Governator Wants to Plug Up Holes – Unless You Have Encryption.

It looks like businesses in California and, if history is any guide, the rest of the United States may soon have a real incentive to take a hard look at their security policies (what starts in California tends to spread to the rest of the country).  A bill in California would force retailers to reimburse banks and credit unions for the cost of breach notifications and credit card replacements.  All it needs now is the signature of California Governor Arnold Schwarzenegger.  Many people have pointed out that retailers have little incentive to be more careful with customer data despite the ongoing spate of data breaches.  Yes, the ensuing public relations nightmare is enough to make some companies review how they protect their data.  However, the direct costs borne by credit card companies and other financial institutions after a breach dwarf the harder-to-quantify PR damage.  If this bill becomes law in California, and similar ones pass in other states, an immediate and direct financial burden that has not existed until now will land on the parties responsible for the breach. 

However, retailers will have a way to avoid liability: proving that they are in compliance with state data security laws.  This is a strong incentive for retailers to start closing any security holes across their organizations, especially since the cost of a data breach is already rising sharply even before the reimbursement costs described above are added on.

Will the Governator sign this bill?  I'd imagine so.  It's backed by him.

The bill also requires full disclosure of the details of any breach, including what type of personal data was compromised, and limits the long-term retention of the authentication data found on credit cards (such as the full magnetic-stripe track data and card verification codes). 

It sounds like data security companies can expect a great deal of business for some time to come.  Judging by the latest string of breaches reported in the media, mobile device encryption and port control (which lets an administrator restrict which devices can connect to a computer) will probably be in demand, and may even become necessary by law. The good news for retailers is that the law, once approved, would not take effect until July 2008, which gives them plenty of time to do some research and put policies in place to plug the holes.
