SACRAMENTO — Personal information collected from credit card shoppers would be better protected by upgrading the country's entire payment system to technology that has dramatically reduced fraud in Europe.
That was the consensus of a group of retailers, bankers, credit card companies and consumer advocates at a legislative hearing Tuesday.
Legislators delved into the causes of a recent hacking of about 70 million computerized customer records at
Bill Dombrowski, president of the California Retailers Assn., predicted that much fraud would be eliminated after October 2015, when all the players in the national credit card and payments industry have agreed to switch to a chip-and-PIN system, the current international standard in Europe and elsewhere.
The method uses computer chips embedded in cards, instead of magnetized stripes. Security is augmented by giving the shopper a PIN, or personal identification number, such as those linked to bank debit cards.
"It's time to move to chip-and-PIN technology," Dombrowski said. "Cards should be smarter and use dynamic data rather than magnetic stripes."
According to a briefing paper by the Assembly Judiciary Committee, U.S. credit card fraud jumped 87% from 2010 to 2013, creating an estimated $6 billion in losses.
But in some parts of Europe credit card fraud has plummeted by as much as half since 2009, said Norma Garcia, a lawyer with Consumers Union's West Coast office in San Francisco.
California, which includes a right to privacy in its state constitution, has been a leader in dealing with breaches of personal information. In 2002, lawmakers adopted the nation's first data-breach notification law. Since then, every state except Alabama, Kentucky, New Mexico and South Dakota passed similar legislation.
But just notifying customers that they were — or might have been — victims of information thieves isn't enough, critics contended Tuesday.
Jamie Court, the president of Consumer Watchdog, a Santa Monica advocacy group, urged lawmakers to make breach notification more immediate. Additionally, he called for creating penalties on retailers or other responsible parties whose negligence allowed privacy breaches to occur.
Court also wants to give victims the right to sue for financial damages. "If you don't make corporations pay when they violate your privacy, your privacy is going to be violated," he said.
Dombrowski of the retailers association dismissed Court's allegation that retailers don't face financial costs from privacy breaches. Target's liability from the recent incident, he said, is estimated at $1 billion.
Better card technology is just one of the potential tools to combat privacy breaches, witnesses said. Improved encryption of personal information plus tighter and modernized state and federal laws also are needed.
Personal information kept by businesses should be limited only to what's needed to complete a commercial transaction. And even that data should be purged once it's no longer needed, they contended.
With that in mind, privacy and consumer groups are backing a bill, SB 383, by state Sen. Hannah-Beth Jackson (D-Santa Barbara). The amended measure, in the Assembly, would require businesses to make sure that some customer information is used solely for fraud deterrence. Businesses would be required to destroy the information in a secure manner once it's no longer needed for those purposes.
Making businesses collect information needed only to complete a transaction is a good first step, said Lenny Goldberg, a lobbyist for the Privacy Rights Clearing House.
But even if no bill emerges this year from the Legislature, the hearing and the ongoing prospect that more and larger data breaches occurring have educational value, he said.
"We expect people to come to some understanding about how bad this is," Goldberg said.