California Gov. Arnold Schwarzenegger has vetoed data breach notification legislation for the second time in the last year.
The bill, dubbed the Consumer Data Protection Act, would have required retailers that take card transactions to disclose more detail about any data breach. Schwarzenegger's veto comes after the bill--AB 1656--handily passed in California's State Assembly and Senate.
From the bill:
Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This bill would require that notification to the owner or licensee of the information to include, among other things, a description of the categories of personal information that were, or may have been, acquired, a toll-free or local telephone number or e-mail address that individuals may use to contact the agency, person, or business, and the telephone numbers and addresses of the major credit reporting agencies. If the owner or licensee of the information is the issuer of the credit or debit card or the payment device, or maintains the account from which the payment device orders payment or is an agency required to give notice of a security breach, as specified, the bill would require the owner or licensee to disclose the same information to the California resident in plain language, as specified.
Schwarzenegger shot down the bill and in a notice said:
Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means. However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state.