Governor Schwarzenegger vetoed California’s second attempt at a payment card law yesterday. Even though the bill passed by overwhelming margins, AB 1656 fell victim to one of Schwarzenegger’s record-setting 415 vetoes.
The bill did, however, escape the boilerplate veto message many bills got. Schwarzenegger again said that the marketplace did enough to protect consumers, and complained that the bill required notification even without evidence that the data has been misused:
As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.
Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means. However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state. In addition, by locking in today’s best practices, AB 1656 would assure that the law remains static in the face of future, unseen concerns. Moreover, this bill would create a disincentive for businesses to adhere to new, more comprehensive, industry standards.
Existing law already contains a comprehensive penalty scheme for identity theft that details with great particularity the numerous ways in which it can occur, and imposes criminal sanctions. These provisions cover both identity thieves and retailers who are complicit in their crimes. If existing penalties are inadequate to properly deter would-be identity thieves, the proper response would be to enhance these penalties..
I’m not sure that the requirement for “notification even where no information was obtained improperly” is new in AB 1656. It adds requirements for what must be reported, but the criteria for notification are set in California Civil Code sections 1798.29(b) and 1798.82(b), which require notification if “personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” AB 1656 did not change this language. One might wonder what would have happened in 2002 to SB 1386 had Schwarzenegger, not Gray Davis, been governor.
It’s also arguable whether the marketplace alone does enough to dissuade data loss or compensate harms. One of the financial costs of large-scale credit card thefts is the issuing banks’ expenses in reissuing all those lost credit cards. Agreements between the issuers and card brands allow the issuers to reallocate losses, but these do not cover all an issuer’s costs. Although a recent appellate decision reopened the possibility of recovering under the third-party beneficiary contract theory, efforts of issuers to recoup their expenses have so far failed. That was part of the motivation for this bill.
Governor Schwarzenegger is on somewhat firmer ground when he points out the problems in legislating specific technical requirements. It’s a challenge the Minnesota payment card law faced with only partial success. Still, California’s bill didn’t seem to pose too many of the problems listed in the veto statement. It doesn’t get tied down to particular physical formats, or too-specifically define a PIN or verification code the way the Minnesota bill does. It applies to “payment-related data” and data from a “payment card or other payment-related device.” This is not the kind of language likely to require a legislative revisit each year.
This bill was a weakened version of a bill sent to Governor Schwarzenegger’s desk last year. Will the California legislature try again next year? The large margins by which AB 1656 passed—only four people in the California legislature voted against it—suggest that the legislature is very interested in updating its data breach law. But this veto raises the question: would Governor Schwarzenegger sign any version of this bill, no matter how weakened?
Chances of an override look slim—last year’s bill also passed by similarly large margins, well above the two-thirds majority needed to override a veto in California, but no override vote ever happened. With a record-setting 415 vetoes this year, AB 1656 probably won’t get enough attention for an override.
Better luck next year.
