New Data Breach Law Says Assessor—Not Visa—Has The Final Word
Written by Evan Schuman

One of the top ongoing concerns about PCI compliance, the absence of a true safe harbor, has been obliterated in the state of Washington, thanks to a new law signed by Gov. Chris Gregoire. Well, obliterated for retailers that validated compliance; for everyone else, the law requires reimbursement of a financial institution's reasonable actual costs "even if the financial institution has not suffered a physical injury in connection with the breach."
The absence of a safe harbor has meant that a retailer certified as PCI compliant isn’t really protected from anything when a breach happens. That’s because Visa and others do not hesitate to conduct post-breach probes and find something–anything–to conclude that the chain wasn’t actually compliant at the time of the breach. That’s how Visa has been telling audiences that “no compromised entity has been found to be compliant at the time of the breach.” It’s a lesson processor Heartland learned well.
In Washington state, the new law is trying to force retailers to reimburse various financial institutions for any cost incurred due to a breach. The retail chain is now “liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders who reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach.”
Physical injury? Are they seeing a lot of Seattle processors jumping out of windows after a breach or something? No matter. The more interesting part of the new law is the PCI section and wording that make it clear the Washington state government is now wise to the post-breach “Compliance? What compliance?” game.
First, the law gives a pass to any breached retailer that was certified as PCI compliant at the time of the breach. But the law then specifies that the post-breach game won't fly in the state of Washington: A retailer "will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer's] security assessment of compliance is nonrevocable."
Nonrevocable, eh? Finally, someone has bought into the concept of safe harbor. If a chain gets certified, it will be safe, at least from processors and banks in the state of Washington. (Speaking of Washington, if the feds do the same thing, we’ll be really getting somewhere.)
That said, the Washington law isn't perfect. First, there is no reference to consumer compensation for the breach, so that issue is still open. Consumers who are hurt by the breach (time spent getting money back, bounced checks fixed and credit records repaired) but suffer no direct financial loss, because zero-liability policies reimburse them, are still unprotected, even in the state of Washington, because the bill simply doesn't address consumer compensation.
In addition, the law has a vague reference to encryption, namely that the chain also gets a pass if "the account information was encrypted at the time of the breach." But it doesn't specify what strength of encryption qualifies, nor does the law say what happens if the cyberthief also obtained the encryption key. That's not a hypothetical concern; it was an issue that TJX raised in an SEC filing shortly after announcing its data breach: "We believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX."
Flaws aside, the Washington state law at least gives Washington-state-based retailers (are you listening Amazon, Costco and Starbucks?) and retailers who have a substantial presence in the state a little more cost justification for PCI. And that can’t be a bad thing.
May 13th, 2010 at 1:42 am
The Washington law is interesting in that it not only refers to PCI specifically, but that it appears to offer safe harbor if “compliance was validated by an annual security assessment.” Does this mean self-assessment doesn’t count? If so, is safe harbor only for Level 1 and some Level 2 merchants?
Also, while Washington offers safe harbor for a year after an assessment, it seems to ignore (or assume) the other, on-going PCI compliance requirements like a 6-month firewall rule review, passing quarterly external vulnerability scans, and daily log reviews. (See: http://www.storefrontbacktalk.com/securityfraud/pci-compliance-is-good-data-security-is-better/) What if a company validated (there is no such thing as “certified”) their compliance then failed their scans and did not remediate the vulnerabilities? Better yet, what if one of these vulnerabilities was the source of the breach?
Then, as you point out, there is the rather confusing/incomplete section on encryption. At least PCI spells out what constitutes strong encryption. Would, say, tokenization or hashing provide a merchant with safe harbor since neither is encryption?
I’m a big fan of safe harbor, but I would like it better if the card brands who understand the business would take it on rather than individual state governments that seem to rely on an imperfect or incomplete reading of PCI. Next we’ll get to see what happens as PCI changes and evolves. Remember, PCI is a data protection standard — not a security standard.
May 20th, 2010 at 2:43 pm
As a POS software developer, I am simply amazed at the idea that VISA USA, etc. can offer such a flawed product (flawed in the sense that it is trivial to counterfeit), and yet everyone but VISA must spend serious money to shore up their flawed product.