It's hard at the moment to come across a story about Target without the words "data breach" being mentioned. Reports have chronicled the company's missteps and its failure to react to signs that criminals had found a way around its defenses. Currently, banks and credit card companies are responsible for any losses individuals suffer as a result of data breaches, but if legislation being discussed in California is signed into law, liability would shift to retailers instead.
The legislation being proposed, AB-1710, is designed to limit the information that merchants can collect about customers and also make them responsible for losses resulting from breaches. The bill does allow for "liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach."
"Financial institutions should not be taking the heat for a data breach that occurs at a retailer," Assemblyman Roger Dickinson, one of two co-authors of the bill, told the Los Angeles Times.
Retailers oppose the current legislation. Bill Dombrowski, president of the California Retailers Association, said the language in the bill is too broad. "We've got a system in place where we allocate costs based on who is responsible for the problem," he told the LA Times.
Who should assume the major responsibility for losses as a result of data breaches?