Minnesota Paves the Way to Making Retailers Pay More For Data Losses

Carl Weinschenk

Several states are on the road to joining Minnesota in taking a particularly hard stance against retailers who lose customer data.


Late last month, the California Senate Judiciary Committee approved AB 779 which, if it becomes law, will compel retailers to reimburse credit unions and banks for costs associated with data breaches, according to this ComputerWorld story. The piece says that retailers accepting credit and debit card payments won't be able to store certain types of information and will be mandated to use strong encryption and access controls during data transmission. The bill now moves to the state's Senate Appropriations Committee, where hearings are expected before the end of next month.


The rest of the story outlines the obstacles the bill faces before it becomes law. It must pass appropriations, the full Senate and be signed by Governor Schwarzenegger. Not surprisingly, the bill faces strong opposition from the National Retail Federation. The tone of the story suggests that there is a good chance that the measure will becomes law, however.


The California initiative comes as a retail data breach statute takes effect in Minnesota. On August 1, a law will goes into effect that is similar to California's AB 779. This post at the Privacy and Security Law Blog provides the details in a way that one would expect a blog run by a bunch of lawyers (Davis Wright Tremaine LLP) to explain things. The post says that Texas, Connecticut, Illinois and Massachusetts also are considering laws in this area.


It seems likely that state-by-state initiatives will continue. At least in some circles, the idea of federal standards is being discussed. This piece, posted at the Heartland Institute, covered the National Conference of State Legislatures' Spring Forum in April. A representative of The Presidential Task Force on Identity Theft said that national standards should be adopted to protect data and promptly notify potential victims when such data is lost.


This InfoWorld piece, a report on the Authentication and Online Trust Alliance Summit in Boston, also in April, says that state attorneys general likewise are grappling with the state-versus-federal issue. At the meeting, Massachusetts Attorney General Martha Coakley said that a stricter nationwide laws would be a good thing, though she is concerned that a federal preemption would interfere with state-level enforcement.


Of course, the biggest news in retail data theft during the past year was the huge loss by TJX Companies, owners of TJ Maxx, Marshalls and other stores. According to InformationWeek, the company reported $20 million in charges related to the theft. This number is bound to grow as lawsuits come to fruition and other costs come due. However, if the new series of laws were in place, that losses to the company would be far steeper.

Add Comment      Leave a comment on this blog post
Oct 5, 2007 4:15 AM Benjamin Wright Benjamin Wright  says:
In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute "sensitive authentication data" that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)'s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. See detailed analysis at hack-igations.com --Benjamin Wright, Dallas, Texas Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.