Washington passes additional data breach measure

Washington: protecting consumers from breaches of security? Well, not quite in this case.
Washington: protecting consumers from breaches of security? Well, not quite in this case.

This new law allows financial institutions with affected customers in Washington to recoup losses associated with protecting their clients via the state’s legal system. The law intends to facilitate financial firms’ willingness to issue new cards and account numbers when account and customer information is compromised, thereby reducing the likelihood of identity theft.

Washington’s new data breach law, HB 1149, was signed into law by Gov. Christine Gregoire in late March and will put the onus on card processors, businesses, and other third-party vendors using the information to ensure the security of card and account holder data or else be subjected to litigation on the behalf of financial institutions.

In short, businesses and card processors that fail to encrypt customer data or comply with industry processing standards, such as PCI DSS, and then subsequently suffer a breach will be affected by the law.

Although it is titled "Protecting Consumers from Breaches of Security", Infosecurity understands that this law is hardly a consumer protection statute. Rather, this bill, which goes into effect as of July 1, 2010, simply allows financial institutions to seek reparations via the courts for damages as a result of a data breach. As a spokesperson for the governor told us, the reasoning behind the bill was that financial institutions would be more likely to issue new cards and account numbers to their customers if institutions have some type of legal remedy to recover the loses that result from taking such measures following a data breach.

This falls in line with the intended aims of the law, as stated in the bill’s text:

The legislature recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers. The legislature also recognizes that when a breach occurs, remedial measures such as reissuance of credit or debit cards affected by the breach can help to reduce the incidence of identity theft and associated costs to consumers. Accordingly, the legislature intends to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data.

The bill was passed unanimously by the Washington State Senate in early March, and by a more than two-to-one margin by the state House.

What’s Hot on Infosecurity Magazine?