Governator Kills Data Protection Law

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."

Subscriptions

[mastershake_phd]

But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
 
What about automatically recurring bills, like web hosting.

Re:

[GomezAdams]

The bill was directed to retailers. Is your ISP a retailer? The article is not all that clear about the target but by 'retailer' it seems this is about the local iHop, No-Tell Hotel, or Victoria's Secret storing your credit card and any address, phone number, SS# info way past the authorization cycle. Having a mortgage, auto payments, and a monthly charge for services (I pay an annual fee for my web hosting) would be normal usage of customer data, but a retailer does not require any bank/credit card info a

Re:

[multisync]

but a retailer does not require any bank/credit card info after they receive the money for their product.

Same goes with brick and mortar stores.

Once the transaction is complete all they need is a receipt with your signature and the Authorization Number on it. But try telling that to your typical wage-slave working in a retail store.

When paying by credit card, I am frequently annoyed to find my complete credit card number printed on the retailer's copy of the receipt, along with my name and the expiry date.

Re:Subscriptions

[Attila Dimedici]

It has been a few years (late 90's) since I worked retail. However, I worked for a retailer that for various reasons people forgot that they had purchased things from with their credit card. The customer would get their bill and see a charge from our store on it. They would call the credit card company and contest the charge. The credit card company would send us a letter asking for the signed receipt for charge against Credit card # xxxx xxxx xxxx xxxx (where the x's were the number on the card) from such and such date. If we did not send it to them within a given amount of time, they would issue a credit to the customer and charge us the amount that we had received against that card. SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

Not really

[jeevesbond]

SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

That's what PAN print suppression is for. So instead of storing the whole credit card number you just store the first and last few digits, for example:

5454 xxxx xxxx 1234

Then you store the cardholder name and date of the transaction, this is enough evidence for the credit card company to verify the transaction, but not enough for an identity thief to go on a shopping spree. :)

Re:

[GlassHeart]

No, you don't. All you need is a transaction id that the credit card company would issue you when you charged the card. (I have no idea if this id is in place, the point is that you don't actually have to store the sensitive card number.)

Re:

[jimicus]

How useful that is depends on what grounds the customer is contesting it.

If the grounds are "somebody's cloned/stolen my card and is making transactions on it", the authorisation code is useless - you need the slip that the customer has supposedly signed.

(Of course, the fact that the signature is thoughtfully RIGHT THERE ON THE BACK OF THE FREAKIN' CARD FOR A FRAUDSTER TO COPY AS THEY PLEASE is not relevant to this case. Honest.)

Re:

[cdrguru]

Sorry, but every Internet merchant is a "retailer".

Subscriptions aren't the point. This would have required eliminating the model where you trick someone into paying for shipping for something that is otherwise free just so you can continue to bill then month after month for the rest of the collection. Video Professor is one example of this. Not that this would have been all that bad a deal, but it doesn't sound like an intended consequence.

There are also plenty of other service-related "retailers" that

Re:

[Anonymous Coward]

Well that depends on how the bill defines "retailer".

Here in Texas, we define ISP retailers as copper chomping wallet vampires.

\\//_

Re:

[NeilTheStupidHead]

The parent already stated: they're called CCWVs in Texas.

Re:

[Qzukk]

What about automatically recurring bills, like web hosting.

They would demand that their CC processors issue them an encrypted token after the initial transaction that identifies the pair (company,creditcard) and can only be used for transactions involving that pair?

Re:

[einhverfr]

First, this is nothing new. THe PCI-DSS makes an identical requirement.

Basically, can't store PIN, CVV2, or CVV values. This means that for recurring bills, you can *only* use AVS which isn't so sensitive (basically street number (not name) and zip code.

In an ideal world, this would be done via the authorization code (tied to the merchant account!) rather than the credit card number, but not all processing gateways support this yet.

First example: Slashdot!

