News

Washington passes additional data breach measure

14 April 2010

The state of Washington recently enacted a supplemental data breach law intended to protect financial institutions from data breaches that occur as a result of negligence by businesses or card processors, primarily those that do not encrypt card data or fail to comply with PCI DSS rules.

This new law allows financial institutions with affected customers in Washington to recoup losses associated with protecting their clients via the state’s legal system. The law intends to facilitate financial firms’ willingness to issue new cards and account numbers when account and customer information is compromised, thereby reducing the likelihood of identity theft.

Washington’s new data breach law, HB 1149, was signed into law by Gov. Christine Gregoire in late March and will put the onus on card processors, businesses, and other third-party vendors using the information to ensure the security of card and account holder data or else be subjected to litigation on behalf of financial institutions.

In short, businesses and card processors that fail to encrypt customer data or comply with industry processing standards, such as PCI DSS, and then subsequently suffer a breach will be affected by the law.

Although it is titled "Protecting Consumers from Breaches of Security", Infosecurity understands that this law is hardly a consumer protection statute. Rather, this bill, which goes into effect as of July 1, 2010, simply allows financial institutions to seek reparations via the courts for damages resulting from a data breach. As a spokesperson for the governor told us, the reasoning behind the bill was that financial institutions would be more likely to issue new cards and account numbers to their customers if the institutions had some type of legal remedy to recover the losses that result from taking such measures following a data breach.

This falls in line with the intended aims of the law, as stated in the bill’s text:

The legislature recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers. The legislature also recognizes that when a breach occurs, remedial measures such as reissuance of credit or debit cards affected by the breach can help to reduce the incidence of identity theft and associated costs to consumers. Accordingly, the legislature intends to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data.

The bill was passed unanimously by the Washington State Senate in early March, and by a more than two-to-one margin by the state House.

This article is featured in:
Compliance and Policy  • Data Loss
