Following the lead of Minnesota, the California legislature
recently
passed legislation (AB 1656) that requires retailers to implement data
protection controls if they retain customer’s personal information. The
California bill does not require retailers to compensate card issuers for the
costs of closing accounts and reissuing cards, but it does require the
retailers to notify consumers affected by security breaches, with the cost of
notification being borne by the retailer. With significant amendments from the
original bill that was vetoed by the governor in 2007, this version of the bill
is expected to now be signed.
The Minnesota
law, signed into law in 2007, goes further by putting the liability for the
cost of card reissuance on the retailer rather than the issuing bank.
My prediction is that we will see continued legislative
pressure to move the costs of breach cleanup away from card issuing banks, to
those responsible for the breach (oftentimes the retailers).
An interesting aspect of this new bill is that it is more
prescriptive than the state data privacy laws typically are. The bill has
specific language around storage of cardholder data, a requirement to have and
implement a policy regarding customer information data retention, limiting
access to only those whose job requires access, and use of encryption to protect
cardholder data.
At a glance, the language used seems to mirror the
controls found in PCI 1.1, which is good. But it is one more set of controls
that have to be understood and accounted for if you are a firm that operates in
the payment card processing chain, and if you are doing business in California.
As with SB1386, this law applies to breaches involving California
consumers , meaning if you have California consumers in your customer base, the
law applies to you.
Jim Hietala, CISSP, GSEC, is Research Director and a
principal of Compliance Research Group,
providing research, analysis, and consulting services in the areas of
compliance, risk management, and IT security. He is also the Vice President,
Security for The Open Group, where he manages all security and risk management
programs and standards activities.
Jim has provided research and consulting services to
organizations such as SANS, The Open Group, and a number of IT security and
compliance vendors. He is a frequent speaker at industry conferences, and he
recently authored a comprehensive course on IT risk management. He participates
in the SANS Analyst/Expert program, having written several research whitepapers
and participated in several webcasts for SANS. He has also published
numerous articles on information security, risk management, and compliance
topics in publications including The ISSA Journal, Bank Accounting &
Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at
ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric
Network, and Digital Pathways. He developed and launched the industry’s first
remote access VPN service (Concentric RemoteLink) and encrypting ISDN router
(at Network Express), and launched a compliance and risk management software
start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois
University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
