New Data Breach Law Says Assessor—Not Visa—Has The Final Word

One of the top ongoing concerns about PCI compliance—the absence of a true safe harbor—has been obliterated in the state of Washington, thanks to a new law signed by Gov. Chris Gregoire. Well, obliterated to the extent that it otherwise requires reimbursement of a financial entity's reasonable actual costs "even if the financial institution has not suffered a physical injury in connection with the breach."

The absence of a safe harbor has meant that a retailer certified as PCI compliant isn't really protected from anything when a breach happens. That's because Visa and others do not hesitate to conduct post-breach probes and find something--anything--to conclude that the chain wasn't actually compliant at the time of the breach. That's how Visa has been telling audiences that "no compromised entity has been found to be compliant at the time of the breach." It's a lesson processor Heartland learned well.

In Washington state, the new law is trying to force retailers to reimburse various financial institutions for any cost incurred due to a breach. The retail chain is now "liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders who reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach."

Physical injury? Are they seeing a lot of Seattle processors jumping out of windows after a breach or something? No matter. The more interesting part of the new law is the PCI section and wording that make it clear the Washington state government is now wise to the post-breach "Compliance? What compliance?" game.

First, the law gives a pass to any breached retailer that certified PCI compliant at the time of the breach. But the law then specifies that the post-breach game won't fly in the state of Washington: A retailer "will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer's] security assessment of compliance is nonrevocable."

Nonrevocable, eh? Finally, someone has bought into the concept of safe harbor. If a chain gets certified, it will be safe, at least from processors and banks in the state of Washington. (Speaking of Washington, if the feds do the same thing, we'll be really getting somewhere.)

That said, the Washington law isn't perfect. First, there is no reference to consumer compensation for the breach, so that issue is still active. Consumers who are impacted by the breach (such as time spent getting money back and bounced checks fixed and credit records repaired) but suffer no financial losses (because of reimbursements)—courtesy of zero liability—are still unprotected, even in the state of Washington, because the bill simply doesn't address consumer compensation

In addition, the law has a vague reference to encryption, namely that the chain also gets a pass if "the account information was encrypted at the time of the breach." But it doesn't specify the level of encryption, nor does the law mention what happens if the cyberthief also obtained the encryption key. That's not a hypothetical concern; it was an issue that TJX raised in an SEC filing shortly after announcing its data breach:"We believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX."

Flaws aside, the Washington state law at least gives Washington-state-based retailers (are you listening Amazon, Costco and Starbucks?) and retailers who have a substantial presence in the state a little more cost justification for PCI. And that can't be a bad thing.