Comparing AB 779 and HF 1758 (New Payment Card Data Laws)

California is ready to adopt new legislation regulating the management of credit card data by retail merchants. The legislature has passed Assembly Bill (AB) 779, the so-called Consumer Data Protection Act, and submitted it to the governor for signature. Proponents believe Governor Schwarzenegger will sign the legislation. [Update: He vetoed the bill. But this discussion is still relevant to those thinking about how data security law should and should not be written.]

Similar to Minnesota's HF 1758, AB 779 contemplates that a merchant will reimburse credit card issuers for costs they incur replacing cards after the merchant suffers a data security breach.

Under Minnesota's HF 1758, the reimbursement requirement applies only if the merchant commits the "transgression" of storing card security data or full magnetic stripe data longer than 48 hours after transactions are authorized.

Compare California’s AB 779. Under 779, the merchant can be excused from the reimbursement requirement if the merchant avoids certain "transgressions" such as storing full track data, storing payment verification codes, transmitting unencrypted payment data over the Internet and storing payment information without a proper data retention policy.

Hence, HF 1758 and AB 779 are similar in the way they impose liability. Both laws effectively say a merchant that suffers a data breach must reimburse card issuer costs if the merchant has committed any of the identified transgressions. Further, both laws require reimbursement even if the breach is unrelated to the transgressions.

In other words, this is what the literal words of the Minnesota and California legislatures seem to mean: If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur.

Analysis: This scheme for imposing liability does not seem fair or rational. It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transgressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection.