California gets serious about data breach
The California assembly committee recently passed a bill that will affect all companies doing business in California. Among other businesses, it will have a serious impact on credit card companies, banks, and financial institutions that handle users’ personal data. The bill will move to the Assembly Business and Professions Committee for a hearing on April 24. According to
The Data Breach Notification Bill, Assembly Bill 779, was approved Tuesday by the state Assembly Judiciary Committee with an 8-2 vote. The bill, authored by committee chairman Assemblyman Dave Jones (D-Sacramento), seeks to improve data security by requiring accountability and reimbursement of affected parties if a data breach occurs. [Source: BizJournals]
It’s interesting that the California Credit Union League supports the bill, while the California Bankers Association, the California Mortgage Bankers Association, and the state’s financial services, grocers, retailers and restaurant associations all oppose it. Of course, these businesses don’t want to be held responsible for their lack of security and would prefer to continue doing business the way they have for decades.
Here’s a portion of the Assembly Bill (AB 779).
Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
You can read the entire bill here.
Zubair: In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute “sensitive authentication data” that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)’s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. –Benjamin Wright, Dallas, Texas
Benjamin! When lawmakers write legislation that deals with technology there always seems to be room for improvement, especially where the Internet is involved. Even the Supreme Court’s carefully drafted rulings are challenged by attorneys. Your point is well taken. Thanks for your feedback. (Zubair Alexander)