[Spy der Mann]

404 File Not Found
The requested URL (yro/07/10/15/2043242.shtml) was not found.

I guess the above isn't illegal anymore, right Taco? ;-)

I guess your:

[einhverfr]

connection TERMINATED with error: 404.

"Governator"? Are we in 6th grade here?

[Tetsujin]

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

Re:

[Martin Blank]

Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").

Re:

[nuzak]

Yeah, just prepending "California" or even just "CA" might have made it an eensy bit clearer. But hey, slashdot isn't about that pretentious "old media" with all its "accuracy" and "clarity" and "fact checking". Pshaw.

I prefer "Gubenator", which sounds funnier when said with Schwarzenegger's accent, and it's actually the real latin word that "governer" comes from. But I wouldn't put that in a headline either.

It's not just a "recall" ...

[Slur]

... It's a Total Recall!

No kidding

[SuperKendall]

It doesn't help reasoned debate when people jump right into name calling. No matter who you are talking about... M$ is lame for the same reason.

Re:

[speaker of the truth]

he used his Governor powers to terminate a privacy bill. Was there ever a time more appropriate to call him the Governator?

Re:

[AK Marc]

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

When I hear complaints like this, they inevitably come from Republicans that were fond of saying "Slick Willie" or Democrats that have uttered the words "Tricky Dick." Nicknames are popular in politics. They are popular in use by friends as well as supporters of the other party. If you don't like the divisive nature, you are in the wrong country. Try a place that doesn't have a two-party-

Re:

[nostriluu]

Much as I dislike cheesy nicknames, if I were in California, I'd be reminding myself I had "the Terminator" (and other science fiction characters) as governor too.

Re:

[db32]

Do you honestly believe that the man doesn't think being called the Governator is funny? His primary fame came from those movies. It isn't like they are calling him anything inherently derogatory. He was famous for being the Terminator, he is the Governor, he is the Governator! Big deal, don't get your panties in a twist over a dumb nick name. I really suspect that he probably thinks its funny that people call him that, shit, it wouldn't surprise me if he likes the nickname given that he got it for bei

Re:He's the "Governator"! (giggle)

[Tetsujin]

Do you honestly believe that the man doesn't think being called the Governator is funny? His primary fame came from those movies. It isn't like they are calling him anything inherently derogatory. He was famous for being the Terminator, he is the Governor, he is the Governator! Big deal, don't get your panties in a twist over a dumb nick name. I really suspect that he probably thinks its funny that people call him that, shit, it wouldn't surprise me if he likes the nickname given that he got it for being wildly successful.

Oh, and here I thought it was because he was in Predator... silly me...

It's just dumb, is all. "I remember Arnold Schwarzenegger was in this movie when I was a kid, and now he's a governor! Sounds like it's time for a portmanteau!" It's fine to poke fun at the guy, but if you're going to refer to the man in a news story you ought to use his proper name and/or title at least once in the story...

I could give a flying fuck about what Arnold thinks of his various nicknames. I am just embarrassed that a gr

Re:

[Martin Blank]

Then-Lt. Gov. Cruz Bustamante was the biggest candidate that he faced, and that was a very, very poor choice.

Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of clos

Re:

[AuMatar]

Actually, his biggest opponent was Davis. Over 40% of the people voted to NOT recall him. If the courts hadn't made the braindead decision that he couldn't be on the general recall ballot, he probably would have been recalled, then rewon the election.

Re:

[Opportunist]

Hey, don't bash Arnie! Judging from Bush, the way he butchers English he could be President if he was born in the USA.

Re:

[mikael]

One another related point, there is no way he would have got elected as an European with his original name if he hadn't been a rich famous movie star. So referring to him in a way that reminds people WHY he was famous in the first point is actually useful in this case.

He got elected because, in the economic downturn of the dot com bust, California's budget went from a surplus to a deficit. So everyone blamed Gray Davis and voted for Schwarznegger instead.

Re:

[TheLink]

I wonder if he gets a speech trainer to help him _keep_ his accent.

