Who should be responsible for paying for the costs of data breaches?

Reacting to the recent high-profile security lapses at major retailers, California lawmakers are considering a bill that would shift the burden of dealing with a data breach—and the costs—off the shoulders of banks and card issuers.

Under the current framework, credit card companies and banks generally carry the initial burden of any financial losses resulting from a cyber attack or hack, such as replacing cards or providing credit monitoring services. AB 1710 would shift that responsibility to the businesses where the breach occurred—Target, for example.

“Financial institutions should not be taking the heat for a data breach that occurs at a retailer,” Assemblyman Roger Dickinson (D-Sacramento), chairman of the Assembly Banking and Finance Committee and coauthor of the bill, told the Los Angeles Times. Coauthor Assemblyman Bob Wieckowski (D-Fremont) chairs the Assembly Judiciary Committee.

Under their proposal, the source of the breach would be required to notify affected California residents within 15 days and “offer to provide appropriate identity theft prevention and mitigation services” at no cost for a two-year period. All associated costs, such as paying for card replacements, would be shouldered by the business.

The proposed law also contains provisions intended to reduce the fallout if a breach should occur. Pursuant to the bill, businesses that accept credit or debit cards would be prohibited from “storing, retaining, sending, or failing to limit access to payment-related data” including the contents of a payment card’s magnetic stripe or the card verification code subsequent to an authorization. In addition, the sale of Social Security numbers would be banned.

Violations of AB 1710 could result in civil penalties of $500 per violation, or up to $3,000 for each willful, intentional or reckless violation.

While Dickinson and his co-sponsors are backed by privacy advocates and consumer groups including Privacy Rights Clearinghouse, retailers have already promised to fight the bill.

“It’ll be a fight, a tough fight,” Bill Dombrowski, president of the California Retailers Association, promised the Los Angeles Times.

The bill is currently being considered by the Assembly Judiciary Committee.

Why it matters: The legislation is music to the ears of banks and card issuers, who currently cover the costs when a data breach occurs. But the bill faces a serious challenge from the retail industry, with groups such as the California Retailers Association speaking out in opposition.