The Consumer Data Protection Act (AB 1656; PDF) has been put before California’s Governor Arnold Schwarzenegger once again. He vetoed the bill in October 2007, saying the costs for merchants would have been prohibitive. He said that the bill had the “potential for California law to be in conflict with private sector data security standards.”

The bill has now been amended, approved by the Senate by a 74-1 margin, and is headed back to the Governor’s desk for approval. The Consumer Data Protection Act would require that retailers:

  • Take more stringent protection measures
  • Notify consumers about data breaches (provision to reimburse financial institutions for cost of breach removed from the bill)
  • Specify a date range when the data breach was thought to have occurred
  • Not store certain types of cardholder data, even if encrypted
  • Develop data retention & disposal policies
  • Encrypt data transmissions

Given that the financial reimbursement provision has been lifted, it is a much more conservative bill. Still, it is unclear whether Governor Arnold Schwarzenegger will reiterate his desire for added security measures to be the responsibility of private governing bodies rather than mandated by law. Analysts suspect the bill will be approved and that California will lead the way toward other states adopting similar statutes.

Minnesota is currently the only state with a law such as this; its Plastic Card Security Act is stricter than the proposed California bill.

In other security news, Roger Grimes has a very thorough analysis of Google’s new open source browser, Chrome, here.

Hat tip to PogoWasRight; via ComputerWorld
