California lawmakers taking steps to protect consumer data
by Fenit Nirappil, Associated Press
California lawmakers are trying to strengthen consumer data protections as businesses profit from the trove of details they collect and criminals become ever more sophisticated in trying to steal it.
Bills introduced this session seek to guard the information generated when Californians swipe credit cards at stores, drive vehicles and attend schools. The most notable initiatives have been gutted and defeated in the face of fierce opposition from powerful business groups.
“We are winning small, bite-size kinds of fights,” said Richard Holober, executive director of the Consumer Federation of California. “But when it’s about the core profit motive of high tech companies, wins will only really occur when there’s a voter revolt.”
The sometimes nebulous world of consumer data hit home last holiday season for tens of millions of Target and Neiman Marcus customers whose phone numbers, addresses and credit card numbers were breached. That sent customers scrambling to reset credit cards and automatic payments and to monitor their credit scores.
“Everybody wants to go to the store and buy things instantaneously, so you don’t want to crush that advancement in tech,” said Assemblyman Bob Wieckowski, D-Fremont, who held a hearing in February on how to respond to data breaches. “On the other hand, we’ve got to take a step back from this wild, wild West.”
Wieckowski and Assemblyman Roger Dickinson, D-Sacramento, introduced AB1710 in response to the data breaches. It would have set new standards and restrictions on retailers that keep customer data and held those who do not comply liable for the costs of a breach. But those provisions have been gutted after business groups warned against enshrining constantly evolving technology standards into law.
“Data breaches are now a fact of life, and retailers are not the only one facing them,” said Bill Dombrowski, executive director of the California Retailers Association.
The state attorney general’s office reports that 300 separate data breaches during the past two years exposed the personal information for more than 20 million Californians. More than 7 million Californians were affected by the Target breach alone.
The bill, which is headed for a floor vote, still requires retailers, in addition to financial institutions, to notify customers of a breach and provide credit monitoring services.
“Just because you can’t solve an entire problem doesn’t mean you can’t solve part of it,” Dickinson said.
Bills have until the end of May to pass between the Assembly and Senate.
In the Senate, SB994 by Sen. Bill Monning, D-Carmel, tried and failed to pre-emptively deal with vehicles that collect data recording drivers’ routes, speeds and habits. His office said about one in five vehicles has such technology and that it is on track to become universal within a decade.
His bill would have required manufacturers to disclose to customers what data the vehicles collect and choose who gets access to it, such as repair shops.
Vehicle manufacturers launched an aggressive campaign against the bill, arguing the automobile clubs sponsoring it had an ulterior motive to use the data to help affiliated repair shops and insurers. The bill died in committee when seven lawmakers of both parties abstained from voting.
“The question and balancing act is, ‘Are people voting in the best interest of constituents or in reaction to the massive power of industry?’” Monning said in response to the bill’s defeat.
But his legislation also did not have the backing of consumer advocacy groups that want greater privacy protections. Rob Stutzman, who represented the Alliance of Automobile Manufacturers in the fight against the bill, said the Target and Neiman Marcus data breaches resonated with lawmakers about why they should oppose the bill.
“What people really want is data security,” he said. “If you allow any third party to basically be able to receive a car’s data, you have a potential for a huge compromise.”