The state of Washington enacted a new law that provides financial institutions with a cause of action against retailers and credit card processors who suffer data breaches after failing to comply with the Payment Card Industry (PCI) standards. The Protecting Consumers from Breaches of Security law takes effect July 1.

The law will allow financial institutions to recover certain costs and damages from credit card processors and retailers that suffer data breaches as a result of failing to comply with current PCI security standards. It applies to three groups: businesses (defined as an entity that processes more than six million credit and debit transactions and that “provides, offers, or sells goods or services” to Washington residents), processors (an entity that “processes or transmits account information for or on behalf of another person as part of a payment processing service”), and vendors (entities that manufacture or sell software or equipment designed to process, transmit or store account information, or that maintain account data they do not own).

Liability is imposed if one of the covered entities fails to “take reasonable care” to prevent unauthorized access to account information in its possession or control. Account information includes the unencrypted magnetic stripe of a credit or debit card, and the primary account number in combination with cardholder name, expiration date, or service code.

Under the law, a financial institution may recover reimbursement of “reasonable actual costs” related to the reissuance of credit or debit cards. Entities are exempt from liability, however, if the account information was encrypted, or if the entity was “certified compliant” with the PCI standards no more than one year prior to the data breach.

The PCI standards are a set of procedural and technological requirements for enhancing data security and include practices such as installing and maintaining a firewall, encrypting cardholder data, creating unique passwords for vendor-supplied computer systems, and assigning a unique ID to each person with access to the transaction systems.

Minnesota and Nevada have similar laws on the books.

Why it matters: While most states now have reactive breach-notification statutes in place, the new laws attempt to require companies to take proactive measures to prevent or limit data breaches by shifting the resulting costs onto them. Any retailer that collects credit card information in the course of business should ensure that the data is encrypted and/or that the retailer is compliant with the PCI data security standards. The law's definitions of “business,” “processor,” and “vendor” all reach beyond the borders of Washington State, giving the new law a national application. Although only three states currently require such compliance, the new laws represent a trend likely to be adopted in other states.