In July, Washington state will join a small but growing group of jurisdictions that have begun writing the payment card industry's self-regulatory data security standards (PCI DSS) into state law.
HB 1149 closely resembles Minnesota's Plastic Card Security Act, which took effect in 2008. It gives financial institutions a statutory mechanism to recover, from the merchants or card processors responsible for a data breach, the costs of reissuing the credit and debit cards affected by that breach.
The purpose of the regulation is laid out in the first section of the law, which states that " … data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers … remedial measures such as reissuance of credit or debit cards affected by the breach can help to reduce the incidence of identity theft and associated costs to consumers".
Whatever the stated purpose, the regulation was written to help financial institutions limit fraud on card accounts by letting them recover the high cost of closing accounts and reissuing cards after a breach of card data. That does ultimately benefit consumers and add protection, since, at least in theory, a bank that can recover its reissuance costs has more reason to reissue cards promptly rather than leave exposed accounts open.
Consumers, as well as smaller regional banks, credit unions and their associations, have brought class actions over large national breaches such as those at TJX, BJ's Wholesale Club and Heartland Payment Systems to recover exactly these losses. On the whole, however, the claims brought by financial institutions forced to reissue cards have not gotten very far. In many cases those institutions had to choose between accepting settlement agreements negotiated by the card brands, under which they were repaid pennies on the dollar for their reissuance costs, or receiving nothing at all.
HB 1149 creates new, though narrow, avenues for recovering card reissuance costs in certain breach situations. They are narrow because the law carries several exceptions. For instance, it does not apply if the card data exposed in the breach was encrypted, or if the company responsible had been deemed PCI-compliant within the year before the breach.
It is also important to note that the regulation focuses on two distinct groups: payment card processors, and larger merchants and businesses, defined as those that process more than six million credit/debit card transactions a year.
Merchants and businesses that suffer payment card breaches but process fewer than six million transactions annually are not covered by the new regulation at all, although they still have to answer to the card brands (MasterCard, Visa, American Express and Discover) for certain costs.
Card reissuance costs are naturally highest when a payment processor or a large merchant such as TJX, BJ's or Heartland is breached, but smaller breaches can still be costly for banks and other financial institutions.
Critics of the regulation rightly point out that the bill does not go far enough. Still, it is a step in the right direction, and it begins to frame payment card security as both a consumer-protection issue and a business issue.
As Doug Johnson, vice president of risk management policy at the American Bankers Association, so aptly put it: "Banks know that they're only as strong as their weakest link, and based on past events, retailers have been that weak link in the security chain."
With luck, HB 1149 is only the first step toward recognizing that shifting the burden of protecting sensitive cardholder data onto the businesses that handle it benefits consumers, financial institutions and, in the end, the businesses themselves.