BILL REQ. #:  H-4176.2 



_____________________________________________ 

SECOND SUBSTITUTE HOUSE BILL 1149
_____________________________________________
State of Washington    61st Legislature    2010 Regular Session

By House Financial Institutions & Insurance (originally sponsored by Representatives Williams, Roach, Simpson, Kirby, Dunshee, Nelson, and Ormsby)

READ FIRST TIME 01/21/10.   



     AN ACT Relating to protecting consumers from breaches of security; adding a new section to chapter 19.255 RCW; creating new sections; and providing an effective date.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 1   The legislature recognizes that data breaches contribute to identity theft and fraud and can be costly to consumers. The legislature also recognizes that when a breach occurs, remedial measures such as reissuance of credit or debit cards affected by the breach can help to reduce the incidence of identity theft and associated costs to consumers. Accordingly, the legislature intends to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large merchants or processors who are negligent in maintaining or transmitting card data.

NEW SECTION.  Sec. 2   A new section is added to chapter 19.255 RCW to read as follows:
     (1) For purposes of this section:
     (a) "Access device" has the same meaning as in RCW 9A.56.010.
     (b) "Account information" means: (i) The full, unencrypted magnetic stripe of a credit or debit card; (ii) the full, unencrypted account information contained on an identification device as defined under RCW 19.300.010; or (iii) the unencrypted primary account number on a credit or debit card or identification device, plus any of the following: Cardholder name, expiration date, or service code.
     (c) "Breach" has the same meaning as "breach of the security of the system" in RCW 19.255.010.
     (d) "Merchant" means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million access device transactions annually, and who offers or sells goods or services to persons who are residents of Washington.
     (e) "Processor" means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a merchant, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.
     (f) "Service code" means the three or four digit number in the magnetic stripe or on a credit or debit card that is used to specify acceptance requirements or to validate the card.
     (g) "Vendor" means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information using encryption.
     (2) Processors, merchants, or vendors are not liable under this section if (a) the breached account information was encrypted, and (b) the processor, merchant, or vendor was certified compliant with applicable information security standards promulgated or adopted by any payment system network through which transactions are conducted.
     (3)(a) If a processor or merchant fails to take reasonable care through the use of an industry standard level of encryption to guard against unauthorized access to account information that is in the possession or under the control of the merchant or processor, and the failure is found to be the proximate cause of a breach, the processor or merchant is liable to a financial institution, as defined in RCW 30.22.040, for reimbursement of reasonable actual costs incurred by the financial institution to mitigate potential current or future damages to its access device account holders as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach. In any legal action brought pursuant to this subsection, the prevailing party is entitled to recover its reasonable attorneys' fees and costs incurred in connection with the legal action.
     (b) A vendor is liable to a financial institution instead of a processor or merchant for the damages described in (a) of this subsection to the extent that the damages are attributable to a defect in the vendor's software or equipment related to the encryption of account information.
     (4) Nothing may prevent any entity responsible for handling account information on behalf of a merchant or processor from being made a party to an action under this section.
     (5) Nothing in this section may be construed as preventing or foreclosing a processor, merchant, or vendor from asserting any defense otherwise available to a negligence action including, but not limited to, defenses of contributory or comparative negligence.
     (6) In cases to which this section applies, the trier of fact shall determine the percentage of the total fault which is attributable to every entity which caused the claimant's damages.
     (7) The remedies under this section are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.

NEW SECTION.  Sec. 3   This act takes effect July 1, 2010.

NEW SECTION.  Sec. 4   This act applies prospectively only. This act applies to any breach occurring on or after the effective date of this section.

--- END ---