Washington is the third state to enact an encryption law and a payment card law.1 Massachusetts and Nevada enacted encryption laws and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to this law should begin assessing whether they are subject to and in compliance with this law.

Applies to Business, Processor and Vendor This law applies to a business that (i) processes more than six million credit card and debit card transactions annually and (ii) provides, offers or sells goods or services to Washington residents. These typically are merchants that have the highest level of compliance obligations among businesses that process credit cards.

This law also applies to a processor that directly processes or transmits account information for or on behalf of another person as part of a payment processing service and a vendor that (i) manufactures and sells software or equipment designed to process, transmit or store account information or (ii) maintains account information that it does not own.

Account information means: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device; or (iii) the unencrypted primary account number on a credit card or debit card or identification device, plus cardholder name, expiration date or service code, if not encrypted.

Encrypted means enciphered or encoded using standards reasonable for the breached business or processor taking into account the business or processor’s size and the number of transactions processed annually.

Liability for Data Breach A business or processor is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders resulting from a data breach (even if the financial institution has not suffered a physical injury) if: (i) a business or processor fails to take reasonable care to guard against unauthorized access to account information in its possession or under its control and (ii) this failure is found to be the proximate cause of a data breach. The prevailing party is entitled to reasonable attorneys fees and costs incurred in connection with the legal action.

A vendor is liable to a financial institution for the foregoing damages: (i) to the extent that the damages were proximately caused by the vendor’s negligence and (ii) if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party.

A data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a business.2 Personal information means an individual’s name together with any of the following elements, when both the name and element are not encrypted: (i) Social Security Number, (ii) Washington driver’s license number or identification card number or (iii) account number, credit card number or debit card number, together with any required security code, access code or password permitting access to their financial account.3

Encryption A business, processor or vendor is not liable if: (i) the account information was encrypted at the time of the data breach or (ii) the business, processor or vendor was certified compliant with the payment card industry data security standards, as adopted by the payment card security standards council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.) and in force at the time of the data breach. The payment card industry data security standard include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures and are intended to help organizations proactively protect consumer account data.

A business, processor or vendor will be considered compliant if its payment card industry data security compliance was validated by an annual security assessment and this assessment took place no more than one year before the time of the data breach (for this purpose, this security assessment of compliance is nonrevocable).