Washington State is following closely on the heels of Nevada, which updated its data breach statute at the beginning of this year to add encryption usage and compliance with the Payment Card Industry — Data Security Standards (PCI-DSS) as a factor in determining liability for damages (see Tech Razor post on 1/1/10). The Governor of Washington today signed into law an amendment to the state’s data breach statute that exposes certain businesses to liability for damages incurred by financial institutions unless the subject business utilized encryption or was PCI-DSS compliant at the time of the breach.
The new provisions, which are effective July 1, 2010, will subject any business that processes over 6 million credit or debit card transactions annually to liability to financial institutions for not exercising reasonable care to prevent unauthorized access to account information, unless the business encrypts processed account information or is compliant with PCI-DSS standards. Similarly, vendors of software and equipment designed to process, transmit or store account information, and vendors that maintain account information for third parties, will also be liable to financial institutions for damages that result from a data breach caused by the vendor’s negligence with respect to their software, equipment or services, unless the data was encrypted or the vendor was certified within the prior 12 months as being compliant with applicable PCI-DSS requirements.
Compared to the Nevada Act, the Washington legislation is narrower. Washington’s latest revision is only focused on damages incurred by financial institutions and does not mandate encryption or PCI compliance, whereas Nevada imposes PCI-DSS compliance on businesses accepting credit cards and encryption on all other businesses transmitting or transporting covered data. Although this amendment may be viewed as an attempt to address the very real concerns of financial institutions, which incurred substantial card re-issuance and other costs following several major data breaches over the past few years — most notably from the TJX/TJ Maxx and Heartland Systems incidents — the amendment is also a harbinger of both the increased attention focused on data security issues and of similar legislation that may be expected in the near future from other states. In addition, the differing scopes of the Washington and Nevada statutes highlight the challenge that businesses will face by having to keep up with another layer in the patchwork of data-security requirements as such state-level legislation continues to emerge.
PDF of Washington Amendment: HB 1149 Washington State