Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches. Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities: businesses, processors and vendors. Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”
The new law, an addition to the state’s breach notification statute, provides that if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to Washington residents to mitigate “potential current or future damages” to them. Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor’s negligence.
The law contains a number of safe harbors. For example, there is no liability if the account information was encrypted at the time of the breach. Also, an entity is not liable if its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) was validated by an annual security assessment that took place no more than one year prior to the breach, even if that security assessment is subsequently revoked.