to protect confidential information in specific ways. Finally, the governor asserted his belief that the bill would saddle merchants (and the state) with unacceptable costs in the event of a data breach.
On the face of it this seems like a credible explanation, but the more I looked into the bill and its supporters, I think there’s actually a more subtle issue at stake here that neither the bill's supporters nor opponents wish to debate directly. Essentially there are two lobbying groups promoting their constituencies commercial interests on either side of AB 1656.
On one side we have the state’s Credit Unions represented by the California Credit Union League (CCUL). The CCUL member institutions (like many commercial banks) issue credit cards to their members and under the federal Gramm-Leach-Bliley Act bear most of the cost of notifying card holders in the event of a breach, reissuing new cards, and providing restitution to card holders that lose assets due to the breach. The problem with this model is that data breaches are rarely caused by the card issuing banks and credit unions. Many breaches occur because of security lapses on the part of the merchants that accept credit cards. What the CCUL and other supporters of AB 1656 are actually trying to do is to shift the costs of dealing with data breaches upstream to the retailers frequently responsible for them.
On the other side of the AB 1656 debate we have the California Retailers Association (CRA) and a host of other merchant advocacy groups. The retailer’s position is that they already paying their fare share of breach remediation in the processing fees they pay to the card issuers on each transaction and there’s some logic to their argument. What bothers me about this is that it still leaves the issuers with ultimate liability for events over which they have only indirect control. Issuers typically have the right to cancel a merchant if their fraud rate exceeds a negotiated threshold or the merchant fails to comply with other contractual terms. So the CRA’s position is that this issue is better dealt with contractually than via legislation.
I’m guessing the reason this issue is being led by the CCUL (and not the leading card issuing banks) is that they have much less leverage with the merchant community, particularly the big chains that make up the majority of transactions. They are, therefore, more exposed to big losses and less able to absorb them in the event of a large breach.
I don’t honestly know what the best way of assigning liability in these cases is, but as I noted above, the status quo doesn’t seem entirely just, nor does it appear to provide sufficient motivation for the merchants to do everything required to protect their customer’s confidential information. Fortunately, we’ll have a relatively clean set of test data available soon as Minnesota passed a very similar bill known as the Plastic Card Security Act. So hopefully we’ll be able to revisit this topic in a year or so and objectively assess whether legislation or negotiation leads to the best solution.