
RCW 19.255.020: A New Law Every Business in Washington Must be Aware of

A recent development in the State of Washington Breach Notification Law, RCW 19.255.010, is the adoption of a “retailer liability” provision. RCW 19.255.020 gives banks, which incur significant costs due to security breaches, a remedy against retailers and payment processors that fail to protect against a security breach. The State of Washington Legislature determined that when a retailer’s computer system has released information without authorization, it is usually the bank that incurs a significant expense in having to reissue credit and debit cards, change account passwords, and take other steps to protect its clientele from becoming victims of identity theft.

The Law provides that if a business or payment processor fails to take “reasonable care” to guard against unauthorized access to customer account information, the business or payment processor will be liable to the financial institution for the costs associated with the breach. However, the business or payment processor is not liable if the customer account information was encrypted at the time of the breach, or if the business or payment processor was certified as compliant under PCI DSS. An immediate problem with the intent of this law is determining what counts as an adequate standard of encryption. In addition, being certified PCI DSS compliant only means that the business or payment processor was compliant on that particular day.