After all just imagine what would happen if he loses his accent. Imagine an Arnie movie with Arnie speaking in English but without his accent.

"Kill" a law?

[Jugalator]

How do one "kill" a law, really? Bah -- surely, Arnold must have terminated this law.

Re:

[mangu]

Arnold must have terminated this law.

Yes, but he himself said "I encourage the author and the industry to work together on a more balanced legislative approach,"

In other words, the law'll be back...

Re:

[Opportunist]

In other words, the law is for sale.

Re:

[pintpusher]

Come on, you remember the little guy sitting on the steps, "... yes I'm only a bill..."

well, what happens is some fat dude comes out of the capitol building, grabs that little guys and starts bellowing something about "what's your function!" and then proceeds to rend him to little shreds and then stomps off stage right.

Re:

[OldeTimeGeek]

And this is why we should put Civics class back into schools... He didn't kill a law because it wasn't a law yet - it was just a bill [school-house-rock.com].

Ah! The ads!

[Anonymous Coward]

Here's the printer friendly version, with (somewhat) fewer advertisements.
http://www.eweek.com/print_article2/0,1217,a=217199,00.asp [eweek.com]
(posted as anon to avoid Karma whoring)

Levels of Compliance?

[nonsequitor]

Couldn't they redraft the law such that there are several levels of compliance. If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.

Re:

[MtlDty]

Actually, thats the way it currently does work according to the PCI-DSS. There are four levels of compliancy, and although the compliancy points across all levels are similar, the accreditation is more difficult at the higher levels (requires certification from independant Qualified Security Assessor).

I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) already has mandated merchants must comply with the Data Securi

I wonder if the GOv thinks that

[einhverfr]

the issue of compliance goes away.

In fact, the requirements are basically copied from the PCI-DSS 1.1 which Visa/Mastercard require compliance with anyway (and reserve the right to "fine" you for up to half a million dollars for losses of credit card numbers if you fail to comply).

This is at best political posturing and at worst a dangerous illusion for small businesses.

Too much effort to comply is not an excuse

[ravenspear]

Seems like a lot of companies out there today do not give the proper effort required to make even rudimentary considerations to the security of client data. This reminds me of an experience I had a few weeks ago. This is 100% true. I was sitting in a subway station waiting for a train. I sat down on a bench and noticed a plain unmarked vanilla envelope sitting on the bench next to me. There was no one else around so it was obvious whoever it belonged to had left it. I opened it and discovered it was several pages of customer records for a hotel chain (don't remember which). It had their names, what nights they had stayed, some additional information, and their FULL credit card numbers they had used to pay printed next to the names. I was amazed that someone would just leave this kind of information lying around anywhere for anyone to find.

What is this "marketplace" that he speaks of?

[khasim]

From TFA:

However, the current version of the bill, Schwarzenegger said, "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.

With the inc

Re:

[Rakishi]

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

Sure, why the hell not. Do you realize how much crime is caused by and public money is wasted on fighting both of those? We could probably provide welfare and free drugs to every single bloody drug user for less than it costs us now to deal with them in jail and in their gangs.

I'm not arguing that.

[khasim]

I'm arguing the lack of logic in claiming that some fictional entity ("the marketplace") can provide protection in one instance ... but not in other instances.

So that certain instances require legal regulation.

But the fictional entity is used to justify the lack of legal regulation in the other instance.

Re:

[Opportunist]

Money is like energy, you cannot waste or eliminate it. It just gets transformed into something that might not be useful for you.

In other words, don't worry, someone profits from it.

Re:

[StikyPad]

So what are you "saying"?

Re:

[Deadstick]

plain unmarked vanilla envelope

Must make those in Mexico...

rj

Re:

[conteXXt]

Because we all know the "Manila" ones come from Thailand?

Just kidding they are all made out of recycled Canadian newspaper.

It can be, if you want any small business

[Sycraft-fu]

When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.

Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.

