Governator Kills Data Protection Law

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."

Subscriptions

[mastershake_phd (1050150)]

But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
 
What about automatically recurring bills, like web hosting.

Re:

[GomezAdams (679726)]

The bill was directed to retailers. Is your ISP a retailer? The article is not all that clear about the target but by 'retailer' it seems this is about the local iHop, No-Tell Hotel, or Victoria's Secret storing your credit card and any address, phone number, SS# info way past the authorization cycle. Having a mortgage, auto payments, and a monthly charge for services (I pay an annual fee for my web hosting) would be normal usage of customer data, but a retailer does not require any bank/credit card info a

Re:

[multisync (218450)]

but a retailer does not require any bank/credit card info after they receive the money for their product.

Same goes with brick and mortar stores.

Once the transaction is complete all they need is a receipt with your signature and the Authorization Number on it. But try telling that to your typical wage-slave working in a retail store.

When paying by credit card, I am frequently annoyed to find my complete credit card number printed on the retailer's copy of the receipt, along with my name and the expiry date.

Re:Subscriptions

[Attila Dimedici (1036002)]

It has been a few years (late 90's) since I worked retail. However, I worked for a retailer that for various reasons people forgot that they had purchased things from with their credit card. The customer would get their bill and see a charge from our store on it. They would call the credit card company and contest the charge. The credit card company would send us a letter asking for the signed receipt for charge against Credit card # xxxx xxxx xxxx xxxx (where the x's were the number on the card) from such and such date. If we did not send it to them within a given amount of time, they would issue a credit to the customer and charge us the amount that we had received against that card. SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

First example: Slashdot!

[Spy der Mann (805235)]

404 File Not Found
The requested URL (yro/07/10/15/2043242.shtml) was not found.

I guess the above isn't illegal anymore, right Taco? ;-)

"Governator"? Are we in 6th grade here?

[Tetsujin (103070)]

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

Re:

[Martin Blank (154261)]

Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").

Re:

[nuzak (959558)]

Yeah, just prepending "California" or even just "CA" might have made it an eensy bit clearer. But hey, slashdot isn't about that pretentious "old media" with all its "accuracy" and "clarity" and "fact checking". Pshaw.

I prefer "Gubenator", which sounds funnier when said with Schwarzenegger's accent, and it's actually the real latin word that "governer" comes from. But I wouldn't put that in a headline either.

It's not just a "recall" ...

[Slur (61510)]

... It's a Total Recall!

No kidding

[SuperKendall (25149)]

It doesn't help reasoned debate when people jump right into name calling. No matter who you are talking about... M$ is lame for the same reason.

Re:

[Martin Blank (154261)]

Then-Lt. Gov. Cruz Bustamante was the biggest candidate that he faced, and that was a very, very poor choice.

Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of clos

Re:

[AuMatar (183847)]

Actually, his biggest opponent was Davis. Over 40% of the people voted to NOT recall him. If the courts hadn't made the braindead decision that he couldn't be on the general recall ballot, he probably would have been recalled, then rewon the election.

Re:

[Opportunist (166417)]

Hey, don't bash Arnie! Judging from Bush, the way he butchers English he could be President if he was born in the USA.

Re:

[TheLink (130905)]

I wonder if he gets a speech trainer to help him _keep_ his accent.

After all just imagine what would happen if he loses his accent. Imagine an Arnie movie with Arnie speaking in English but without his accent.

"Kill" a law?

[Jugalator (259273)]

How do one "kill" a law, really? Bah -- surely, Arnold must have terminated this law.

Re:

[mangu (126918)]

Arnold must have terminated this law.

Yes, but he himself said "I encourage the author and the industry to work together on a more balanced legislative approach,"

In other words, the law'll be back...

Re:

[Opportunist (166417)]

In other words, the law is for sale.

Ah! The ads!

[by Anonymous Coward]

Here's the printer friendly version, with (somewhat) fewer advertisements.
http://www.eweek.com/print_article2/0,1217,a=217199,00.asp [eweek.com]
(posted as anon to avoid Karma whoring)

Levels of Compliance?

[nonsequitor (893813)]

Couldn't they redraft the law such that there are several levels of compliance. If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.

Re:

[MtlDty (711230)]

Actually, thats the way it currently does work according to the PCI-DSS. There are four levels of compliancy, and although the compliancy points across all levels are similar, the accreditation is more difficult at the higher levels (requires certification from independant Qualified Security Assessor).

I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) already has mandated merchants must comply with the Data Securi

Too much effort to comply is not an excuse

[ravenspear (756059)]

Seems like a lot of companies out there today do not give the proper effort required to make even rudimentary considerations to the security of client data. This reminds me of an experience I had a few weeks ago. This is 100% true. I was sitting in a subway station waiting for a train. I sat down on a bench and noticed a plain unmarked vanilla envelope sitting on the bench next to me. There was no one else around so it was obvious whoever it belonged to had left it. I opened it and discovered it was several pages of customer records for a hotel chain (don't remember which). It had their names, what nights they had stayed, some additional information, and their FULL credit card numbers they had used to pay printed next to the names. I was amazed that someone would just leave this kind of information lying around anywhere for anyone to find.

What is this "marketplace" that he speaks of?

[khasim (1285)]

From TFA:

However, the current version of the bill, Schwarzenegger said, "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.

With the inc

Re:

[Rakishi (759894)]

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

Sure, why the hell not. Do you realize how much crime is caused by and public money is wasted on fighting both of those? We could probably provide welfare and free drugs to every single bloody drug user for less than it costs us now to deal with them in jail and in their gangs.

I'm not arguing that.

[khasim (1285)]

I'm arguing the lack of logic in claiming that some fictional entity ("the marketplace") can provide protection in one instance ... but not in other instances.

