OLYMPIA, Wash. – A new law signed by Gov. Christine Gregoire Monday will lift some of the burdens on credit unions for reissuing credit cards in data breaches by making the offending parties liable.
“Washington credit unions have spent millions of dollars cleaning up the mess left by merchants and data processors when large-scale data compromises occur. The private financial information these third-party processors hold has too often been negligently stored or transmitted. Credit and debit card fraud can be the result,” said John Annaloro, president of the Washington CU League, which lobbied for the bill. “This new law thoughtfully addresses that responsibility by placing recovery costs back on the negligent party, and is likely a national model for state data breach legislation.”
The new law holds businesses that process more than 6 million debit or credit transactions per year liable for reissuance costs when they fail to exercise reasonable care through encryption of account information, or when a defect in the vendor’s software or equipment related to the encryption resulted in the breach.
Businesses are immune from action when the information they process is encrypted and the business itself is certified compliant.
“When the first notification of a data breach occurs, having the financial institution immediately begin blocking and reissuing compromised plastic is the most proactive step a credit union or bank could take to protect the consumer from harm,” said Annaloro. “Allowing financial institutions to recoup these costs from a negligent data-breacher removes the financial burden from affected financial institutions. This encourages institutions to always take action on consumers’ behalf.”