Like many other things in life, the legislative process often mystifies me. But the one thing that is clear is that the outsized influence of special interest groups and lobbying organizations has in many ways reduced the task of getting a bill signed into law to a simple numbers game. He who has the most influence (read: money and favors to hand out) wins. The Schoolhouse Rock depiction of bills becoming laws isn’t so accurate these days.
It would be hard to find a better example of this filthy process than Gov. Arnold Schwarzenegger’s veto of a California bill that would have prevented retailers from storing payment data if they didn’t have a valid retention and disposal policy. The bill also would have required merchants that compromise customer data to shoulder some of the financial burden by paying customers a reasonable restitution. Makes a lot of sense. Only trouble is that Schwarzenegger takes a dim view of anything that could possibly cost his friends in the business community money. His rationale for vetoing the bill was that the PCI DSS regulations already have this problem solved.
“This bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,” Schwarzenegger said in a statement. “This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses.”
Apparently no one told the governor that PCI DSS is NOT working. The threat of sanctions from credit card companies just doesn’t carry the same weight as legal penalties do. The bill’s sponsor, California Assemblyman Dave Jones, didn’t bother trying to hide his disgust with the veto.
“Big business, hackers and ID thieves won today and consumers and common sense lost,” Jones said in a statement. “I’m shocked and disappointed that the Governor thinks our personal information should be left out in the open for identity thieves and hackers to pilfer. If your slack security leads to a data breach then you ought to pay for what you caused – ‘you broke it, you bought it,’ as retailers like to say. How could anybody disagree with this, let alone the Governor?”
Indeed. It takes a special person to ignore the logic of the sanctions in Jones’ bill, and, sadly for Californians, Schwarzenegger is just such a man.