FEDERAL WAY, Wash. (1/16/08)--A new league-backed bill in the Washington State legislature would make costs associated with data breaches--such as the massive TJX Cos. breach--a responsibility of the merchant.
According to Washington Credit Union League President/CEO John Annaloro, "the league supports SB 6425 because the massive monetary costs associated with data insecurity continue to be a plague on the card payment system, costing the state's financial institutions millions of dollars each year."
The league wrote the bill, which is sponsored by Rep. Brendan Williams (D-22) in the House and Sen. Rosa Franklin (D-29) in the Senate. The bill was "dropped" or introduced in the opening days of the 2008 state legislative session, said the league.
The bill requires merchants accepting plastic to reimburse card-issuing financial institutions for the costs associated with card reissuance after a data breach. The bill also would deter financial fraud and identity theft in three ways:
* By requiring businesses accepting plastic cards to encrypt or dispose of sensitive consumer data promptly;
* By making businesses that store sensitive consumer data and fail to meet basic security standards responsible for the costs of consumer notification and card replacement; and
* By establishing a safe harbor for businesses that meet basic security standards.
According to Stacy Augustine, league senior vice president and general counsel, SB 6425 represents good public policy because it provides a powerful financial incentive for data custodians to take the steps necessary to prevent security breaches. It also encourages all financial institutions to take steps to quickly reissue compromised cards and monitor accounts to avoid fraud and identity theft, she said.
The hard cost of reissuing a plastic card is estimated at about $20. However, the cost of reissuance, customer care and maintenance, including soft costs, is estimated at $00 to $180 per account.
"What the bill does not do is prohibit businesses from retaining encrypted information or certain unencrypted elements needed for on-going marketing," said Augustine. "The league feels that this data-breach-reimbursement legislation proposes reasonable information security standards and needed encouragement to financial institutions to take extraordinary measures to protect consumers from identity theft and fraud."
If enacted, SB 6425 would be the second state data bill in the nation to make its way into law. Similar bills were introduced in Minnesota, Massachusetts, Texas and California in 2007. The Minnesota bill was enacted. The Massachusetts and Texas bills ran out of time during their legislative sessions. The California bill was vetoed by Gov. Arnold Schwarzenegger.
Washington has enacted several consumer protection laws during the past five years. In 2007, it enacted a "credit freeze" bill to enable consumers to block access to new lines of credit for any reason. The league supported that bill also.