So that certain instances require legal regulation.

But the fictional entity is used to justify the lack of legal regulation in the other instance.

Re:

[Opportunist (166417)]

Money is like energy, you cannot waste or eliminate it. It just gets transformed into something that might not be useful for you.

In other words, don't worry, someone profits from it.

Re:

[Deadstick (535032)]

plain unmarked vanilla envelope

Must make those in Mexico...

rj

It can be, if you want any small business

[Sycraft-fu (314770)]

When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.

Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.

Re:

[Opportunist (166417)]

C'mon, be sensible. Keeping customer data reasonably safe is quite easy for small businesses. You have your POS with outsourced security (read: You bought some POS system that handles CC purchases for you). Your accounting needn't be on an internet terminal, that's something you do on a computer which can trivially be disconnected from the internet or anything else that could steal your data.

If anyone, large businesses face problems with increased demands in security.

Re:

[einhverfr (238914)]

You are missing a very basic fact---

If you have a noncompliant system today, whether or not this law would have been signed, and its problems resulted in the theft of a credit card number, your small business could be fined up to $500,000 by Visa/Mastercard.

That is the cost (right now) of noncompliance. So the solution to your question is-- do your homework, evaluate what you have, and get the right system.

Agree and disagree

[einhverfr (238914)]

Most of my customers are small businesses which also process credit cards. What you have to remember is the controversial portions of the law are *already* requirements for small businesses which process credit cards. I invite you to read the PCI-DSS 1.1 (and yes, there are a lot of non-compliant small businesses out there).

Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violat

Re:Too much effort to comply IS an excuse

[Harmonious Botch (921977)]

I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.

These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

Laws have consequenses. And someday the consequence may be your job.

Re:Too much effort to comply IS an excuse

[bjourne (1034822)]

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant. Or you don't have a use for a new employee, which means that $value_of_work less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket the money if the latter is more profitable.

Re:Too much effort to comply IS an excuse

[Harmonious Botch (921977)]

Your calulations are overly simplistic.

You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.

As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.

If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )


Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.

Re:Too much effort to comply IS an excuse

[khallow (566160)]

Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.

I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshhold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.

Let's talk about hypothetical worlds of zero risk

[hey! (33014)]

Well as a business owner of course it's good for you if somebody else absorbs the cost of the risks you take.

So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.

Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable

"It won't be back"?

[whoever57 (658626)]

Perhaps the submittor or editor could refrain from lame jokes when said joke is in conflict with the article:

Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill.

Re:

[johndiii (229824)]

Not only that, but it passed both houses with a majority well in excess of that required to override the veto.

PCI Compliance

[jeramybsmith (608791)]

Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

I would hate to see the retardation government compliance laws in 50 different states would result in.

PCI-DSS is not as you describe.

[einhverfr (238914)]

Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

Then the problem is either with the admins or that the compliance people can't read.

The PCI-DSS 1.1 states:

5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal
computers and servers)
Note: Systems commonly affected by viruses typically do not include UNIX-based operating
systems or mainframes.[emphasis mine]

Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.

data protection laws not always good

[wikinerd (809585)]

I, as an individual, prefer to be responsible for protecting my own data, rather than having a government nanny creating huge bureaucracies with great costs and making everyone's life difficult and not necessarily more secure. I really do not know much about this particular law, or whether its change was motivated by some multinational (in which case it's bad) or true concern for the costs to small businesses (which is a valid concern), but speaking generally I distrust data protection laws, as they can be

Re:

[Opportunist (166417)]

All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.

Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.

Re:

[CodeBuster (516420)]

I, as an individual, prefer to be responsible for protecting my own data

Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once wi

Good political move

[Qwavel (733416)]

I can imagine that in the state of CA there must be a ton of internet businesses just dying to sell user data. And a lot of those companies will be directing some of their new revenue to the governor that made it all possible. If he can put an 'anti red tape and government bureaucracy' face on it, all the better.

PCI Standards

[azrider (918631)]

The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/Card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned.

In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code.

That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare).

The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four or the last four alone.

If your merchant gives you a receipt (and their copy shows also) any thing other than XXXXXXXXXXXX1234 (shorten for some incarnations of Visa and AMEX), XXXX1234 or 1234 complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry/Data Security Standard 1.1 (2005).

Re:

[azrider (918631)]

Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.

See the above referenced standard https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm [pcisecuritystandards.org]. The only required information is merchant ID, merchant tr

Re:

[MtlDty (711230)]

Sorry - I didnt mean to get your back up. Fact is however that I am an EFT system developer working for a Payment Service Provider, and as such deal with multiple acquiring banks, merchants, card schemes and am very familiar both with the PCI standards and inter-bank communications.

I did mention that point b varies greatly between card issuers, and acquiring banks, so I wont argue if you have different experiences there. But point c is an actual fact. Point d is also a fact with the vast majority of acqu

Spelt his name wrong, of course.

[Paperweight (865007)]

Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.

Other names for bill

[tjstork (137384)]

The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"

and more...

Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.

Data protection in EU prove Schwartzneger false

[aepervius (535155)]

They don't seem to close or kill small business in EU, isn't it ? Last time I looked the big conglomerate were not the main employer in many country, the small enterprise cover more than 50% of the jobs (66% for France for example), with an increasing tendency in the last few years (~60% 1985 for France up to 66+% today, I took the example of France because this is the first which came up in google). So REALLY if data protection law killed small enterprise, we would know by now.
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.

Arnold doesn't think very long about some things

[Catbeller (118204)]

Goodness, we don't want to make businesses pay money for stuff.

Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.

They also have no problem making billions exploiting the data they spent so much money accumulating and processing.

Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.