BILL ANALYSIS



                                                                  AB 1677
                                                                  Page  1

          Date of Hearing:   May 8, 2007

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                  Dave Jones, Chair
                    AB 1677 (Calderon) - As Amended:  May 2, 2007
           
          SUBJECT  :  Internet Transactions: Verification 

           KEY ISSUE  :  Should businesses that provide banking and other  
          financial services over the Internet be required to implement  
          and maintain reasonable policies and procedures for verifying  
          the legitimacy of internet transactions?

                                      SYNOPSIS

          This bill would require a business that provides banking or  
          other financial services over the Internet to implement and  
          maintain reasonable policies and procedures for authenticating  
          the legitimacy of a consumer transaction on the Internet.   
          According to the author, this bill is needed in order to help  
          prevent identity thieves from wrongfully accessing someone  
          else's financial accounts in order to make unauthorized  
          transfers or purchases.  Although existing law makes this form  
          of identity theft a crime, it does not impose any obligation on  
          the business to verify that the person attempting to make the  
          transaction is in fact who he or she purports to be.  Existing  
          state and federal law imposes various restrictions on the use  
          and disclosure of customer information, but it does not  
          expressly prescribe authentication procedures for Internet  
          transactions.  This bill would not prescribe such standards  
          either; instead, it would require the business to implement its  
          own authentication procedures and hold it liable if it fails to  
          comply with those procedures.  Most of the registered opposition  
          to this bill concerned a "safe harbor" provision stating that a  
          business could demonstrate reasonableness by confirming the  
          transaction with a real time, out-of-band communication (e.g. a  
          phone call).  The author amended the bill to remove this  
          provision, but opponents still express concerns about the  
          precise language of the bill and the fairness of the civil  
          penalties.  However, the author has indicated to the Committee  
          that the current version of this bill addresses the opponents'  
          major concerns and that the author is committed to addressing  
          their remaining concerns, if indeed the Committee decides that  
          the bill should move to the floor of the Assembly. 

          In order to provide more guidance to businesses, the Committee  
          recommends that this bill be amended to reference the federal  
          guidelines for Internet authentication. 

           SUMMARY  :   Requires a business that provides banking and other  
          financial services over the Internet to implement policies and  
          procedures for authenticating the legitimacy of Internet  
          transactions.  Specifically,  this bill  :  

          1)Requires a business that provides banking or other financial  
            services over the Internet to implement and maintain  
            reasonable policies and procedures for authenticating and  
            verifying the legitimacy of a consumer transaction over the  
            Internet. 

          2)Provides that a business that fails to conduct an Internet  
            transaction with a consumer in compliance with its required  
            policies and procedures may be subject to a civil penalty in  
            the amount of $3000.  

          3)Provides that any customer injured by a violation of this bill  
            may institute a civil action to recover damages. 

           EXISTING LAW  : 

          1)Makes it unlawful to knowingly access and, without permission,  
            alter, damage, delete, destroy, or otherwise use any data,  
            computer, computer system, or computer network to (1) devise or  
            execute a scheme to defraud or extort, or (2) wrongfully control  
            or obtain money, property, or data.  (Penal Code Section 502.)

          2)Makes it unlawful to willfully use someone else's personal  
            identifying information for an unlawful purpose, including to  
            obtain or attempt to obtain credit, goods, services, or  
            medical information in the name of the other person without  
            that person's consent.  (Penal Code Section 530.5.) 

          3)Requires a business that owns or licenses personal information  
            about a California resident to implement and maintain  
            reasonable security procedures and practices in order to  
            protect the personal information from unauthorized access,  
            use, modification, or disclosure.  (Civil Code Section  
            1798.81.5.)

          4)Requires commercial Web site operators and online services  
            that collect personally identifiable information about  
            California residents to conspicuously post their privacy  
            policy on their Web site, or in the case of an online service,  
            to make that policy available to the public.  (Business &  
            Professions Code Section 22575.) 

          5)Requires banks, savings associations, and credit unions to  
            verify the identity of customers opening new accounts.  (See  
            e.g. 31 CFR Section 103.121, implementing section 326 of the  
            USA PATRIOT Act, 31 USC Section 5318(l).) 

          6)Requires banks and savings associations to safeguard the  
            information of persons who obtain or have obtained a financial  
            product or service to be used primarily for personal, family,  
            or household purposes, with whom the institution has a  
            continuing relationship.  (See Interagency Guidelines  
            Establishing Information Security Standards, implementing  
            section 501(b) of the Gramm-Leach-Bliley Act, 15 USC 6801.) 

           FISCAL EFFECT  :   As currently in print this bill is keyed  
          non-fiscal.

           COMMENTS  :   According to the author, this bill will impose  
          penalties and liability on businesses that provide banking and  
          financial services on the Internet if they fail to take  
          reasonable steps to prevent criminal activity, "particularly in  
          high value Internet [financial] transactions."  This bill is  
          roughly modeled after existing state laws that require  
          businesses to implement reasonable security procedures to  
          safeguard their customers' personal information.  (Civil Code  
          Section 1798.81.5.)  Similarly, this bill would require a  
          business that provides on-line banking or financial services to  
          implement procedures to verify the legitimacy of certain  
          consumer transactions on the Internet.  In addition, this bill  
          would provide that a civil penalty of $3,000 may be imposed on a  
          business that fails to conduct an Internet transaction in  
          compliance with its verification policies.  Finally, this bill  
          also states that any customer injured by a fraudulent  
          transaction, where the business had failed to act in compliance  
          with its policy, could bring a civil action to recover damages.   

