In July, Washington state will join a very small but growing group of jurisdictions beginning to incorporate the payment industry's self-regulatory Payment Card Industry Data Security Standard (PCI DSS) into their laws.
Washington's law is described as "an act relating to protecting consumers from breaches of security." In reality, it is very similar to Minnesota's Plastic Card Security Act, which took effect in 2008 and essentially gives financial institutions a statutory mechanism to recoup costs associated with reissuing credit/debit cards, after a data breach, from the merchants or card processors responsible for the breach.
The Washington law's purpose is clearly laid out in its first section: "Data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers. … remedial measures such as reissuance of credit or debit cards affected by the breach can help to reduce the incidence of identity theft and associated costs to consumers."
This law was intended to help financial institutions minimize potential fraud on card accounts by giving them the ability to recoup the high costs of closing accounts and reissuing cards when breaches affecting card data occur. (In the end this does, in fact, positively affect the consumer and provide added protection since, in theory, it encourages card reissuance by banks.)
Class actions spurred by large national data breaches like the ones at TJX, BJ's Wholesale Club and Heartland Payment Systems have been brought not just by consumers but also by smaller regional banking companies and credit unions and associations to recoup just such losses.
However, on the whole, these suits and claims by financial institutions forced to reissue cards have not gotten very far. In many cases the financial institutions had to accept settlement agreements arranged through the card brands, from which they got back pennies on the dollar, or received nothing at all.
The Washington law creates new, yet narrow, avenues for recouping the costs associated with card reissuance in certain data breach situations. These are narrow in that there are several exceptions to the law's applicability. For instance, if the data exposed in a payment card breach is encrypted or if the offending company was deemed to be PCI-compliant within a year before the breach, the law does not apply.
It is also important to note that this law focuses on two distinct groups: payment card processors, and large merchants and businesses that process more than 6 million credit/debit card transactions annually.
Merchants or businesses that cause card data breaches but process fewer than 6 million transactions annually are not covered by the law, although they still have to answer to the payment card brands (MasterCard, Visa, American Express, Discover, etc.) for certain costs. Obviously, the costs that come into play when card reissuance is required tend to be higher when a payment processor or large merchant is hit by a data breach, but smaller breaches still impose real costs on banks and other financial institutions.
Critics of the law correctly say that it does not go far enough, but it is at least a step in the right direction. As Doug Johnson, the vice president of risk management policy at the American Bankers Association so aptly put it: "Banks know that they're only as strong as their weakest link, and based on past events, retailers have been that weak link in the security chain."
One can hope the Washington law is just a first step toward recognizing that shifting the burden of protecting sensitive cardholder data onto the businesses that handle it would benefit consumers, the financial institutions and even the businesses themselves.