California Governor Arnold Schwarzenegger has vetoed a stringent data protection bill that would have made merchants, not banks, responsible for reissuing credit cards and alerting customers following a breach.The veto of the Consumer Data Protection Act, which only weeks earlier had unanimously passed the California State Assembly, also would have required breach notification letters to include details on who lost the data and what type of information was stolen.
"Legislators felt people have a right to know who is not doing a good job protecting their information," Bob Arnould, senior vice president of government affairs at the California Credit Union League, said.
But a powerful coalition — including the state Retailers Association, Chamber of Commerce and Bankers Association — actively petitioned the governor to veto the legislation.
Schwarzenegger, said in a message to the assembly that he decided to veto the measure because guidelines already exist that mandate merchants to protect cardholder data.
"This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," he said. "In addition, the Payment Card Industry (PCI) has already established minimum data security standards when storing, processing or transmitting credit or debit cardholder information."
Arnould said the measure would have more teeth than PCI [standards], the enforcement of which is left up to the card brands, such as Visa and MasterCard.
"The reason that legislation is needed is a majority of retailers are thumbing their noses at PCI standards and not complying," Arnould said. "They decided they're going to save a buck and not protect people's data. Government is probably the only entity that is going to be able to solve the problem."