Passed by the House March 6, 2010 Yeas 65   FRANK CHOPP ________________________________________ Speaker of the House of Representatives Passed by the Senate March 2, 2010 Yeas 45   BRAD OWEN ________________________________________ President of the Senate | I, Barbara Baker, Chief Clerk of the House of Representatives of the State of Washington, do hereby certify that the attached is ENGROSSED SECOND SUBSTITUTE HOUSE BILL 1149 as passed by the House of Representatives and the Senate on the dates hereon set forth. BARBARA BAKER ________________________________________ Chief Clerk | |
Approved March 22, 2010, 2:25 p.m. CHRISTINE GREGOIRE ________________________________________ Governor of the State of Washington | March 22, 2010 Secretary of State State of Washington |
State of Washington | 61st Legislature | 2010 Regular Session |
READ FIRST TIME 01/21/10.
AN ACT Relating to protecting consumers from breaches of security; adding a new section to chapter 19.255 RCW; creating new sections; and providing an effective date.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1 The legislature recognizes that data
breaches of credit and debit card information contribute to identity
theft and fraud and can be costly to consumers. The legislature also
recognizes that when a breach occurs, remedial measures such as
reissuance of credit or debit cards affected by the breach can help to
reduce the incidence of identity theft and associated costs to
consumers. Accordingly, the legislature intends to encourage financial
institutions to reissue credit and debit cards to consumers when
appropriate, and to permit financial institutions to recoup data breach
costs associated with the reissuance from large businesses and card
processors who are negligent in maintaining or transmitting card data.
NEW SECTION. Sec. 2 A new section is added to chapter 19.255 RCW
to read as follows:
(1) For purposes of this section:
(a) "Account information" means: (i) The full, unencrypted
magnetic stripe of a credit card or debit card; (ii) the full,
unencrypted account information contained on an identification device
as defined under RCW 19.300.010; or (iii) the unencrypted primary
account number on a credit card or debit card or identification device,
plus any of the following if not encrypted: Cardholder name,
expiration date, or service code.
(b) "Breach" has the same meaning as "breach of the security of the
system" in RCW 19.255.010.
(c) "Business" means an individual, partnership, corporation,
association, organization, government entity, or any other legal or
commercial entity that processes more than six million credit card and
debit card transactions annually, and who provides, offers, or sells
goods or services to persons who are residents of Washington.
(d) "Credit card" has the same meaning as in RCW 9A.56.280.
(e) "Debit card" has the same meaning as in RCW 9A.56.280 and for
the purposes of this section, includes a payroll debit card.
(f) "Encrypted" means enciphered or encoded using standards
reasonable for the breached business or processor taking into account
the business or processor's size and the number of transactions
processed annually.
(g) "Financial institution" has the same meaning as in RCW
30.22.040.
(h) "Processor" means an individual, partnership, corporation,
association, organization, government entity, or any other legal or
commercial entity, other than a business as defined under this section,
that directly processes or transmits account information for or on
behalf of another person as part of a payment processing service.
(i) "Service code" means the three or four digit number in the
magnetic stripe or on a credit card or debit card that is used to
specify acceptance requirements or to validate the card.
(j) "Vendor" means an individual, partnership, corporation,
association, organization, government entity, or any other legal or
commercial entity that manufactures and sells software or equipment
that is designed to process, transmit, or store account information or
that maintains account information that it does not own.
(2) Processors, businesses, and vendors are not liable under this
section if (a) the account information was encrypted at the time of the
breach, or (b) the processor, business, or vendor was certified
compliant with the payment card industry data security standards
adopted by the payment card industry security standards council, and in
force at the time of the breach. A processor, business, or vendor will
be considered compliant, if its payment card industry data security
compliance was validated by an annual security assessment, and if this
assessment took place no more than one year prior to the time of the
breach. For the purposes of this subsection (2), a processor,
business, or vendor's security assessment of compliance is
nonrevocable. The nonrevocability of a processor, business, or
vendor's security assessment of compliance is only for the purpose of
determining a processor, business, or vendor's liability under this
subsection (2).
(3)(a) If a processor or business fails to take reasonable care to
guard against unauthorized access to account information that is in the
possession or under the control of the business or processor, and the
failure is found to be the proximate cause of a breach, the processor
or business is liable to a financial institution for reimbursement of
reasonable actual costs related to the reissuance of credit cards and
debit cards that are incurred by the financial institution to mitigate
potential current or future damages to its credit card and debit card
holders that reside in the state of Washington as a consequence of the
breach, even if the financial institution has not suffered a physical
injury in connection with the breach. In any legal action brought
pursuant to this subsection, the prevailing party is entitled to
recover its reasonable attorneys' fees and costs incurred in connection
with the legal action.
(b) A vendor, instead of a processor or business, is liable to a
financial institution for the damages described in (a) of this
subsection to the extent that the damages were proximately caused by
the vendor's negligence and if the claim is not limited or foreclosed
by another provision of law or by a contract to which the financial
institution is a party.
(4) Nothing in this section may be construed as preventing or
foreclosing any entity responsible for handling account information on
behalf of a business or processor from being made a party to an action
under this section.
(5) Nothing in this section may be construed as preventing or
foreclosing a processor, business, or vendor from asserting any defense
otherwise available to it in an action including, but not limited to,
defenses of contract, or of contributory or comparative negligence.
(6) In cases to which this section applies, the trier of fact shall
determine the percentage of the total fault which is attributable to
every entity which was the proximate cause of the claimant's damages.
(7) The remedies under this section are cumulative and do not
restrict any other right or remedy otherwise available under law,
however a trier of fact may reduce damages awarded to a financial
institution by any amount the financial institution recovers from a
credit card company in connection with the breach, for costs associated
with access card reissuance.
NEW SECTION. Sec. 3 This act takes effect July 1, 2010.
NEW SECTION. Sec. 4 This act applies prospectively only. This
act applies to any breach occurring on or after the effective date of
this section.