The major payment card networks have promulgated security standards, known as the Payment Card Industry Data Security Standards (PCI DSS), for processing payment card data. Since mid-2005 merchants, data processors, and others who manage cardholder data have been required to comply with these standards, which are meant to be modified from time to time to reflect advances in technology. A bill recently passed by the California state Legislature seeks, inter alia, to embed the present version of the PCI DSS in the law, according to opponents of the bill.

The bill is AB 779,[1] which passed the Assembly on Sept. 10, having passed the Senate on Sept. 6. It has been sent to Governor Arnold Schwarzenegger for signature and, as of this writing, has not been signed. The bill would apply to all who sell goods or services to California residents and who accept payment by credit card, debit card or other “payment device.”

A new §1724.4 of the Civil Code would establish standards for the use of “payment related data” — account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account, whether individually or in combination with other information in this list. Specifically, it would render unlawful the storage of payment-related data, absent (i) a retention and disposal policy limiting the amount of it and its retention time to the amount and time required for business, legal or regulatory purposes, and (ii) storage of the data only in a manner and for a time permitted by that policy. This section would also prohibit the storage of encrypted or non-encrypted “sensitive authentication data” after authorization.[2] It would also be unlawful to store payment-related data not needed for business purposes, or any payment verification code, payment verification value, or PIN verification value.

Further, it would be unlawful to retain the primary account number unless retained in a manner consistent with other requirements of this bill and in a form unreadable and unusable by unauthorized persons anywhere it is stored. The bill also proscribes sending payment-related data over open, public networks absent strong encryption and security protocols or otherwise rendering it undecipherable. And it limits access to payment-related data to individuals whose jobs require it. Importantly, these restrictions do not apply to institutions (financial institutions generally) subject to the federal Gramm-Leach-Bliley Act[3] and to regulation by a state or federal agency thereunder.

AB 779 would also create a new Civil Code §1724.5, which would revise the California data security breach notification statute by requiring the notice to include: the date of the notice; the name of the agency, business or person that maintained the data at the time of the breach; the date or estimated date on which the breach occurred, if possible to determine; a description of the categories of personal data reasonably believed to have been acquired; a toll-free phone number (a local number if no toll-free number is maintained) for the agency, business or person subject to the breach (or an e-mail address if e-mail is the primary means used to communicate with such individuals); and the addresses and toll-free numbers of the major credit reporting agencies.

Importantly, a person, business or agency subject to §1724.4 would now be liable to the owner or licensee of the data for the “reimbursement of all reasonable and actual costs of providing notice to consumers” under the statute, and “for the reasonable and actual cost of card replacement as a result of the breach.”[4] Inasmuch as many of the breaches reported in the press have involved hundreds of thousands – even millions – of individuals, in a given instance these costs may exceed $10 million. However, a person, business or agency that can show it was fully compliant with §1724.4 at the time of the breach would be exempted “in whole or in part” from this liability.[5] Finally, an additional obligation would be added: where “substitute” notice[6] is permitted under the breach notification statute, notice would also have to be given to the California Office of Privacy Protection.

One purpose of this bill, as espoused by its sponsors, is to permit individuals to learn the types of their personal data that were subject to a breach. Proponents argue that retention of sensitive consumer financial information should be restricted so as to limit opportunities for its intentional or inadvertent misuse. And they argue that the cost of notification and card replacement should be imposed on the entity at the source of the breach.

But the bill also has its critics, who contend that the bill would freeze into law the present requirements of the PCI DSS. Opponents of the bill note that over time the PCI DSS themselves will inevitably undergo change to adapt to advancing technology and newly perceived threats, so that before long some requirements of the law would be obsolete and perhaps even counter-productive. Opponents further argue that restrictions on retention of sensitive financial data – even when encrypted – will thwart recurring payment plans, whereunder consumers provide a payment card number for use by utility companies, mortgage holders, etc. Moreover, opponents argue that it is unfair to impose strict liability on the entity at the source of a breach. While an entity that can show compliance with all the requirements of §1724.4 would be excused “in whole or in part” from this reimbursement obligation, opponents argue that the provision is nevertheless unfair because it requires reimbursement regardless of whether any deficiency actually caused the breach. Thus, a generally compliant party that was deficient in some aspect of its data security would be on the hook, even if the deficiency had nothing to do with the breach, and even a fully compliant party suffering a breach would be liable.

