California Governor Arnold Schwarzenegger has vetoed a legislative proposal that aimed to increase California's data protection standards. The proposed law, AB 779, imposed stronger data protection requirements than the Payment Card Industry Data Security Standard, an industry-created standard for protecting consumer data.

Gov. Schwarzenegger objects to the broad scope of the law and argues that compliance would be excessively costly and burdensome for small businesses. The Governor also argues that the industry is better equipped than lawmakers to evaluate the need for higher standards. "Protecting the personal information of every Californian is very important to me and I am committed to strong laws that safeguard every individual's privacy and prevent identity theft," the Governor wrote in a veto statement. "However, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

Additionally, Schwarzenegger criticized what he perceives as ambiguities in the text of the law itself. "While I support many of the provisions of this bill, it fails to provide clear definition of which business or agency 'owns' or 'licenses' data, and when that business or agency relinquishes legal responsibility as the owner or licensee," Schwarzenegger wrote. The Governor also encourages lawmakers to collaborate with businesses to create "a more balanced legislative approach."

Despite the concerns expressed by Schwarzenegger, AB 779 was immensely popular in the state Senate and Assembly. The state Senate passed it in a vote of 58 to 2 and the Assembly passed it with a vote of 30 to 6. The margins indicate that there's enough support for the legislation for both houses to override the veto.

AB 779 would impose limits on what kind of information companies can retain, prohibit companies without data retention policies from collecting sensitive data, and force businesses to stop storing authentication data after the completion of transactions.

Supporters of 779 question the adequacy of industry standards. Recent Payment Card Industry compliance statistics issued by Visa show that only 40 percent of major retailers are in full compliance. Serious data theft incidents caused by poor security—like the one that took place earlier this year when hackers obtained millions of credit card numbers by infiltrating the wireless network of several TJ Maxx stores—indicate that the industry isn't doing enough.

Schwarzenegger's decision to veto AB 779 will be seen as a disappointment by privacy advocates, some of whom believe that the veto was influenced by industry lobbyists. The need for higher data protection standards is abundantly clear, but the proper solution is less obvious. The legislative approach to ensuring better data security may prove to be expensive for many businesses operating in California, but the cost of neglecting this important issue could be much higher for the citizens of California, especially given that businesses appear incapable of adequate self-policing. If state lawmakers decide to pursue a legislative compromise in response to the veto, they must strive to ensure that data security isn't compromised as well in the process.