Increasingly, generally-accepted industry standards and best practices seem to be saving our legislators much of the detail work when it comes to enacting laws pertaining to technical or otherwise complex fields. For instance, we know that the internal control framework disseminated by the Committee of Sponsoring Organizations of the Treadway Commission (thankfully, generally shortened to “COSO”) is identified by name by the U.S. Securities and Exchange Commission as a standard that businesses may use to achieve compliance with the rigorous internal control evaluation and disclosure requirements contained in the Sarbanes-Oxley Act of 2002 and related regulations.
Now, legislation proposed in Texas goes one step further and stops just shy of naming an industry standard by name in the text of a bill designed to ensure the security of personal data stored in portable “access devices,” such as credit cards. Texas House Bill No. 3222 contains the following provisions:
A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry [“PCI”] data security standards [“DSS”].…[and]…
A financial institution may bring an action against a business that is subject to a breach of system security if, at the time of the breach, the business is [not in compliance with PCI DSS].
The bill goes on to provide that a business may avoid a lawsuit brought under the statute if the business was certified by a “[PCI]-approved auditor” as being in compliance with PCI DSS at least 90 days before the date of a security breach. However, if the business was not in compliance, and if the lawsuit moves forward, the business may end up having to pay the financial institution’s “actual damages” – including costs incurred in connection with “cancellation or reissuance of an access device affected by the breach,” “closing of a deposit, transaction, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account,” “opening or reopening of a deposit, transaction, share draft, or other account affected by the breach,” “refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach,” and “notification of account holders affected by the breach” – in addition to the financial institution’s attorney’s fees. Obviously, for even a moderately large breach of, for example, credit card account information, the potential penalties flowing from this legislation for noncompliance with PCI DSS could be staggering.
The interesting part of this for me, though, is the bill’s almost express naming (but for the initial capital letters) of a specific industry standard – the Data Security Standard published by the Payment Card Industry Security Standards Council – to substitute for a detailed description of the actions a business must take to be in compliance with the law. Businesses should expect to see ever more numerous examples of this sort of legislation in coming years, making familiarity with and early adoption of generally-accepted business standards all the more advisable.
You can read the full text of HB 3222 here.
In addition, you can download a free copy of the PCI DSS here.
Comments (1)
With implications of non-compliance reaching up to fines of $500,000, it is important that all companies and businesses affected by PCI DSS understand what is required of them. With the multitude of information being posted, this can be quite an overwhelming task! Businesses should refer to the PCI DSS page for detailed info on all aspects, as well as refer to some white papers which are available freely online (such as PCI DSS Made Easy) to better understand what is involved and required for compliance.
Posted by Sara | May 24, 2007 8:02 AM