September 19, 2007
The Honorable Arnold Schwarzenegger
Governor of California
State Capitol
Sacramento, CA 95814
Re: AB 779 (Jones); Personal Information: REQUEST FOR VETO
Dear Governor Schwarzenegger:
On behalf of AeA (American Electronics Association), the nation’s largest high
tech trade group, and our nearly 2,700 high tech member companies nationwide, I
respectfully request that you veto AB 779 (Jones). Most of AeA’s members are
small or medium sized businesses.
With sincere respect to the author and the sponsors, AB 779 is not a privacy
bill, or at least not just a privacy bill. It is instead and in the main a bold
gambit by its influential sponsors to shift the cost of their voluntarily
selected business practices to everyone else, even if the sponsors are in a
better position to absorb such costs; even if there is no proof that their
practices enhance the privacy of consumers; even if the cost shift from a
multi-million dollar credit union or multi-billion dollar financial institution
forever scars the solvency of small businesses and non-profits; even if
businesses, non-profits and the state government complied with the parts of the
bill that do seek to address privacy; even if it could lead to litigation scare
tactics and rip-off scams targeted at small business owners; even if it risks
draining money from the state treasury at the expense of funding other
priorities more urgent and deserving than reimbursing the sponsors; even if
efforts to comply with the bill and avoid liability to the sponsors would be
based more on chance than effort; even if it risks undermining California’s
landmark breach notice law; and even if it places California businesses and any
company or non-profit that does business in California between the rock and a
hard place of complying with static California legal requirements and evolving,
but mandatory, industry standards that bind their operations throughout the rest
of the nation.
AB 779 reaches every California business -- from major high-technology
companies, to sole proprietorships, to corner mini-marts -- and every state
agency or program. All of its provisions would go into effect in 2008, meaning
all of those companies, non-profits, and agencies subject to its provisions will
be potentially liable for failing to comply with it less than a year from now.
Open Ended Liability For No Policy Purpose. AB 779 is sponsored by credit unions
because the measure deals with reimbursing them for the costs of complying with
California’s landmark breach notice law: Civil Code section 1798.29 (state
agencies) and 1798.82 (persons or businesses).
Notwithstanding the fact that these laws are commonly referred to as the “breach
notice” laws, they do not require notices only when personal information is
actually breached - the laws are far broader. They require a notice “if the
personal information was, or is reasonably believed to have been, acquired by an
unauthorized person[.]” (Emphasis supplied)
Thus -- and this is key to understanding the core, non-privacy purpose of the
bill -- breach notices are required by law even if there is no proof at all that
(i) personal information and privacy was compromised or (ii) compromised
information is being used in a way that harms someone’s privacy.
Those that do not own the “personal information” and likely profit far less from
the data – such as those who simply charge a credit card account once – must
notify the owners of the data if there is a breach. “Owners” of personal
information – the ones who likely earn the most money from it such as the credit
unions and banks that issue credit cards – are currently the ones under the
breach law required to provide notice to their customers.
Under AB 779, state agencies, non-profits, and companies that do not “own” the
personal credit card information and who may make tiny, one time sums from using
the data nevertheless “shall be liable to the owner or licensee of the
information” – meaning a credit union or financial institution that issues
credit cards – “for the reimbursement of all reasonable and actual costs of
providing notice to consumers as required by those provisions. Reasonable and
actual costs shall include the cost of card replacement as a result of the
breach of the security of the system.”
Observe that under this definition it is the “owner” who unilaterally gets to
determine the amount of the non-owner’s financial obligation because canceling
credit cards en masse is per se classified as “reasonable,” even if there was no
evidence of any information actually being stolen or misused, even if the owner
is the world’s largest financial institution and the non-owner is a
cash-strapped state agency, non-profit, technology start-up, or corner mini-mart
that rarely takes credit cards as payment.
Moreover, the “cost of card replacement” is not limited to just the cost of the
plastic. Cost will “include” at a minimum such related costs as personnel time,
cost of printing, mailing, apportioned overhead, and the like.
A recent amendment by the author apparently strives to address this obvious
injustice, but fails. If the non-owner can “demonstrate” (with an hourly rate
attorney in court?) that it complied with the privacy mandates in the rest of
the bill such a “demonstration” “may” prevent liability -- not “shall” prevent
liability, “may” prevent liability.
Respectfully, that the sponsors would not approve a “shall” here clearly
demonstrates that this bill is not a privacy bill. If it were, then the sponsors
would have eagerly approved an amendment that without ambiguity motivates
companies, the state, and non-profits to adopt the privacy measures mandated
elsewhere by the bill, backed by the carrot of avoiding reimbursements to
financial institutions. But such an amendment would have made it more difficult
for the sponsors to shift their post-breach notice costs to everyone else –
including the state taxpayer.
As it stands now, this “may” actually undermines compliance with the true (if
misguided) privacy provisions in the bill. It is senseless to spend scarce time
and treasure if you might be liable anyway.
