Washington Governor Christine Gregoire recently signed HB 1149 into law. Under HB 1149, if a person or entity that meets the definition of a “processor” or “business” fails to take reasonable steps to guard against unauthorized access to credit or debit card account information in its possession, and that failure is found to be the proximate cause of a breach, the processor or business is liable to the financial institution for reimbursement of the reasonable actual costs of reissuing credit or debit cards, even if the financial institution has not suffered an injury as a result of the breach.
The processor or business may also be liable to the financial institution for attorneys’ fees and costs incurred in connection with any legal action. In addition, vendors of card processing software and equipment may be held liable for the damages incurred by a financial institution if the vendor’s negligence was the proximate cause of such damages.
For this purpose, a “processor” is defined as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined below, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.
A “business” is defined, for this purpose, as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington.
Under HB 1149, a “vendor” means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own.
The new law provides for several exemptions. Processors, businesses and vendors that are compliant with PCI Data Security Standards at the time of the breach are not liable to financial institutions. They are considered to be compliant if their PCI data security compliance was validated by an annual assessment, and if the assessment took place no more than one year prior to the date of the breach. In addition, processors, businesses and vendors are not liable if the breach involved encrypted card information.
The new law goes into effect on July 1, 2010.