To date at least 37 U.S. states have enacted breach notice laws (Maryland’s new breach notice law was signed May 17th), but these address how to react AFTER personally identifiable information (PII) has been compromised. Multiple federal-level bills have been proposed, but none has yet passed.
Now there is new motivation for organizations of all types that process credit card payments to strengthen their information security practices.
On May 21 Minnesota’s governor Tim Pawlenty signed the first law in the U.S. that makes retailers and other merchants liable if they retain credit or debit card data beyond certain time limits and the retained data is breached.
A key requirement of H.F. 1758 is to set limitations on how long businesses can retain credit and debit card data.
The data retention requirements take effect August 1, 2007 along with a provision allowing banks to file lawsuits to recover breach costs for data breaches occurring on or after that date.
This law amends the Minnesota breach notification law, H.F. 2121, that took effect January 1, 2006.
The new Minnesota law prohibits merchants from retaining data from the magnetic stripe of a credit card, and the personal identification number or access code for such a card, after completing a credit card transaction. For debit card transactions, merchants are prohibited from storing the information for longer than 48 hours after completion of a transaction. If a merchant retains this type of data in violation of the law and that information is breached, banks are authorized to file lawsuits to recover from the merchant “the cost of reasonable actions undertaken” to respond to the breach.
Under the new law, banks are entitled to seek the costs of cancelling and reissuing credit cards, closing and/or reopening accounts affected by the breach, stop-payment actions, reimbursement of unauthorized transactions, and providing breach notice to affected individuals.
It appears that this law only applies to electronic data, which is too bad; many privacy breaches occur as a result of organizations not safeguarding the PII on printed paper.
Look for more states to follow suit throughout the rest of this year until a comprehensive Federal data protection law is passed.