Hence, under AB 779, even if, say, a small bodega owner in Los Angeles or
technology start-up in Silicon Valley does everything in his/her power to comply
with the privacy strictures in the bill and, in fact, does comply, there is
still a chance that he/she could be liable to some of the world’s largest
companies when they decide to cancel credit cards without any proof that
anyone’s data has been compromised.
But it is not just small business owners like the ones that are AeA members that
are at risk. As the Senate Appropriations analysis of AB 779 observed:
“but to the extent the term ‘reasonable and actual costs’ is undefined and there
is no requirement in AB 779 for proof of risk to a consumer's data prior to
owners of the data recouping costs or damages, state costs could be significant.
These costs would vary based on the size of the breach, but assuming replacing a
credit card were to cost $5 and a state agency were to suffer a data security
breach impacting 30,000 records, replacement costs alone would be $150,000, not
including notice requirements and potential response to consumer questions.”
With respect to the author and the sponsor, we suggest that there is not a
compelling public policy reason justifying why credit unions and other financial
institutions should potentially have a mandated point of entry to the state
treasury when other priorities such as improving math and science education,
ensuring technology in every classroom to equalize educational opportunities for
all California children, lowering fees or enhancing science scholarships to our
flagship public universities, investing in cutting edge science and technology,
or improving infrastructure do not.
And please recall: the credit union sponsors are under the bill exempt from the
liability they impose on literally everyone else except those also exempted from
the bill who dropped their opposition in return.
Fewer Breach Notices. Of course, facing an open-ended liability, it is likely
that some state agencies and businesses will simply respond with a stingy -- but
still lawful -- interpretation of when they reasonably believe their data has
been breached, undermining the functional sweep of the landmark, much-copied
breach notice law itself.
The PCI problem. The bill incorporates some parts of mandatory industry
standards called the Payment Card Industry (PCI) standards. These are not
ordinary industry standards. A company that fails to comply could have its
ability to take credit cards terminated.
Recognizing that it would be unjust to treat large and small businesses
identically, PCI standards expressly deal with small businesses differently than
large ones where compliance is concerned. Small businesses are, for example,
allowed to self-certify compliance until they “get up to speed.” AB 779 ignores
this nuance. All businesses are treated the same.
Thus, small business owners who may not read or understand English proficiently,
who may not even know that a bill has been enacted, will be uniquely vulnerable
both to demand letters sent beginning next year based truthfully on the
businesses’ non-compliance with the law and scam artists falsely holding out the
promise of quick compliance. Will the small business owner know that there might
be questions as to whether the letter can be backed up by a plaintiff who has
legal standing under Proposition 64? Should we force small businesses to hire
the lawyers and experts required to “demonstrate” compliance?
Worse, every business in California and every company or non-profit that does
business in California is placed between a rock and a hard place by AB 779. As
the Senate Appropriations Committee analysis pointed out: “Compliance with PCI's
standards is compulsory for all merchants who accept participating credit cards,
but the standards were established voluntarily and are not in federal law or
regulation. The committee may wish to consider the potential impacts of changes
to the PCI standards by the PCI Council in the future and how, if AB 779 were to
become law, state agencies and businesses would manage conformity with a
codified standard versus an industry one if they are at some point out of
synch.”
Odd Double Standard For California Businesses. Observe that the entities that
are most likely to be treasure troves for identity thieves (credit unions and
other financial institutions, insurance companies, brokerage houses) are exempt
from the more detailed and prescriptive notice requirements of the bill. Hence,
under the bill, mom and pop grocers, gardeners, small web-based retailers, and
the like will, if they take credit cards, have more onerous breach notice
requirements burdening them even though they have less sensitive data than the
sponsors. Likewise, consumers will get the most information from those least
likely to have it.
Compliance Based On Luck Not Effort. Basic fairness requires that if a new
open-ended financial obligation is going to be placed on state taxpayers,
non-profits, and small businesses, the law be sufficiently clear so that
they can decisively act to prevent liability. But many of AB 779’s key statutory
terms are both vague and undefined, making compliance a matter of luck and not
devoted effort.
Here are just two examples: The bill prohibits “storage” of “sensitive
authentication data.” But, what does “store” mean? How long must electronic data
be captured to qualify as “storage”? Does, say, the merchant’s retention of copies
of credit card purchases qualify as “storage”? “Sensitive” is likewise not
defined (“includes but is not limited to…”). The “including but not limited to”
means that businesses that want to comply cannot predictably avoid acting
illegally because they are not told which data is “sensitive” and which is not.
For all these reasons, AeA respectfully asks that you veto AB 779.
Sincerely,
Roxanne Gould
Senior Vice President
California Legislative and Public Affairs
This page was last updated on 10/15/07.
Copyright © 2007 American Electronics Association. All rights reserved.