Does New Breach Law Have Teeth?

WA Tries to Help Banking Institutions Recoup Costs from Card Hacks
Does New Breach Law Have Teeth?
In response to the Heartland Payment Systems data breach and similar incidents, Washington has become the third state to pass legislation incorporating the Payment Card Industry Data Security Standard (PCI) to help financial institutions recover costs from credit/debit card breaches.

HB 1149, which takes effect on July 1, is intended in part to help banking institutions recover costs of a card breach from a merchant or related service provider The two other states with data breach statutes that use PCI standards as a measure are Minnesota and Nevada.

But while state and national banking associations hail HB 1149 as a victory for banks and credit unions that have spent millions cleaning up after merchant and processor breaches, one legal expert cautions: The tough new standard may be even tougher to enforce.

"It is only a victory against those merchants who are completely absent in PCI security," says David Navetta, an attorney specializing in security and privacy law.

Inside HB 1149

On its face, this new legislation appears to be a real win for financial institutions, stating:

  • Any business that processes more than 6 million debit or credit transactions per year is liable when it fails to exercise reasonable care through encryption of account information.

  • Vendors such as data processors are liable for damages due to a defect in the vendor's software or equipment related to the encryption if the defect caused the breach.

  • Financial institutions may recoup from businesses or vendors reasonable actual costs of reissuing cards to Washington residents affected by a data breach.

But according to Navetta, the law provides only a narrow field of possible recovery. Businesses are immune from action when the information they process is encrypted and the business itself is certified PCI compliant, Navetta says. "A lot of the smaller banks were looking for something like this, as their only way to recoup their losses now is through the credit card companies."

HB 1149 has safe harbor provisions for businesses that can show they are PCI compliant., Navetta says. "It will really catch those companies that have so far been scoffing at PCI."

Liability provisions will apply only if the [business] hasn't validated compliance. "As long as they've gone through the motions, filed a self-assessment questionnaire regarding PCI-DSS compliance, they're covered," he says.

Under HB 1149, a "Regulated Entity" is considered compliant if it was validated by an annual security assessment, as long as an assessment took place no more than one year prior to the time of the breach. With all of the "loop holes" being offered in the Safe Harbor provision for merchants, Navetta says this law doesn't have any real teeth for enforcement. "Except for the biggest scofflaws who have done nothing," he says. "They will be the ones that would be affected by this law."

Banking Associations: "Appreciative"

Washington credit unions lobbied hard for HB 1149 and are pleased to see it is now law, says John Annaloro, head of the Washington Credit Union League. "Washington credit unions have spent millions of dollars cleaning up the mess left by merchants and data processors when large-scale data compromises occur," Annaloro says. "The private financial information these third-party processors hold has too often been negligently stored or transmitted. Credit and debit card fraud can be the result. This new law thoughtfully addresses that responsibility by placing recovery costs back on the negligent party."

According to Doug Johnson, Vice President of Risk Management Policy at the American Bankers Association, financial institutions -- especially community banks -- "are appreciative of anything that allows them to recoup card costs and fraud losses when there is a breach."

Does this new law serve as a wake-up call for merchants and processors?

"I think the financial services industry would welcome anything that causes retailers to wake up and heighten their security posture to the financial services industry standards," Johnson says. "Banks know that they're only as strong as their weakest link, and based on past events, retailers have been that weak link in the security chain."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.