OLYMPIA, Wash. (3/24/10)--Washington Gov. Christine Gregoire Monday signed a law that will encourage financial institutions to take extraordinary measures to protect consumers from identity theft and financial fraud, said the Washington Credit Union League.

H.B. 1149 removes the financial burden of reissuing compromised cards and accounts from credit unions and banks affected by large-scale data breaches, and encourages them to actively intervene on behalf of consumers. It also encourages businesses conducting credit and debit transactions to be careful with consumer data.

“Washington credit unions have spent millions of dollars cleaning up the mess left by merchants and data processors when large-scale data compromises occur,” said league President/CEO John Annaloro. “The private financial information these third-party processors hold has too often been negligently stored or transmitted. Credit and debit card fraud can be the result.

“This new law thoughtfully addresses that responsibility by placing recovery costs back on the negligent party,” Annaloro said, noting it is “likely a national model for state data breach legislation.”

Under current Washington law, when a breach compromises a consumer’s card data, the breached business must alert the consumer or the cardholder’s financial institution unless the breach is part of an ongoing investigation. Because of reputation management issues and the cost of notifying customers, the breached business generally chooses to notify the card-issuing financial institution.

At that point the financial institution has a choice--alert consumers of a possible risk of fraud or actively intervene. Either way, the financial institution unfairly bears the reputational and financial burden, said the league.

The increase in frequency of large-scale data breaches, combined with the soaring reissuing cost of plastic cards--between $15 and $20--has stymied the once standard practice of blocking and reissuing cards, the league said. The new law seeks to revive this practice.

“When the first notification of a data breach occurs, having the financial institution immediately begin blocking and reissuing compromised plastic is the most proactive step a credit union or bank could take to protect the consumer from harm,” said Annaloro.

“Allowing financial institutions to recoup these costs from a negligent data-breacher removes the financial burden from affected financial institutions. This encourages institutions to always take action on consumers’ behalf,” he said.

The highlights of the legislation are threefold:

* A business that processes more than six million debit or credit transactions per year is liable when it fails to exercise reasonable care through encryption of account information;
* Vendors such as data processors are liable for damages due to a defect in the vendor’s software or equipment related to the encryption if the defect resulted in the breach;
* Financial institutions may recoup from businesses or vendors reasonable actual costs of reissuing plastic cards to Washingtonians affected by a data breach.

Businesses are immune from action when the information they process is encrypted and the business itself is certified compliant.

During the past five years, Washington has enacted several statutes to help consumers protect themselves from identity theft and financial fraud. This new law further improves consumer protections against these types of crimes, said the league.

Washington is the second state to enact data breach legislation. Minnesota passed a similar law in 2007.

Prime sponsors of the legislation include Rep. Brendan Williams (D-22), Rep. Dan Roach (D-31), and Sen. Jeanne Kohl-Welles (D-36). In addition to community banks, which had opposed the legislation until this year, this data breach protection legislation was supported by consumer groups and at least one national insurance company, CUNA Mutual Group.