: Washington : Privacy Law Blog

Home > Washington >

Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

Posted on April 13, 2010 by Brendon Tavelli

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota (see our post here) to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as “level 1” merchants) who fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards as well as attorneys fees and costs in the event that a security breach involving payment card information is a proximate result. H.B. 1149 also includes a provision to make vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor’s negligence. The amount of such damages, of course, will depend on the particular breach.

H.B. 1149’s safe harbors and exemptions, however, help to minimize the scope and potential impact of the new law. For example, the new law exempts businesses that are certified as compliant with the Payment Card Industry Data Security Standards (“PCI DSS”) at the time of a breach. Most large merchants and card processors are well-acquainted with PCI DSS requirements and have already implemented safeguards aimed at PCI DSS compliance. So the new law should not require Herculean efforts or wholesale changes to covered entities’ cardholder information security programs. However, their liability exposure for losses arising from non-compliance is increased as a result of H.B. 1149.

Entities also are not liable if the payment card information was encrypted at the time of the breach.

The bill signed by Governor Gregoire does not include provisions from earlier versions of the bill that would have, among other things, prohibited covered entities from retaining cardholder data without the express consent of customers and held such entities liable in the event of a breach involving unencrypted cardholder data about more than 5,000 individuals. Likewise, a provision that would have allowed merchants to charge an extra two cents for each payment card transaction in order to cover the cost of insurance against potential liabilities under the law did not survive in the enacted version of the legislation.

With the enactment of H.B. 1149, Washington joins Minnesota as the only state to statutorily impose liability for breach-related costs on negligent merchants, payment card processors and vendors. It also distinguishes itself from the handful of other states in which attempts to enact such laws have failed; states like California, where Governor Schwarzenegger vetoed a similar measure in 2007. Additionally, with the adoption of H.B. 1149, Washington joins Nevada in its quest to incorporate parts of the PCI DSS into its state law. As we previously wrote, Nevada exempts certain entities that are PCI DSS compliant from some of the state’s encryption requirements.

Tags: Financial Privacy, PCI DSS, Washington, financial institution, merchant, security breach

CAN of Worms?: New Decision Opens CAN-SPAM Private Right of Action to Non-ISPs

Posted on November 6, 2008 by Proskauer Rose LLP

A recent decision in the Western District of Washington broadly defines the reach of the private right of action under the federal CAN-SPAM statute. In that case, Haselton v. Quicken Loans Inc., W.D. Wash., C-07-1777, 10/14/08, the court held that a company had standing to sue alleged spammers even though it is not an Internet service provider (ISP) and does not provide e-mail accounts to its customers.

Plaintiff Peacefire’s website allows its users to circumvent website filtering and content-control software. Peacefire successfully argued that it is an “Internet access service” (IAS) within the protection of CAN-SPAM. CAN-SPAM uses the COPPA definition of IAS: “a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.” 47 U.S.C. § 231(e)(4); 15 U.S.C. § 7702(11). Defendants unsuccessfully argued that only ISPs have standing to sue as IASs. The court rejected that argument, holding that Peacefire qualifies as an IAS because it provides “further access” to the Internet, even though it does not provide consumers with an initial connection point as an ISP. The plain language of this definition, according to the court, does not require an IAS to provide Internet connectivity to end users.

In holding that Peacefire is an IAS, the court relied in part on previous rulings, such as the one we discussed here, that social networking sites such as Facebook and MySpace are IASs even though they are not ISPs.

The court also held that Peacefire was “adversely affected” by the alleged spamming activity even though it does not provide consumer e-mail accounts. The court agreed that the alleged harms, “reduc[ing] their network speeds, impair[ing] their ability to notify subscribers about new ways to access services, and requir[ing] them to increase server and memory capacity,” were cognizable under CAN-SPAM. The court recognized that CAN-SPAM’s legislative history contemplated precisely these kinds of harms, in addition to the harm caused to individual e-mail account holders.

The Haselton ruling clarifies that potential CAN-SPAM plaintiffs extend beyond ISPs. While the court recognized that a private right of action requires greater harm than the spam-related harms suffered by all consumers and businesses, it defined the range of harms broadly enough to allow a wide range of IASs to qualify.

Tags: CAN-SPAM, Facebook, IAS, ISP, Internet, MySpace, Washington, private right of action, spam

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).