HOUSE BILL REPORT

HB 1149

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by House Committee On:

Financial Institutions & Insurance

Title: An act relating to protecting consumers from breaches of security.

Brief Description: Protecting consumers from breaches of security.

Sponsors: Representatives Williams, Roach, Simpson, Kirby, Dunshee, Nelson and Ormsby.

Brief History:

Committee Activity:

Financial Institutions & Insurance: 1/22/09, 2/17/09 [DPS]; 1/19/10 [DP2S].

Brief Summary of Second Substitute Bill

Modifies the state security breach law.

Provides a cause of action for a financial institution against a person or business if there is a breach of security affecting 5,000 or more unencrypted individual names or account numbers.

HOUSE COMMITTEE ON FINANCIAL INSTITUTIONS & INSURANCE

Majority Report: The second substitute bill be substituted therefor and the second substitute bill do pass. Signed by 9 members: Representatives Kirby, Chair; Kelley, Vice Chair; Hurst, McCoy, Nelson, Roach, Rodne, Santos and Simpson.

Minority Report: Do not pass. Signed by 2 members: Representatives Bailey, Ranking Minority Member; Parker, Assistant Ranking Minority Member.

Staff: Jon Hedegard (786-7127).

Background:

State Security Breach Law (Chapter 19.255 RCW).

In 2005 the Legislature enacted a security breach law. The law requires any person or business to notify possibly affected persons when security is breached and unencrypted personal information is (or is reasonably believed to have been) acquired by an unauthorized person. A person or business is not required to disclose a technical breach that does not seem reasonably likely to subject customers to a risk of criminal activity.

"Personal information" is defined as an individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted:

Social Security number;
driver's license number or Washington identification card number; or
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

The notice required must be either written, electronic, or substitute notice. If it is electronic, the notice provided is consistent with federal law provisions regarding electronic records, including consent, record retention, and types of disclosures. Substitute notice is only allowed if the cost of providing direct notice exceeds $250,000; the number of persons to be notified exceeds 500,000; or there is insufficient contact information to reach the customer. Substitute notice consists of all of the following:

electronic mail (e-mail) notice when the person or business has an e-mail address for the subject persons;
conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and
notification to major statewide media.

A customer injured by a violation of the security breach law has the right to a civil action for damages.

State Disposal of Personal Information Law.

State law places restrictions on how certain types of personal information may be disposed. If a person or business is disposing of records containing personal financial and health information and personal identification numbers issued by a government entity, the person or business must take all reasonable steps to destroy, or arrange the destruction of, the information.

An individual injured by the failure of an entity to comply with the disposal or personal information law may sue for:

$200 or actual damages, whichever is greater, and costs and reasonable attorneys' fees if the failure to comply is due to negligence; or
$600 or three times actual damages (up to $10,000), whichever is greater, and costs and reasonable attorneys' fees if the failure to comply is willful.

The Attorney General may bring a civil action in the name of the state for damages, injunctive relief, or both, against an entity that fails to comply with the law. The court may award damages that are the same as those awarded to individual plaintiffs.

Additional Federal and State Privacy Protections.

Federal and state health privacy laws generally include security provisions and safeguards for health information, including information relating to an individual's identity and payment information. These duties are imposed on health insurers, providers, and others in the health system.

Federal banking and insurance laws generally include security provisions and safeguards for individually identifiable health and financial information. These duties are placed on individuals and businesses in the banking community.

–––––––––––––––––––––––––––––––––

Summary of Second Substitute Bill:

A number of definitions are created, including "financial institution," "processors," vendors," and "merchants."

Processors and merchants are liable to a financial institution for a failure to exercise reasonable care through encryption of account information is the proximate cause of a breach of security. A financial institution may recover reasonable actual costs to mitigate potential damages to its account holders due to the breach. If an action is brought, the prevailing party is entitled to recover its reasonable attorneys' fees and costs incurred in connection with the legal action.

Vendors are liable to a financial institution to the extent that the damages are due to a defect in the vendor's software or equipment related to the encryption.

There is immunity for processors, merchants, or vendors if:

the breached account information was encrypted; and
the processor, merchant, or vendor was certified compliant with security standards by any payment system network through which transactions are conducted.

There is nothing that prevents:

any entity responsible for handling account information on behalf of a merchant or processor from being sued; or
a processor, merchant, or vendor from asserting any defense including defenses of contributory or comparative negligence.

Second Substitute Bill Compared to Original Bill:

A number of the definitions are changed. The liability provisions are modified. The immunity provisions are modified. A safe harbor threshold of six million transactions for a merchant is built into the definition of "merchant." Attorneys' fees are no longer awarded to the prevailing party in court. The changes to the existing data breach law are removed. The prohibitions on a person or a service provider from retaining certain financial information unless the information is encrypted are removed. The safe harbor threshold for a breach of less than 5,000 accounts is removed. The authorization of a fee to subsidize insurance to pay for security breaches is removed. Arbitration provisions are removed. The provisions applied to transient accommodations and rental car businesses are removed.

–––––––––––––––––––––––––––––––––

Appropriation: None.

Fiscal Note: Available.

Effective Date of Second Substitute Bill: The bill takes effect on July 1, 2010.

Staff Summary of Public Testimony:

See House Bill Report in 2009.

Persons Testifying: See House Bill Report in 2009.

Persons Signed In To Testify But Not Testifying: See House Bill Report in 2009.