Following the lead of Minnesota, the California legislature recently passed legislation (AB 1656) that requires retailers to implement data protection controls if they retain customers' personal information. The California bill does not require retailers to compensate card issuers for the costs of closing accounts and reissuing cards, but it does require the retailers to notify consumers affected by security breaches, with the cost of notification being borne by the retailer. With significant amendments from the original bill that was vetoed by the governor in 2007, this version of the bill is expected to now be signed.

The Minnesota law, signed into law in 2007, goes further by putting the liability for the cost of card reissuance on the retailer rather than the issuing bank.

My prediction is that we will see continued legislative pressure to move the costs of breach cleanup away from card issuing banks, to those responsible for the breach (oftentimes the retailers).

An interesting aspect of this new bill is that it is more prescriptive than the state data privacy laws typically are. The bill has specific language around storage of cardholder data, a requirement to have and implement a policy regarding customer information data retention, limiting access to only those whose job requires access, and use of encryption to protect cardholder data.

At a glance, the language used seems to mirror the controls found in PCI 1.1, which is good. But it is one more set of controls that have to be understood and accounted for if you are a firm that operates in the payment card processing chain, and if you are doing business in California.

As with SB1386, this law applies to breaches involving California consumers, meaning that if you have California consumers in your customer base, the law applies to you.