Does New Breach Law Have Teeth?WA Tries to Help Banking Institutions Recoup Costs from Card Hacks
HB 1149, which takes effect on July 1, is intended in part to help banking institutions recover costs of a card breach from a merchant or related service provider The two other states with data breach statutes that use PCI standards as a measure are Minnesota and Nevada.
But while state and national banking associations hail HB 1149 as a victory for banks and credit unions that have spent millions cleaning up after merchant and processor breaches, one legal expert cautions: The tough new standard may be even tougher to enforce.
"It is only a victory against those merchants who are completely absent in PCI security," says David Navetta, an attorney specializing in security and privacy law.
Inside HB 1149
On its face, this new legislation appears to be a real win for financial institutions, stating:
- Any business that processes more than 6 million debit or credit transactions per year is liable when it fails to exercise reasonable care through encryption of account information.
- Vendors such as data processors are liable for damages due to a defect in the vendor's software or equipment related to the encryption if the defect caused the breach.
- Financial institutions may recoup from businesses or vendors reasonable actual costs of reissuing cards to Washington residents affected by a data breach.
But according to Navetta, the law provides only a narrow field of possible recovery. Businesses are immune from action when the information they process is encrypted and the business itself is certified PCI compliant, Navetta says. "A lot of the smaller banks were looking for something like this, as their only way to recoup their losses now is through the credit card companies."
HB 1149 has safe harbor provisions for businesses that can show they are PCI compliant., Navetta says. "It will really catch those companies that have so far been scoffing at PCI."
Liability provisions will apply only if the [business] hasn't validated compliance. "As long as they've gone through the motions, filed a self-assessment questionnaire regarding PCI-DSS compliance, they're covered," he says.
Under HB 1149, a "Regulated Entity" is considered compliant if it was validated by an annual security assessment, as long as an assessment took place no more than one year prior to the time of the breach. With all of the "loop holes" being offered in the Safe Harbor provision for merchants, Navetta says this law doesn't have any real teeth for enforcement. "Except for the biggest scofflaws who have done nothing," he says. "They will be the ones that would be affected by this law."
Banking Associations: "Appreciative"
Washington credit unions lobbied hard for HB 1149 and are pleased to see it is now law, says John Annaloro, head of the Washington Credit Union League. "Washington credit unions have spent millions of dollars cleaning up the mess left by merchants and data processors when large-scale data compromises occur," Annaloro says. "The private financial information these third-party processors hold has too often been negligently stored or transmitted. Credit and debit card fraud can be the result. This new law thoughtfully addresses that responsibility by placing recovery costs back on the negligent party."
According to Doug Johnson, Vice President of Risk Management Policy at the American Bankers Association, financial institutions -- especially community banks -- "are appreciative of anything that allows them to recoup card costs and fraud losses when there is a breach."
Does this new law serve as a wake-up call for merchants and processors?
"I think the financial services industry would welcome anything that causes retailers to wake up and heighten their security posture to the financial services industry standards," Johnson says. "Banks know that they're only as strong as their weakest link, and based on past events, retailers have been that weak link in the security chain."