Data Protection Bill killed in California
Just last week, I wrote on the Canadian government's move to improve privacy protections. This week the news is about Arnold Schwarzenegger vetoing a data protection bill in California. The bill tried to outdo PCI DSS, which some retailers are already balking at.
From eWeek:
The bill included a ban on sensitive consumer data information except when the merchant has a payment data retention and disposal policy, "which limits the amount of payment related data and the time that data is retained to the amount," according to the bill. But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
The governor argued that this would drive up the cost of compliance and possibly create conflicts between the competing standards. That's true, but a balance can and should be found, and the governor seems to be open to alternative measures. I think his reasoning is flawed at one point when he says:
The governor argued that "the industry"—presumably a reference to credit card companies and the PCI Council—is in a better position to know what is realistic and reasonable for credit card security.
There is no single, monolithic "industry" that has a single vision of what is best for credit card security. There are competing interests trying to shift responsibility and liability for potential breaches. The government may need to step in and balance the disproportionate distribution of influence in the credit card/retail market.
This issue shouldn't be considered over, and government does have to play a role in finding a balanced solution.