Re:

[Opportunist]

C'mon, be sensible. Keeping customer data reasonably safe is quite easy for small businesses. You have your POS with outsourced security (read: You bought some POS system that handles CC purchases for you). Your accounting needn't be on an internet terminal, that's something you do on a computer which can trivially be disconnected from the internet or anything else that could steal your data.

If anyone, large businesses face problems with increased demands in security.

Re:

[Sycraft-fu]

Ahh, so what happens if you already own the system, and it doesn't meat the criteria. Just buy it again? What happens if it is then incompatible with your inventory? Just reenter it? Easy to say, less easy to do. I didn't read this bill, not relevant to me (I don't live in California) I am just saying that it is a perfectly legitimate argument against something that the costs are too high for small business.

You have to consider the cost of your actions, and that includes legislatons. I dislike those who see

Re:

[AK Marc]

What small business stores anything like this? They keep the recipts. They keep nothing else. The only place that takes a stamping of my card is CompUSA, and I don't think they qualify as small. The small businesses outsource everything. Often to the point that they don't even own the credit card terminal they use. They swipe and get a recipt they keep. All the other information is stored by some 3rd party on servers far far away. Unless by "small" business, you mean 100+ employees with servers and

Re:

[Ooblek]

They swipe and get a recipt they keep. All the other information is stored by some 3rd party on servers far far away.

This is not always the case. That terminal may actually be storing your card data. It may even give someone the ability to access data stored in those far far away servers.

And if they are 100+ employees, they are big enough to be able to figure out how to do a little encryption.

I was at a global company recently that probably has tens of thousands of employees. They did a "little" encryption project and it took them a year to do it. Then they figured out that it didn't meet PCI DSS's requirements to be able to rotate your keys, so they had to scrap the whole thing and try to figure out how to do it ag

Re:

[einhverfr]

You are missing a very basic fact---

If you have a noncompliant system today, whether or not this law would have been signed, and its problems resulted in the theft of a credit card number, your small business could be fined up to $500,000 by Visa/Mastercard.

That is the cost (right now) of noncompliance. So the solution to your question is-- do your homework, evaluate what you have, and get the right system.

Re:

[Opportunist]

Bluntly? If you were dumb enough to buy an insecure data handling system, it's better you go out of business before you do damage to your customer's data.

Again, think about it. What kind of customer data does the average mom'n'pop shop keep? If (and only if) they have CC payment, you already outsourced that. You have a POS terminal that you rent. This terminal is not your problem. It's the problem of the company owning it. You only get some receipt for your accountant. This receipt now has to go into a safe

Re:

[CodeBuster]

This is precisely why I generally do not do business with small businesses or if I do, then I pay in cash. The problem with small business is that they are well, small. They think small, they behave like amateurs (particularly in areas that are not part of their core business), and they usually provide no tangible benefit to a transaction while charging a higher price than larger businesses, especially at retail.

Now having said that, if we are going to increase the regulatory burden then it should be inc

Re:

[einhverfr]

Actually, security is as big an issue for larger businesses. You have legacy systems built when nobody foresaw the sorts of security threats we have today, and a *lot* of data is still stored in them. Some of those systems probably store data no longer allowed by the PCI-DSS.

The goal ought to be to help build awareness of PCI-DSS compliance and help all businesses become compliant.

Agree and disagree

[einhverfr]

Most of my customers are small businesses which also process credit cards. What you have to remember is the controversial portions of the law are *already* requirements for small businesses which process credit cards. I invite you to read the PCI-DSS 1.1 (and yes, there are a lot of non-compliant small businesses out there).

Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violat

Re:

[Tim C]

Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

Nice false dichotomy there; obviously between small businesses (a handful of employees, maybe a few dozen) and ones the size of MS (tens of thousands of employees worldwide) there's a great big barren land in which no business exists or can exist.

Re:Too much effort to comply IS an excuse

[Harmonious Botch]

I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.

These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

Laws have consequenses. And someday the consequence may be your job.

