California's Proposed Cyber-Crime Legislation Could Resurface in 2010

A recently vetoed California bill aimed at protecting consumers’ credit card information online may resurface in 2010, according to the state senator who drafted the measure.

Earlier this month, Gov. Arnold Schwarzenegger vetoed SB20, written by State Sen. Joe Simitian (D–Palo Alto). It would have updated a 2002 law that required businesses to give more-detailed information to consumers when they lose consumers’ information such as credit card numbers. More than 40 other states, including Nevada and Massachusetts, have similar laws on their books. Retailers are a frequent target of cyber criminals, according to a 2009 study by communications company Verizon Business, which found that 30 percent of all cyber crime occurs through the retail industry.

In Schwarzenegger’s Oct. 11 veto message, he wrote that the bill would place more burdens on businesses without giving more help to consumers. Simitian said he probably would reintroduce the bill to the Senate in early 2010.He also hoped to talk over with the Schwarzenegger administration about what went wrong.

“It was one of the most surprising vetoes I’ve gotten in nine years in the legislature,” Simitian said. “There were no amendments from the business community. There was no cost to the state.”

Simitian wrote the United States’ first data-breach law in 2002. It required businesses to notify their consumers that their information was lost after they experienced a security breach.

The updated law would have demanded companies notify consumers on what specific information was lost and the manner it was lost. It also would have required businesses to notify the state attorney general’s office when information on more than 500 California consumers is lost in a single incident.

Simitian said providing some extra details on a security breach would not put any extra costs on businesses. “The only additional burden would be sending one more e-mail notice to the state attorney general. If you are sending out 50,000 notices, one extra e-mail does not hit me as a burden.”

Weigh the costs

Attorney Christine Lyon said she doubts that businesses would incur direct costs from following the requirements of SB20. Lyon specializes in privacy issues for law firm Morrison Foerster in Palo Alto, Calif. However, she said, tracking down the information lost in a security breach might prove painful to businesses.

It often takes weeks, sometimes months, for forensic information-technology teams to track down all of the particulars of how a breach happened, who was affected and other information requested by SB20.

The general cost of a security breach can cause damage to a company. Michigan-based security company Ponemon Institute estimated that a single security breach costs a company $6.6 million, or $202 per record.

A security breach also can damage public trust in a company, according to a 2007 study reported by Pleasanton, Calif.–based payment-services industry consultants Javelin Strategy & Research.

It found 85 percent of consumers surveyed said they would be more likely to increase their shopping at a store if they knew it maintained an excellent record in protecting their personal data. In addition, 78 percent said they would most likely stop shopping at a store if it experienced a data breach.

If a retailer experiences a security breach, Lyon recommended taking the following steps.

Find out where security was compromised and stop the hacking.

Contact an attorney and find out what laws and steps need to be followed to notify people of the breach.

Contact your merchant bank and review your responsibilities spelled out in your contract with them.

The California Office of Privacy Protection also offers a publication on dealing with security breaches:

There are other steps that can be taken to prevent a security breach. One is to collect the bare minimum of information and then get rid of it quickly. Another trend gaining popularity has been retailers encrypting personal information on their consumers. The state of Nevada passed a law requiring businesses to encrypt their consumers’ personal information. “It’s a best practice,” Lyon said. “Now it also is a legal requirement.”

As long as security technology improves, it will be the job of the retailer to repel cyber crooks with the latest programs, according to Jordan Rubin, a representative for Merchant Risk Council, a Seattle-based trade organization focusing on electronic commerce risk. “We stress to our members that compliance does not always equate to security. We encourage our retail merchants to go the extra mile in securing and protecting consumer data,” he said.