The processor or business may also be liable to the financial institution for attorneys’ fees and costs incurred in connection with any legal action. In addition, vendors of card processing software and equipment may be held liable for the damages incurred by a financial institution if the vendor’s negligence was the proximate cause of such damages.
For this purpose, a “processor” is defined as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined below, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.
A “business” is defined, for this purpose, as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit and debit card transactions annually and that provides, offers, or sells goods or services to persons who are residents of Washington.
Under HB 1149, a “vendor” means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own.
The new law provides for several exemptions. Processors, businesses and vendors that were compliant with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach are not liable to financial institutions. They are considered compliant if their PCI DSS compliance was validated by an annual assessment and that assessment took place no more than one year before the date of the breach. In addition, processors, businesses and vendors are not liable if the breach involved only encrypted card information.
The new law goes into effect on July 1, 2010.