On March 22, 2010, Washington’s governor signed a new law that holds businesses and card processors liable for the cost of reissuing payment cards after a security breach caused by their negligence. The legislation, H.B. 1149, takes effect on July 1, 2010. H.B. 1149 § 3 (2010).
Covered businesses are those that process more than 6 million card transactions a year and provide goods or services to Washington residents. Id. § 2(1)(c). The law also creates an unusual new type of liability, one imposed on vendors. Covered vendors are those that provide card processing technology or that maintain account information. Because the vendor definition turns on holding account information rather than on the kind of service provided, an outsourcing vendor holding any kind of data is covered if that data includes account information. Thus, a general cloud storage vendor is covered if it stores account information for a processor or merchant. The new law will appear in chapter 19.255 of the Revised Code of Washington.
At the heart of H.B. 1149 is the provision holding processors and covered businesses liable for failing to take reasonable care to prevent unauthorized access to account information. The measure of that liability is the financial institution’s card reissuance costs.
If a processor or business fails to take reasonable care to guard against unauthorized access to account information that is in the possession or under the control of the business or processor, and the failure is found to be the proximate cause of a breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach.
H.B. 1149 § 2(3)(a) (emphasis added). In any litigation to recover such costs, the prevailing party is entitled to attorneys’ fees and costs. Id.
In addition, the Washington law includes a novel vendor liability provision applying to situations where a technology or outsourcing vendor’s negligence caused the damages.
A vendor, instead of a processor or business, is liable to a financial institution for the damages described in (a) of this subsection to the extent that the damages were proximately caused by the vendor's negligence and if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party.
Id. § 2(3)(b). Vendors have largely escaped liability for security breaches; this provision changes that. If other states follow Washington’s lead, it may open the door to much greater vendor liability.
The legislation, though, preserves defenses against the claimants, namely financial institutions, where a vendor has a contract with the financial institution that limits its liability. See id. More generally, the law states that it does not foreclose any applicable defenses, including those based on contract or comparative fault. See id. § 2(5). In any trial, the trier of fact must make a finding on the percentage of fault attributable to each party. See id. § 2(6). A liable party also receives a set-off for any reissuance costs the financial institution separately recovers from a credit card company. See id. § 2(7).
The other significant part of the new law is the section providing safe harbors from liability. There are two. First, no liability attaches to any party if the account information was encrypted at the time of the breach. Id. § 2(2)(a). Encryption is defined as encryption “using standards reasonable for the” business in light of its size and transaction volume. Id. § 2(1)(f). Thus, unlike many other encryption statutes around the country, a nominal or plainly weak encryption scheme will not suffice for the safe harbor; the method used must be defensible as reasonable for a business of that size and transaction volume.
Second, no liability attaches to a party that was certified compliant with the Payment Card Industry Data Security Standard (PCI DSS) in force at the time of the breach. Id. § 2(2)(b). The provision also deems a party compliant if it had an annual security assessment within the year before the breach. Id. Thus, no new assessment need be done immediately after a breach. If, however, the PCI standard changes after the security assessment but before a breach, the safe harbor does not apply, because the certification no longer corresponds to the standard in force. Therefore, if the standard changes, covered entities should be reassessed. In practice, the latest version of the standard is a year and a half old, so it does not appear to change often.
Partner, Cooke Kobrick & Wu LLP