Governator Kills Data Protection Law 177
eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."
"Governator"? Are we in 6th grade here? (Score:4, Insightful)
Re:"Governator"? Are we in 6th grade here? (Score:3, Insightful)
Levels of Compliance? (Score:4, Insightful)
What is this "marketplace" that he speaks of? (Score:3, Insightful)
So
What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.
With the increase in "identity theft" it should be apparent to anyone that the "marketplace" is not capable of regulating itself.
All a "marketplace" does is ensure that those with the most power KEEP the most power. And right now that is not the credit consumer.
It can be, if you want any small business (Score:5, Insightful)
So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.
Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.
Good political move (Score:2, Insightful)
Re:data protection laws not always good (Score:3, Insightful)
Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.
The Goven-ator is foolish. (Score:1, Insightful)
PCI Standards (Score:3, Insightful)
Re:Too much effort to comply IS an excuse (Score:5, Insightful)
Re:data protection laws not always good (Score:3, Insightful)
Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once with these guys then they have you pegged for the rest of your life. It is practically impossible to avoid the information brokers without living under a rock and paying for everything in cash.
Re:Too much effort to comply IS an excuse (Score:5, Insightful)
You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.
As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.
If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )
Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.
Other names for bill (Score:3, Insightful)
The "Not Available Online to California Residents Act"
and more...
Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.
Re:Too much effort to comply IS an excuse (Score:5, Insightful)
Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.
Data protection in EU prove Schwartzneger false (Score:4, Insightful)
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.
Re:PCI Standards (Score:3, Insightful)
I did mention that point b varies greatly between card issuers, and acquiring banks, so I wont argue if you have different experiences there. But point c is an actual fact. Point d is also a fact with the vast majority of acquiring banks, if the acquiring bank receives a chargeback request from the cardholder they will contact the merchant with an RFI on the transaction. At this point its up to the merchant to prove that the transaction flowed through their system, and they'll receive the PAN in the RFI. If the merchant doesnt store the PAN they have nothing to tie the transaction to the RFI. These points are not detailed in the PCI standards, these are just things that any decent EFT systems developer will be familiar with.
In your original post you also said that 'The Payment Card Industry standards are, at this point, simply a recommendation.'. Thats also not true. Compliance is mandatory. There are various levels of compliance, requiring different levels of validation of compliance, but even at the lowest level, completion of an SAQ is mandatory.
You also said that compliance was as simple as changing one line. This leads me to believe that you're authorising through a payment gateway / PSP, and your payment gateway will therefore undertake the burden of PCI compliance. This probably also explains why you're not familiar with the settlement process (PSP will generally take care of that also). Please understand however that a lot of merchants dont use PSPs, and PCI compliance is anything but trivial.
Let's talk about hypothetical worlds of zero risk (Score:3, Insightful)
So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.
Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable steps to protect it, it costs him a great deal, in lost credit, reputation, and personal anguish. How much of the dollar cost are you responsible for? Surely not all -- the identity thieves themselves must bear most ofthe responsibilty. On the other hand, surely not zero, for the customer would never have been exposed to the thieves if it weren't for your failure to take reasonable steps.
It's clear you bear some responsibility, but the fact there is no way to quantify your contribution to the customer's loss bears on a bug in the law. If the damages cannot be quantified, you are completely off the hook as far as liability is concerned. The customer can get injunctive relief. The courts can say, "stop doing that." But that's it.
One thing the legislature can do is specify a standard damage figure. Let's say that your negligence leads to identity theft of a customer. They can say that if you negligently contribute to that, you are responsible for $1,000 of "per se damages", whether the total actual damages suffered by the customer are $100,000 or $1,000,000. It sounds reasonable and manageable. It may be enough (in aggregate) to motivate your less morally scrupulous competitors to match your principled investment in customer security.
But remember the anguish suffered by the customer? The humiliation? The year of his life devoted to dealing with a stupid credit rating crisis? Once he has handle on your for the $1,000 of damages, he can also add the cost of those things, plus payback.
This leaves us with three options.
Option 1: leave things as they are. This is good for your unscrupulous competitors, maybe not so good for you. Definitely bad for consumers (including you in your role as consumer).
Option 2: specify "per se" damages. Unfortunately, you'll never know how much protection is "enough". Enough is enough to convince any conceivable jury you did your duty. Better add to your liability insurance.
Option 3: regulatory oversight. Expect having to file data security reports.
Which approach is least burdensome to society as a whole? Which of these can businesses manage to deal with? Overall, a well designed regulatory regime is probably the most predictable and manageable. On the other hand, it's always possible for regulations to be drafted that don't do the job and cost a lot of money. It depends on who is running the regulatory agency, in this case, ultimately, the governor of California.
Arnold doesn't think very long about some things (Score:3, Insightful)
Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.
They also have no problem making billions exploiting the data they spent so much money accumulating and processing.
Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.