Who should be liable for data breaches?
It’s hard at the moment to come across a story about Target without the words "data breach" being mentioned. Reports have chronicled the company’s missteps and its failure to react to signs that criminals had found a way around its defenses. At the moment, banks and credit card companies are responsible for any losses individuals suffer as a result of data breaches, but if legislation being discussed in California is signed into law, liability would shift to retailers instead.
The proposed legislation, AB-1710, is designed to limit the information that merchants can collect about customers and also to make merchants responsible for losses resulting from breaches. The bill does allow for "liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach."
"Financial institutions should not be taking the heat for a data breach that occurs at a retailer," Assemblyman Roger Dickinson, one of two co-authors of the bill, told the Los Angeles Times.
Retailers oppose the current legislation. Bill Dombrowski, president of the California Retailers Association, said the language in the bill is too broad. "We’ve got a system in place where we allocate costs based on who is responsible for the problem," he told the LA Times.
- AB-1710 Personal information: privacy – California Legislative Information
- Making retailers liable for damages from hacking – Los Angeles Times
- Proposed bill aims to protect consumers’ private information – KTVU
- Bill Would Protect Californians From Data Breaches – California News Service/East County Magazine
Should there be more limits on the type of data that companies can collect about consumers? Should retailers that suffer data breaches be responsible for the resulting losses, or should the banks and credit card companies involved?