          Existing law makes it a crime to commit "identity theft," which  
          is generally defined as using the identity or personal  
          information of another in order to obtain credit, goods, or  
          services in the name of another.  (Penal Code Section 530.5.)   
          More specifically, existing law makes it a crime to knowingly  
          use a computer or any computer network to wrongfully control or  
          obtain money, property, or data.  (Id. Section 502.)  However,  
          the author contends, there are no existing laws that expressly  
          require a business to take reasonable steps to verify and  
          authenticate the legitimacy of an Internet consumer transaction.  

          Instead, the Federal Financial Institutions Examination Council  
          (FFIEC) issues only voluntary guidelines.  (The FFIEC is an  
          inter-agency council made up of members from the Federal Reserve  
          Board, the Federal Deposit Insurance Corporation (FDIC), National  
          Credit Union Administration (NCUA), and the Office of the  
          Comptroller.)  The FFIEC guidelines recommend a variety of customer verification  
          techniques, including passwords, security questions, smart  
          cards, biometrics, and "out-of-band" authentication (i.e.  
          verification through some means other than an Internet  
          transmission, such as a follow-up phone call).  (See FFIEC,  
          Authentication in an Internet Banking Environment, in FDIC,  
          Financial Institution Letter FIL-103-2005, October 12, 2005.)   
          Presumably, these guidelines could provide a framework for a  
          business seeking to comply with the requirements of this bill. 

           ARGUMENTS IN SUPPORT  :  According to the author, "there is  
          currently no effective law governing the standard of care  
          required of service providers when confirming Internet  
          transactions."  The absence of such laws, the author contends,  
          "leaves a glaring hole in the State's attempt to provide  
          comprehensive consumer fraud protection."  The author contends  
          that "existing crime prevention measures are ineffective at  
          dealing with the fast growing criminal industry of using  
          another's personal information to enter into high value Internet  
          transactions."  This bill, the author argues, will require  
          businesses that offer such services to implement and maintain  
          standards and procedures that offer reasonable protections  
          against financial fraud and identity theft.  This bill does not  
          mandate the particular standards or procedures that must be  
          implemented; instead, it places the burden on businesses to  
          develop their own reasonable procedures and then holds them  
          liable if they fail to comply with them.  According to the  
          author, this will allow the business to "make their own  
          cost-benefit determination with regards to their level of care  
          in each transaction."  

           Concerns  :  Several associations representing the financial,  
          insurance, business, and Internet sectors opposed this bill  
          before its most recent amendments, and many still express  
          concerns.  Prior to the most recent amendment, this bill would have  
          required a business to use "reasonable care" to confirm the  
          legitimacy of Internet consumer transactions and provided a  
          "safe harbor" provision by which a business could satisfy the  
          reasonable care requirement by confirming the transaction with  
          an "out of band real time identity verification."  In plain  
          language, the business could demonstrate reasonable care by  
          making a phone call prior to, or simultaneous with, the  
          completion of the Internet transaction.  Opponents argued that  
          whether the out-of-band method was a requirement or a safe  
          harbor, it would seriously interrupt e-commerce if a phone call  
          had to be made prior to every Internet transaction, no matter  
          the value of that transaction.  Also, by favoring a single  
          method of authentication (out-of-band) it might create a de  
          facto standard that might not be the most secure or effective in  
          all situations.

          Although the author deleted the safe harbor provisions to  
          address these concerns, the opponents continue to raise other  
          objections to the bill.  In particular, the opponents "question  
          whether civil fines are appropriate when the bill lacks any  
          recognition of the obligation for consumers to protect sensitive  
          information in their own possession."  Opponents claim that  
          consumers often "voluntarily provide their financial passwords  
          to other parties or fail to adequately protect their computers  
          from fraud."  As such, opponents claim that "this bill fails to  
          recognize the shared responsibility of the consumer in  
          conducting online financial transactions."

          Despite these concerns, the author has informed the Committee  
          that he has met with the opponents and is committed to  
          addressing their concerns as the bill moves forward.   

          It is important to note that the bill does not appear to impose  
          very stringent requirements on a business that provides Internet  
          banking or financial services.  It requires businesses to  
          implement their own policies and procedures, but does not  
          specify what those policies and procedures must be.  On the  
          other hand, this lack of specificity is not unprecedented.  As  
          noted in the analysis, Civil Code Section 1798.81.5 similarly  
          requires certain businesses to implement and maintain reasonable  
          security procedures and practices in order to protect any  
          personal information contained in customer records.  Like this  
          bill, it imposes a civil penalty if the business fails to comply  
          with those procedures.  This bill tracks that statute and  
          applies it to authentication of Internet consumer transactions. 

           Possible Amendment  :  In order to provide more guidance to  
          businesses that must comply with this bill and ensure that  
          policies and procedures adopted will provide more effective  
          authentication techniques, the Committee may wish to ask the  
          author whether he is open to amending the bill as follows:

          After subdivision (a) insert new subdivision (b) which reads as  
          follows:

          (b) The policies and procedures that a business implements  
          pursuant to subdivision (a) shall, at a minimum, be consistent  
          with current best industry practices, including, but not limited  
          to, those issued by the Federal Financial Institutions  
          Examination Council or the relevant Recommended Practices of the  
          California Office of Privacy Protection once they are  
          promulgated and made public. 

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          None on file

           Opposition (to pre-amended version)
           
          Association of California Insurance Companies
          California Bankers Association 
          California Chamber of Commerce
          California Financial Services Association
          California Mortgage Bankers Association 
          Capital One
          Internet Alliance 
          Investment Company Institute 
          Securities Industry Financial Markets Association 
          State Farm 
           

          Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334