IMPACT ON NEW YORK

Well, so what? California is a long way from here. Based on recent history, there are at least two good reasons why those in New York (and elsewhere) should pay attention to California privacy legislation. The first is that recent California privacy legislation has had an energizing effect on both Congress and other state legislatures. In 2003, California enacted a tough anti-spam statute.[7] As a result, quite soon thereafter — after a good deal of earlier unfruitful deliberation — Congress enacted the CAN-SPAM Act,[8] a more moderate statute that pre-empted tough aspects of the California law. Moreover, California’s enactment of a data security breach notification statute,[9] effective in 2003, has led some 38 other states (including New York) to enact such statutes, and is responsible for several breach notification bills[10] pending in Congress.[11]

The second reason to pay attention is based on economic reality. Many businesses today are national, if not international, in scope. Companies must comply with applicable law wherever they do business. The state data security breach notification statutes that have proliferated over the past four years, by their terms, typically apply to companies, wherever based, that conduct business in the state and possess certain unencrypted personal data of state residents. A law requiring the adoption of more stringent standards in one state thus presents a national company with three legitimate options: (1) adopt those standards across the board; (2) bifurcate[12] the way it handles this matter; or (3) stop conducting business in that state. If the state happens to be California, where one out of every eight U.S. residents now resides, option number three is generally not acceptable; few national companies can afford to exclude California from their territory. Moreover, companies typically strive for efficiency in their efforts to better their competitors. It is often not efficient for an enterprise to bifurcate its treatment of a major aspect of its business; uniform treatment is generally more efficient. And in the financial industry the choice of security standards is clearly a major — indeed critical — aspect of the business. Option number two will therefore be unacceptable to many companies, as well. Thus, the enactment of a statute in one state — especially in California — can lead businesses nationally and even internationally, as a matter of economic reality, to adapt their conduct across the board to the statutory requirements.

David Bender is senior privacy counsel at DLA Piper.

ENDNOTES:

1. The law firm in which the author practices represents a coalition of companies opposed to enactment of this bill.

2. Sensitive authentication data “includes, but is not limited to” the full content of a data track from a payment card or payment device; a card verification code or any value used to verify transactions when the payment device is not present; or a PIN or an encrypted PIN block.

3. 15 U.S.C. §§6801-6809.

4. A narrower Minnesota statute enacted earlier this year requires destruction of sensitive data within 48 hours, and permits financial institutions that issue payment cards to seek reimbursement from merchants responsible for data security breaches.

5. Amendments made to the bill just before passage limited reimbursable costs to those of notification and card replacement; created a compliance exemption; and moved the effective date from Jan. 1, 2008 to July 1, 2008.

6. Where the cost of notification would exceed $250,000, the number of individuals to be notified exceeds 500,000, or the party giving notification lacks sufficient contact information, a less expensive form of notification is permitted. See Calif. Civ. Code §§1798.29(g)(3), 1798.82(g)(3).

7. Cal. Bus. & Prof. Code §§17529, 17538.45 (added by SB 186 (2003), approved 23 Sept. 2003).

8. Pub. L. No. 108-187, 15 U.S.C. §§7701-7713; 18 U.S.C. §§1001, 1037; 28 U.S.C. §994; 47 U.S.C. 227.

9. This California statute is responsible for the almost daily publicity attending the latest large data security breach. Prior to its enactment, very few such breaches were made public.

10. Most observers anticipate enactment of a federal breach notification law.

11. Indeed, a bill to embed PCI in the law was introduced in New Jersey, and another passed the Texas Assembly, only to die in the Senate. And House Financial Services Chairman Barney Frank (D-Mass.) favors merchant liability for financial institution costs resulting from a breach.

12. Indeed, in some instances bifurcation may not be sufficient, as there may be several jurisdictions with varying requirements.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.