The explosive growth of e-commerce has spawned hundreds of data security bills in the last several years, as state legislators have struggled to find ways to protect consumers’ sensitive financial information online. Often, these proposals contradict one another. For example, states have considered bills requiring that online sellers retain sensitive personal or financial information, while other bills have demanded that such information not be kept.

This 2008 session, the Direct Marketing Association’s (DMA) Internet Alliance expects several states to consider an approach first offered by the Payment Card Industry (PCI) last year.

Last August, Minnesota became the first state to enact the "Plastic Card Security Act," which prohibits a company from retaining credit card security code data, the PIN verification code number, or the full contents of any track of magnetic strip data.

The new law was intended to target retailers who store this type of data in violation of the PCI standards, making it a crime for them to retain a credit card holder’s PIN number longer than 48 hours after authorization of their transaction.

Similar bills are pending in California, Illinois, Maryland, Massachusetts, Michigan, Minnesota, Pennsylvania, Washington, and Wisconsin.

The Internet Alliance views this type of legislation as unnecessary, as it duplicates industry standards that already require merchants to purge sensitive credit and debit card information from their systems.

Moreover, these bills would force card issuers and processors to invest in compliance technology and training or face crippling consequences from state government, including heavy fines.

Illinois SB 1675, Maryland HB 129, Massachusetts HB 213, Michigan SB 1022, Washington HB 2838, and Wisconsin AB 745, for example, all contain liability provisions that would allow banks or financial institutions to sue retailers to recover costs arising from a data security breach.

Closely monitoring all 44 states that are in session this year, the Internet Alliance will actively oppose these and similar bills. DMA believes the measures would do little to improve data security, and would significantly expand wasteful, frivolous security-breach litigation.

The bills would require businesses to reimburse multi-billion dollar credit unions for credit card-related expenses, even when those credit unions make an enormous profit on Their credit card operations. The reimbursement provision only encourages credit unions to continue their practice of unnecessary card replacement, instead of implementing responsible fraud prevention and detection practices.

# # #