Slashdot Mirror


Governator Kills Data Protection Law

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."

16 of 177 comments

  1. Subscriptions by mastershake_phd · · Score: 3, Interesting

    But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
     
    What about automatically recurring bills, like web hosting?

    1. Re:Subscriptions by Attila+Dimedici · · Score: 3, Interesting

      It has been a few years (late 90's) since I worked retail. However, I worked for a retailer that for various reasons people forgot that they had purchased things from with their credit card. The customer would get their bill and see a charge from our store on it. They would call the credit card company and contest the charge. The credit card company would send us a letter asking for the signed receipt for charge against Credit card # xxxx xxxx xxxx xxxx (where the x's were the number on the card) from such and such date. If we did not send it to them within a given amount of time, they would issue a credit to the customer and charge us the amount that we had received against that card. SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  2. "Governator"? Are we in 6th grade here? by Tetsujin · · Score: 4, Insightful

    C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

    --
    Bow-ties are cool.
  3. "Kill" a law? by Jugalator · · Score: 4, Funny

    How does one "kill" a law, really? Bah -- surely, Arnold must have terminated this law.

    --
    Beware: In C++, your friends can see your privates!
  4. Levels of Compliance? by nonsequitor · · Score: 3, Insightful

    Couldn't they redraft the law such that there are several levels of compliance? If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.

  5. Too much effort to comply is not an excuse by ravenspear · · Score: 5, Interesting

    Seems like a lot of companies out there today do not give the proper effort required to make even rudimentary considerations to the security of client data. This reminds me of an experience I had a few weeks ago. This is 100% true. I was sitting in a subway station waiting for a train. I sat down on a bench and noticed a plain unmarked vanilla envelope sitting on the bench next to me. There was no one else around so it was obvious whoever it belonged to had left it. I opened it and discovered it was several pages of customer records for a hotel chain (don't remember which). It had their names, what nights they had stayed, some additional information, and their FULL credit card numbers they had used to pay printed next to the names. I was amazed that someone would just leave this kind of information lying around anywhere for anyone to find.

  6. "It won't be back"? by whoever57 · · Score: 4, Informative
    Perhaps the submitter or editor could refrain from lame jokes when said joke is in conflict with the article:

    Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill.
    --
    The real "Libtards" are the Libertarians!
  7. It's not just a "recall" ... by Slur · · Score: 4, Funny

    ... It's a Total Recall!

    --
    -- thinkyhead software and media
  8. It can be, if you want any small business by Sycraft-fu · · Score: 5, Insightful

    When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

    So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.

    Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.

  9. Re:Too much effort to comply IS an excuse by Harmonious+Botch · · Score: 5, Informative

    I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.

    These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.

    With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

    Laws have consequences. And someday the consequence may be your job.

  10. Re:Too much effort to comply IS an excuse by bjourne · · Score: 4, Insightful

    With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

    That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant. Or you don't have a use for a new employee, which means that $value_of_work less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket the money if the latter is more profitable.
  11. Spelt his name wrong, of course. by Paperweight · · Score: 3, Informative

    Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.

  12. Re:Too much effort to comply IS an excuse by Harmonious+Botch · · Score: 5, Insightful

    Your calculations are overly simplistic.

    You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.

    As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself (yes, there were times when I did 80+ hour weeks). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.

    If I had more disposable income, I would buy more time. (i.e., I would hire an additional person.)

    Furthermore, employees do not exist in a vacuum. They require places to work. And real estate cannot be allocated piecemeal like RAM. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.

  13. Re:Too much effort to comply IS an excuse by khallow · · Score: 5, Insightful

    Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.

    I don't see why it's so difficult for you to understand, if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.
  14. PCI-DSS is not as you describe. by einhverfr · · Score: 3, Informative

    Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

    Then the problem is either with the admins or that the compliance people can't read.

    The PCI-DSS 1.1 states:

    5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)
    Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
    [emphasis mine]

    Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.
    --

    LedgerSMB: Open source Accounting/ERP
  15. Data protection in EU proves Schwarzenegger false by aepervius · · Score: 3, Insightful

    They don't seem to close or kill small businesses in the EU, do they? Last time I looked, the big conglomerates were not the main employer in many countries; small enterprises cover more than 50% of the jobs (66% for France, for example), with an increasing tendency in the last few years (~60% in 1985 for France, up to 66+% today; I took the example of France because this is the first which came up in Google). So REALLY, if data protection law killed small enterprises, we would know by now.
    PS: Although I must admit that there are dissenting voices saying that big enterprises now make up the bulk of the economy, near 51%, if you count small subsidiaries as belonging to the main big enterprise. See the TUC report for the UK, for example.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org