BILL REQ. #:  H-4615.2 



_____________________________________________ 

SUBSTITUTE HOUSE BILL 2838
_____________________________________________
State of Washington   60th Legislature   2008 Regular Session

By House Insurance, Financial Services & Consumer Protection (originally sponsored by Representatives Williams, Roach, Kirby, Simpson, Ericks, and Haler)

READ FIRST TIME 02/05/08.   



     AN ACT Relating to personal information associated with debit and credit cards issued by financial institutions; and adding a new section to chapter 19.255 RCW.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 1   A new section is added to chapter 19.255 RCW to read as follows:
     (1) Notwithstanding any other provision of law or contract, and in addition to other remedies provided by law, any person or business that is required to disclose a breach of the security of the system under RCW 19.255.010, if that breach was comprised of five thousand or more unencrypted individual names or account numbers, shall be liable to a financial institution in negligence for actions reasonably undertaken in order to protect consumers including, but not limited to, any costs incurred in connection with:
     (a) The cancellation or reissuance of an access device affected by the breach;
     (b) The closing of a deposit, transaction, checking, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account;
     (c) The opening or reopening of a deposit, transaction, checking, share draft, or other account affected by the breach;
     (d) A refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach;
     (e) The notification of account holders affected by the breach;
     (f) Credit monitoring services on accounts affected by the breach for a period of one year from the time the issuer of the access device is notified of the breach; and
     (g) Reasonable attorneys' fees and costs associated with the action.
     (2) A person or business will not be liable under this section if the person or business providing the data breach notice met industry standards for the handling, processing, and storage of personal information, maintained a policy on the treatment of personal information, and consistently provided training to staff on this policy at the time of the data breach.
     (3) In an action under this section, a financial institution that provided or approved equipment used to process payment transactions, to a person or business, will be precluded from recovering under this section against the person or business, provided that the breach of the security of the system was directly related to the equipment provided or approved by the financial institution, and the equipment was being used in the manner recommended by the financial institution.
     (4) The definitions in this subsection apply throughout this section unless the context clearly requires otherwise.
     (a) "Access device" has the same meaning as in RCW 9A.56.010.
     (b) "Breach of the security of the system" has the same meaning as in RCW 19.255.010.
     (c) "Financial institution" has the same meaning as in RCW 30.22.040.
     (d) "Unencrypted" means that the personal information was not transformed using an algorithm making the information unreadable to anyone except those possessing a key, using standards appropriate for the industry at the time of the breach of the security of the system.

--- END ---