Governator Kills Data Protection Law
eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."
Ah! The ads! (Score:2, Informative)
http://www.eweek.com/print_article2/0,1217,a=217199,00.asp [eweek.com]
(posted as anon to avoid Karma whoring)
"It won't be back"? (Score:5, Informative)
Re:Too much effort to comply IS an excuse (Score:5, Informative)
These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.
With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.
Laws have consequences. And someday the consequence may be your job.
Re:"Governator"? Are we in 6th grade here? (Score:3, Informative)
Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of closed-door, secret meetings selling off the state's future.
Re:Levels of Compliance? (Score:3, Informative)
I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) has already mandated that merchants must comply with the Data Security Standard. They also have the means to force non-compliance fees on merchants, through their acquiring banks.
In short, there's no need to add layers of government bureaucracy to the mix - it would just cost the taxpayer for something that the card industry should be able to manage, and add extra levels of confusion to what is already a difficult landscape of compliance.
Re:PCI Standards (Score:3, Informative)
Spelt his name wrong, of course. (Score:3, Informative)
Agree and disagree (Score:3, Informative)
Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violations resulting in theft of sensitive cardholder information. Many smaller fines are levied against businesses who are required to certify their compliance with third parties (these are either larger businesses or those who have had past problems).
This isn't about an attack on smaller businesses. Businesses *should* be doing this already. If they don't they are already risking their continued operations. Hopefully such a law would help build awareness of these sorts of problems and help small businesses actually avoid problems. Yes, compliance is a bear, but already the costs of noncompliance, as levied by Visa/Mastercard are sufficient to drive small businesses out of business.
Re:It can be, if you want any small business (Score:3, Informative)
If you have a noncompliant system today, whether or not this law would have been signed, and its problems resulted in the theft of a credit card number, your small business could be fined up to $500,000 by Visa/Mastercard.
That is the cost (right now) of noncompliance. So the solution to your question is: do your homework, evaluate what you have, and get the right system.
PCI-DSS is not as you describe. (Score:4, Informative)
The PCI-DSS 1.1 states:
computers and servers)
Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes. [emphasis mine]