In a previous post, I asked why Minnesota was still the only state with a PCI DSS law. California may be about to become state number two.
Last year, California’s legislature passed AB 779, but Governor Schwarzenegger vetoed it. Explaining his veto, Schwarzenegger said that the bill tried to legislate areas that were better left to industry self-regulation. He also complained about some definitional problems in the bill (for example, that the bill didn’t adequately define the “owner or licenser” of data).
The bill is back. AB 1656, amended to address some of Governor Schwarzenegger’s concerns, passed the California Senate 34-3 and the Assembly 74-1.
As with Minnesota’s law and the previous version of the California bill, this version would forbid storing full-track payment card data. This year’s bill includes a new exception for “the sole purpose of processing ongoing or recurring payments.”
But the biggest change is in card handlers’ liability. The amended bill creates liability for the cost of notifying customers:
SEC. 3. Section 1724.6 is added to the Civil Code, to read:
1724.6. Any person, business, or agency subject to Section 1724.4 required to give the notice described in subdivision (a) of Section 1724.5 shall be liable to the owner or licensee of the information for the actual costs of any consumer notification provided by the owner or licensee pursuant to Section 1798.29 or 1798.82.
Compare this to the old version of the bill, which allowed damages for the costs of notifying customers and for issuing new cards:
Sec. 2, § 1724.5
(d) (1) In addition, a person, business, or agency subject to Section 1724.4 shall be liable to the owner or licensee of the information for the reimbursement of all reasonable and actual costs of providing notice to consumers pursuant to the breach as required by subdivision (a) of Section 1798.29 or subdivision (a) of Section 1798.82 and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system.
(Emphasis mine.)
The removal of damages for card replacement is a big concession to merchants. Replacing cards can be vastly more expensive than giving notice to consumers. Notice probably* won’t cost more than $250,000, because California’s breach notification law allows substitute notice if the cost of written or electronic notice would be more than that. But the cost of reissuing cards after a large breach can be huge. For example, TJX recently agreed to pay $65 million to card issuers as settlement for the cost of reissuing cards after its breach.
*I say “probably” because California’s data breach notification law says that notice may be given by substitute notice, but it doesn’t have to be. Could an issuer notify its customers in writing even though it would be allowed to give substitute notice, and still get the cost back as damages? Probably not (the loss avoidance doctrine would seem to apply here), but an issuer might successfully argue that substitute notice was inadequate for some reason.
Although Minnesota’s law came first, California is the trendsetter. Its data breach notification law spurred a host of similar laws in other states, and some people think a California payment card law could do the same. If so, it will be interesting to watch whether these states follow the model of California’s bill, Minnesota’s, or some combination of the two.