Washington has enacted a statute to provide financial institutions with a cause of action against certain entities involved in payment card transactions that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. The law goes into effect on July 1, 2010. The new Washington law is similar to an existing statute in Minnesota and shows that Payment Card Industry Data Security Standards (“PCI DSS”) compliance continues to be codified on a state by state basis.
The new law applies to businesses, processors and vendors, which are defined terms in the bill. A business is defined as an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington.” A processor is defined as an entity “that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.” Finally, a vendor is defined as an entity “that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information it does not own.”
The law imposes liability on a processor or business that fails to “take reasonable care” to prevent unauthorized access to account information in its possession or control. Account information is defined as: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device (an “identification device” is defined as an item that uses radio frequency identification technology or facial recognition technology); or (iii) the unencrypted primary account number on a credit card or debit card or identification device in combination with an unencrypted cardholder name, expiration date, or service code. A processor or business suffering a data breach may now be liable to a financial institution for “reimbursement of reasonable actual costs related to the reissuance of credit and debit cards” incurred by the financial institution as part of efforts to mitigate current or future damages to its cardholders. A vendor may also be liable to a financial institution for the same damages if the damages were proximately caused by the vendor’s negligence and if the claim is not limited by another law or by contract.
Notably, the bill exempts processors, businesses, and vendors from liability if the account information was encrypted at the time of the breach or if the business was “certified compliant with the payment card industry data security standards” in effect at the time of the breach. A business is considered compliant if its PCI DSS compliance was validated by an annual security assessment conducted no more than one year prior to the breach. As such, the bill represents another incentive for companies to become PCI DSS compliant and another area of potential liability in the absence of such certification.
Washington joins Minnesota in enacting, in part, the PCI DSS provisions. In 2007, Minnesota enacted Minn. Stat. § 325E.64, which prohibits the retention of card security code data, the PIN verification code number, or the full contents of magnetic stripe data for more than 48 hours about authorization of a transaction. The statute also imposes liability in the event of a data security breach for any person or entity in violation of the statute, mandating that the person or entity shall reimburse a financial institution affected by the breach for the costs of reasonable actions undertaken to protect the information of its cardholders. Unlike the Washington law, the Minnesota statute focuses on retention of data rather than encryption of data or wholesale PCI DSS compliance.
The Minnesota statute provides for costs including, but not limited to: “(1) the cancellation or reissuance of any access device affected by the breach; (2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts; (3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach; (4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and (5) the notification of cardholders affected by the breach.” Minn. Stat. § 325E.64, subd. 3. The law further states that this remedy is cumulative. In contrast, the Washington statute does not itemize grounds for damages but does provide that, in addition to reasonable actual costs, the prevailing party in any legal action brought under the statute is entitled to reasonable attorneys’ fees and costs.
Since Minnesota codified existing Card Brand regulations and Requirement 3.2 of the PCI DSS standard in 2007, a number of other states, including Texas and California, have been debating codifying PCI DSS. Nevada became the first state to mandate compliance with PCI DSS earlier this year. [See our prior Client Advisory.] At this time, PCI DSS compliance appears to be shaping up as a slow but steady march towards state by state codification. This trend is likely to lead to increased exposure to potential liability for businesses operating nationally or in the states in which PCI DSS compliance is no longer just an industry standard best practice.