Washington state recently amended its data breach statute to allow financial institutions to recover their costs related to the reissuance of credit/debit cards from large businesses, processors and vendors who were negligent in maintaining or transmitting card data. The amendments establish a “safe harbor” if the data was encrypted or if the organization was certified compliant with the payment card industry data security standards (PCI DSS) within a year of the breach.
The amendments take effect July 1, 2010, allowing organizations an opportunity to revise their data security practices to fall within the safe harbor provisions.
Scope of the amendments—large businesses, processors and vendors
The amendments apply to:
- Businesses selling goods or services to Washington residents that process more than six million credit card and debit card transactions annually (“business”);
- Payment processing service providers (“processor”);
- Vendors of software and equipment designed to process, transmit or store account information; and
- Vendors that maintain account information for third parties, who are negligent in maintaining or transmitting card data.
Requirements of liability
If a processor or business:
(i) fails to take reasonable care to guard against unauthorized access to account information that is in its possession or under its control, and
(ii) the failure is found to be the proximate cause of a breach, the processor or business is liable for reimbursement of reasonable actual costs related to the reissuance of credit/debit cards that are incurred by the financial institution (“damages”) to mitigate potential current or future damages to its card holders that reside in the state of Washington.
A vendor is liable to a financial institution for its damages to the extent that:
(i) the damages were proximately caused by the vendor’s negligence, and
(ii) the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party.
Businesses, processors and vendors are not liable to financial institutions for damages that result from a data breach if:
(i) the account information was encrypted at the time of the breach, or
(ii) the business, processor or vendor was certified within the prior 12 months as being compliant with the applicable PCI DSS.
The legislation provides that a business, processor or vendor will be considered compliant if its PCI DSS compliance was validated by an annual security assessment within one year of the date of the breach.
Legislators focus on data security
Washington’s amendment to its data breach law evidences the increased focus of legislators on data security and preventive measures. Indeed, the Massachusetts Regulations, effective March 1, 2010, are to date the most comprehensive data security requirements under state law. The Regulations require businesses that own or license personal information about Massachusetts residents to implement and maintain a comprehensive written information security program.
Minnesota was the first state to respond to the growing number of credit card breaches with the enactment of the Plastic Card Security Act in 2007. The act prohibits merchants with customers in Minnesota from storing sensitive authentication data after a transaction is authorized. Organizations violating the law face strict liability to financial institutions for the costs associated with a card security breach.
Nevada’s Security of Personal Information Law, effective Jan. 1, 2010, went further than the Minnesota law, imposing PCI DSS compliance on businesses accepting credit cards and encryption on all other businesses transmitting or transporting covered data.
Washington’s legislation is narrower than the Minnesota and Nevada acts as it only addresses a party’s liability for damages incurred by a financial institution and fails to mandate encryption or PCI DSS compliance.
The Massachusetts Regulations, the Minnesota and Nevada acts, and the PCI DSS are summarized in the table below.