Re:

[Harmonious Botch]

As the subject is regulation, I should add that due to unneeded regulations my business is much less efficient than it could be. It is not nearly as easy to quantify as the losses to taxes, but I estimate it is a job loss for one part-time person.

Re:Too much effort to comply IS an excuse

[bjourne]

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant. Or you don't have a use for a new employee, which means that $value_of_work less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket the money if the latter is more profitable.

Re:Too much effort to comply IS an excuse

[Harmonious Botch]

Your calulations are overly simplistic.

You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.

As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.

If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )


Furthermore, employees do not exist in a vaccuum. They require places to work. And real estate cannot be allocated piecemeal like ram. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.

Re:Too much effort to comply IS an excuse

[khallow]

Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.

I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshhold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.

Re:

[mcrbids]

That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant. Or you don't have a use for a new employee, which means that $value_of_work less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket

Not in this case

[einhverfr]

If you accept credit cards, you already have to comply. Look up the PCI-DSS, and note that Visa/MC already require everything that was in this bill. Note too that Visa/MC already reserve the right to "fine" you for noncompliance (if you have a merchant account) up to $500,000.00 USD.

Yet most small businesses have *no* idea what is required of them. This passage of the law would have helped businesses avoid problems which could put them out of business.

Please note that my business is fairly small and most

Let's talk about hypothetical worlds of zero risk

[hey!]

Well as a business owner of course it's good for you if somebody else absorbs the cost of the risks you take.

So if the choice is paying, say, $100,000/year to safeguard sensitive personal data you have in your posession, or simply ignore the possibilty that the data might be stolen or misused. If you protect your customer's privacy, you're a good man. If you don't, you're $100,000 richer.

Now here's a pretty legal conundrum: if one of your customers has his data stolen because you didn't take reasonable

Re:

[ozphx]

This reminds me of an experience I had a few weeks ago. This is 100% true. I work for a government agency doing sting operations against identity theives. We leave a plain vanilla envelope on a bench of a subway station containing fake customer records. If anyone opens the envelope then we give them a few days to report it.

I'm amazed that it usually ends up in the phase where I roll down there with uniform and stick a nightstick up the suspects ass. They never see it coming!

Re:

[ravenspear]

haha ok but, you're forgetting the third and most likely option. They don't report it but they also are not identity thieves. I just shredded it and threw it away.

If that happens again

[einhverfr]

I would check out who you contact at Visa/Mastercard. This is a pretty serious violation of security reqirements, and the hotel chain could be fined substantially for the lapse in security. Note that if you have the full credit card number and the customer's address, you can basically get AVS-type queries to pass. I would suggest helping ensure that it gets turned in to Visa/Mastercard.

I am not quite sure what the fine is for something like this, but the maximum (when credit card numbers are actually sto

"It won't be back"?

[whoever57]

Perhaps the submittor or editor could refrain from lame jokes when said joke is in conflict with the article:

Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill.

Re:

[johndiii]

Not only that, but it passed both houses with a majority well in excess of that required to override the veto.

PCI Compliance

[jeramybsmith]

Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

I would hate to see the retardation government compliance laws in 50 different states would result in.

PCI-DSS is not as you describe.

[einhverfr]

Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

Then the problem is either with the admins or that the compliance people can't read.

The PCI-DSS 1.1 states:

5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal
computers and servers)
Note: Systems commonly affected by viruses typically do not include UNIX-based operating
systems or mainframes.[emphasis mine]

Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.

Re:

[jimicus]

Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.

When nonsense complaints like that are made, what they generally mean is not "this regulation is bad".

What it means is "This regulation has the potential to make my life harder in some impossible to define way which I can't very easily argue, so I'm clutching at straws".

IME, a moments analysis wi

data protection laws not always good

[wikinerd]

I, as an individual, prefer to be responsible for protecting my own data, rather than having a government nanny creating huge bureaucracies with great costs and making everyone's life difficult and not necessarily more secure. I really do not know much about this particular law, or whether its change was motivated by some multinational (in which case it's bad) or true concern for the costs to small businesses (which is a valid concern), but speaking generally I distrust data protection laws, as they can be

Re:

[Opportunist]

All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.

Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.

Re:

[wikinerd]

I would very much prefer an NGO or citizen organisation funded by donations to create data protection standards and then choose to shop only from companies bearing the NGO's approval logo. Perhaps the only law that's needed is that every citizen has a right to privacy and their data, and before a transaction customer and company must agree to a contract or policy that defines what is going to happen to the personal data involved. If the company does something against the contract then the customer is enti

Re:

[CodeBuster]

I, as an individual, prefer to be responsible for protecting my own data

Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once wi

Re:

[wikinerd]

The big multinationals can bypass the laws. So, in reality, the only thing these laws do is to make the life difficult for the small guys and make it easier for the government to spy on everyone. Why not have an NGO or citizen organisation supported by our donations instead of government bureucracies and red tape? A law defining the general spirit of privacy and privacy policies and making it easy for people to get entitled to remedies in case of privacy breaches would be enough.

This law would have been good for the small guys

[einhverfr]

The basic thing is that another multinational enforces a contractual provision against all merchants big and small, doing business in various parts of the world. That multinational is Visa/Mastercard. And they levy fines of up to $500,000.00 USD for noncompliance.

All this law would have done practically speaking would have been to encourage small businesses to protect data properly. Right now, I don;t think most of them know what they are required to do. It is a shame and nothing more than political pos

Re:

[freedom_india]

Similarly why can't consumers collect as much information about companies such as ChoicePoint, Blackwater, etc., and publish it on wikipedia regularly?
Am sure employees, ex-empployees, etc., would love to contribute as much information.
Present it neatly tabulated without any opinions, including judgements, settlements, debt refusals etc.
Am sure the companies will get it.

Re:

[hey!]

It apears that you have not grasped at least one essential element of this situation: data laws may allow the government to "interfere" with how private entprises handle personal data, but the net effect of the laws is to restrict government access to privately held data. In most cases the government can simply ask for data and the vendor will give it to them. If not they can get subpoenas for data about you without your permission without showing probable cause, because legally, it's not your data. Fou

Good political move

[Qwavel]

I can imagine that in the state of CA there must be a ton of internet businesses just dying to sell user data. And a lot of those companies will be directing some of their new revenue to the governor that made it all possible. If he can put an 'anti red tape and government bureaucracy' face on it, all the better.

Kills Data Protection Law?

[nurb432]

Wouldn't that be 'terminates data protection law' ?

PCI Standards

[azrider]

The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/Card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned.

In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code.

That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare).

The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four or the last four alone.

If your merchant gives you a receipt (and their copy shows also) any thing other than XXXXXXXXXXXX1234 (shorten for some incarnations of Visa and AMEX), XXXX1234 or 1234 complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry/Data Security Standard 1.1 (2005).

Re:

[MtlDty]

There are some mistruths in this otherwise quite informative post.

Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.

So the full card number is required for
a) initial authorization request, typically taken

Re:

[PFAK]

Should it only show the last four digits for merchant, customer copy, or both?

Are the same standards upheld in Canada for MasterCard/Visa?

Re:

[azrider]

Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.

See the above referenced standard https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm [pcisecuritystandards.org]. The only required information is merchant ID, merchant tr

Re:

[MtlDty]

Sorry - I didnt mean to get your back up. Fact is however that I am an EFT system developer working for a Payment Service Provider, and as such deal with multiple acquiring banks, merchants, card schemes and am very familiar both with the PCI standards and inter-bank communications.

I did mention that point b varies greatly between card issuers, and acquiring banks, so I wont argue if you have different experiences there. But point c is an actual fact. Point d is also a fact with the vast majority of acqu

Re:

[einhverfr]

That problem mostly affects large businesses only (i.e. those who can afford to talk directly to the V/MC network and skip the gateway). And the cost of compliance there is *huge.*

For smaller businesses, generally this is handled via the acquirer (in the case of a small credit card processing terminal) or the payment gateway (like Authorize.net or TrustCommerce). There is no reason to store the credit card number beyond the initial approval there.

