FEDERAL WAY, Wash. (2/19/08)--Legislation that would allow a credit union to sue negligent third-party data breachers if the credit union incurred costs to protect its members from fraud and identity theft passed the Washington State House of Representatives Friday. “Passage of this bill confirms the logic that says careless businesses that expose consumers to financial fraud should be responsible for the costs of cleaning up their own mess,” said Washington Credit Union League President/CEO John Annaloro. The bill, HB 2838, now moves to the state Senate, where it is expected to face opposition from bankers and retailers who argue that credit unions should contract for reimbursement with large credit card issuers (Focus Newsletter Feb. 18). Bill sponsor and State Rep. Brendan Williams (D-22) said it’s reasonable to expect businesses to take precautions to protect their customers’ data. Financial institutions, instead of the negligent third parties, pay the bill for the breaches, he added. “While it’s true that businesses pay fees to credit card companies, these fees should not be viewed as immunizing businesses from the necessity to safeguard their customers’ privacy,” Williams said. “There should be some sanction for gross negligence that compromises credit and debit card information.” Last year, Washington credit unions spent more than $1 million to protect their members from fraud and identity theft because of third-party negligence, according to Stacy Augustine, league senior vice president and general counsel. If enacted, the bill would be the second state statute addressing data breach reimbursement.