Governator Kills Data Protection Law

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."

"Governator"? Are we in 6th grade here?

[Tetsujin]

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

Re:"Governator"? Are we in 6th grade here?

[Martin Blank]

Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").

Levels of Compliance?

[nonsequitor]

Couldn't they redraft the law such that there are several levels of compliance. If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.

What is this "marketplace" that he speaks of?

[khasim]

From TFA:

However, the current version of the bill, Schwarzenegger said, "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.

With the increase in "identity theft" it should be apparent to anyone that the "marketplace" is not capable of regulating itself.

All a "marketplace" does is ensure that those with the most power KEEP the most power. And right now that is not the credit consumer.

It can be, if you want any small business

[Sycraft-fu]

When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.

Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.

Good political move

[Qwavel]

I can imagine that in the state of CA there must be a ton of internet businesses just dying to sell user data. And a lot of those companies will be directing some of their new revenue to the governor that made it all possible. If he can put an 'anti red tape and government bureaucracy' face on it, all the better.

Re:data protection laws not always good

[Opportunist]

All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.

Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.

The Goven-ator is foolish.

[Neanderthal Ninny]

We need to have some level of protection when we give our information away. I seen all of the bad example out there even for the big companies like TJX. But for the small and medium size business they don't have the resources, or at least want to release these resources, to protect this data in this manner. I understand this from both side and the legislature should create a bill that has this protections for the consumers but for the small to medium sized business which can prove that they cannot afford such a system that they some for of tax break or something so they can get the system to protect us in California and hopefully this will spread to to the rest of the country.

PCI Standards

[azrider]

The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/Card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned.

In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code.

That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare).

The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four or the last four alone.

If your merchant gives you a receipt (and their copy shows also) any thing other than XXXXXXXXXXXX1234 (shorten for some incarnations of Visa and AMEX), XXXX1234 or 1234 complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry/Data Security Standard 1.1 (2005).

Re:Too much effort to comply IS an excuse

[bjourne]

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant. Or you don't have a use for a new employee, which means that $value_of_work less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket the money if the latter is more profitable.

Re:data protection laws not always good

[CodeBuster]

I, as an individual, prefer to be responsible for protecting my own data

Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once with these guys then they have you pegged for the rest of your life. It is practically impossible to avoid the information brokers without living under a rock and paying for everything in cash.

Re:Too much effort to comply IS an excuse

[Harmonious Botch]

Your calulations are overly simplistic.

You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.

As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.

If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )


Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.

Other names for bill

[tjstork]

The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"

and more...

Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.

Re:Too much effort to comply IS an excuse

[khallow]

Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.

I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshhold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.

Data protection in EU prove Schwartzneger false

[aepervius]

They don't seem to close or kill small business in EU, isn't it ? Last time I looked the big conglomerate were not the main employer in many country, the small enterprise cover more than 50% of the jobs (66% for France for example), with an increasing tendency in the last few years (~60% 1985 for France up to 66+% today, I took the example of France because this is the first which came up in google). So REALLY if data protection law killed small enterprise, we would know by now.
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.

Re:PCI Standards

[MtlDty]

Sorry - I didnt mean to get your back up. Fact is however that I am an EFT system developer working for a Payment Service Provider, and as such deal with multiple acquiring banks, merchants, card schemes and am very familiar both with the PCI standards and inter-bank communications.

I did mention that point b varies greatly between card issuers, and acquiring banks, so I wont argue if you have different experiences there. But point c is an actual fact. Point d is also a fact with the vast majority of acquiring banks, if the acquiring bank receives a chargeback request from the cardholder they will contact the merchant with an RFI on the transaction. At this point its up to the merchant to prove that the transaction flowed through their system, and they'll receive the PAN in the RFI. If the merchant doesnt store the PAN they have nothing to tie the transaction to the RFI. These points are not detailed in the PCI standards, these are just things that any decent EFT systems developer will be familiar with.

In your original post you also said that 'The Payment Card Industry standards are, at this point, simply a recommendation.'. Thats also not true. Compliance is mandatory. There are various levels of compliance, requiring different levels of validation of compliance, but even at the lowest level, completion of an SAQ is mandatory.

You also said that compliance was as simple as changing one line. This leads me to believe that you're authorising through a payment gateway / PSP, and your payment gateway will therefore undertake the burden of PCI compliance. This probably also explains why you're not familiar with the settlement process (PSP will generally take care of that also). Please understand however that a lot of merchants dont use PSPs, and PCI compliance is anything but trivial.

Let's talk about hypothetical worlds of zero risk

[hey!]

Well as a business owner of course it's good for you if somebody else absorbs the cost of the risks you take.

So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.

Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable steps to protect it, it costs him a great deal, in lost credit, reputation, and personal anguish. How much of the dollar cost are you responsible for? Surely not all -- the identity thieves themselves must bear most ofthe responsibilty. On the other hand, surely not zero, for the customer would never have been exposed to the thieves if it weren't for your failure to take reasonable steps.

It's clear you bear some responsibility, but the fact there is no way to quantify your contribution to the customer's loss bears on a bug in the law. If the damages cannot be quantified, you are completely off the hook as far as liability is concerned. The customer can get injunctive relief. The courts can say, "stop doing that." But that's it.

One thing the legislature can do is specify a standard damage figure. Let's say that your negligence leads to identity theft of a customer. They can say that if you negligently contribute to that, you are responsible for $1,000 of "per se damages", whether the total actual damages suffered by the customer are $100,000 or $1,000,000. It sounds reasonable and manageable. It may be enough (in aggregate) to motivate your less morally scrupulous competitors to match your principled investment in customer security.

But remember the anguish suffered by the customer? The humiliation? The year of his life devoted to dealing with a stupid credit rating crisis? Once he has handle on your for the $1,000 of damages, he can also add the cost of those things, plus payback.

This leaves us with three options.

Option 1: leave things as they are. This is good for your unscrupulous competitors, maybe not so good for you. Definitely bad for consumers (including you in your role as consumer).

Option 2: specify "per se" damages. Unfortunately, you'll never know how much protection is "enough". Enough is enough to convince any conceivable jury you did your duty. Better add to your liability insurance.

Option 3: regulatory oversight. Expect having to file data security reports.

Which approach is least burdensome to society as a whole? Which of these can businesses manage to deal with? Overall, a well designed regulatory regime is probably the most predictable and manageable. On the other hand, it's always possible for regulations to be drafted that don't do the job and cost a lot of money. It depends on who is running the regulatory agency, in this case, ultimately, the governor of California.

Arnold doesn't think very long about some things

[Catbeller]

Goodness, we don't want to make businesses pay money for stuff.

Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.

They also have no problem making billions exploiting the data they spent so much money accumulating and processing.

Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.