Note furthermore, that you *can* store the credit card numb

Interesting

[cdrguru]

There are many businesses that accept credit cards via third parties. The real "merchant" is this third party but all of the personal information (except for credit card number) is transmitted to the vendor/author/publisher/etc.

Amazon has a service for this, for example. Your personal information is being sold (in a manner of speaking) or at least transferred from the merchant to this vendor that is really selling you the goods. Wouldn't this violate many of the recent laws? I would certainly think it w

Re:

[CodeBuster]

Wouldn't this violate many of the recent laws? I would certainly think it would.

Probably not with large companies like Amazon since they have the resources to meet the regulatory burdens. Amazon is in fact becoming a payment processing service in its own right (for markets where it choses not to be directly involved), whereby small businesses receive payments from Amazon, not directly from the consumer, and are told by Amazon where to ship the goods. In fact this is preferable for the consumer because i

Spelt his name wrong, of course.

[Paperweight]

Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.

Other names for bill

[tjstork]

The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"

and more...

Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.

The regulations already apply

[einhverfr]

They are basically cut and pasted from the requirements that the payment card industry places on merchants anyway. V/MC "levy fines" of up to a half a million dollars in the event of noncompliance which results in credit card data theft. This law would have helped buisnesses avoid fines which would result in bankrupcy by helping them understand what they were required to do.

Re:

[tjstork]

And why are you complaining? The bill was vetoed. Do you always find something to complain about?

Only when the Red Sox pull within 2 runs of the Indians. But, the Indians hung on to win, and I'm happy. Go Indians!

It was inevitable

[PPH]

Now SkyNet can locate the correct Sarah Conner.

This is consistent with

[Whuffo]

Simply the sort of thing that a Republican governor would do. Protect the interests of the common man when it might cost the corporations a little profit? Nope; not the Republican way...

Data protection in EU prove Schwartzneger false

[aepervius]

They don't seem to close or kill small business in EU, isn't it ? Last time I looked the big conglomerate were not the main employer in many country, the small enterprise cover more than 50% of the jobs (66% for France for example), with an increasing tendency in the last few years (~60% 1985 for France up to 66+% today, I took the example of France because this is the first which came up in google). So REALLY if data protection law killed small enterprise, we would know by now.
PS: Although I must admit that there are dissenting voice saying that now big enterprise make the bulk of the economy near the 51% if you count small filial as belonging to the main big enterprise. See TUC report for UK for example.

My philosophy of regulation

[hey!]

To the degree a regulation creates new expenses, it's bad, but if you are not going to pay the new expense, it appears insignificant.

To the degree that a regulation redistributes an existing expense more fairly, it is good, but if you weren't paying those cost before they appear to be new.

Arnold doesn't think very long about some things

[Catbeller]

Goodness, we don't want to make businesses pay money for stuff.

Arnold: the business community had no problem spending money to build the infrastructure to take our privacy away. They must have collectively spent hundreds of billions on the computer systems, the software, and the deals they made to trade the details of our lives to the highest bidder. They are now cooperating with a police state unrivaled in history, giving over our finances, our communications, our very second-to-second physical locations to shadowy figures who sneer at the courts.

They also have no problem making billions exploiting the data they spent so much money accumulating and processing.

Businesses have no "right" to accumulate data and exploit it anymore than they have a right to dump poison in a river. Profit for shareholders is not an excuse. You want to be bastards, pay the bastard tax. And corporations are government creatures, not freeholds. They exist under government license. They have NO OTHER existence other than through the government. Without the government, they are just shopkeepers with known addresses. They are shielded from liability and personal exposure for crimes. You want to play with the government, play by the government's rules. Cry me a river.