California may soon pass a law that holds merchants liable for data breaches. The bill (A.B. 779) would make merchants responsible for the "reasonable and actual costs" of a breach, including the costs of notifying affected customers and of replacing compromised credit cards.

The bill was proposed in response to large data breaches at companies such as TJX. It has cleared the California Senate Judiciary Committee but has not yet been enacted. Minnesota is currently the only state with a merchant breach liability law.

The premise of the law is worth examining. It would make the merchant, as the third party handling the card data, bear the brunt of the costs of a breach. A merchant may be directly responsible for a breach without being solely responsible: the security practices of both the merchant and the business whose customer data it handles may be at fault, and a law that shifts the costs onto merchants could let those businesses avoid responsibility for their own failings.

An effective security policy covers not just the company itself but every merchant it deals with. A business should make agreement to the terms of that policy (whether encryption, laptop recovery software, password protection or security training) a condition of doing business. Passage of this law could have wide-ranging implications for businesses, merchants and other third parties.

Via CSO Online
