2009 House Bill 1149: Protecting consumers from breaches of security
Introduced by Rep. Brendan Williams (D-Olympia) on January 14, 2009
Requires any business or person that owns or licenses computerized data which includes personal information to inform state residents of any security breach of that data. Allows anyone who has experienced an unauthorized expense as a result of the security breach to seek a refund or credit for any loss that was not recovered by the credit card company or appropriate financial institution. (See also Companion SB 5564).
Referred to the House Financial Institutions & Insurance Committee on January 14, 2009
Substitute offered in the House on February 17, 2009
Removes the section that altered notification provisions in the existing security breach law; replaces the defined phrase “magnetic stripe data” with “access device account data” throughout the bill and removes the reference to the magnetic stripe from the definition; prohibits a person or service provider from retaining certain financial information unless the information is encrypted; provides for liability of a person or a service provider who has violated the retention provisions when there is a breach of the security of the system; eliminates liability of a person whose service provider has violated the retention provisions when there is a breach of the security of the system; and alters the application of debit card time-lines as they apply to transient accommodations and rental car businesses.
The substitute passed by voice vote in the House on February 17, 2009
Referred to the House Rules Committee on February 19, 2009
Referred to the House Financial Institutions & Insurance Committee on January 11, 2010
Substitute offered in the House on January 19, 2010
To change underlying definitions and to modify the liability provisions and immunity provisions. A safe harbor threshold of six million transactions for a merchant is built into the definition of "merchant." Attorneys' fees are no longer awarded to the prevailing party in court. The changes to the existing data breach law are removed as are the prohibitions on a person or a service provider from retaining certain financial information unless the information is encrypted. The safe harbor threshold for a breach of less than 5,000 accounts is removed. The authorization of a fee to subsidize insurance to pay for security breaches is removed. Arbitration provisions are removed. The provisions applied to transient accommodations and rental car businesses are removed.
The substitute passed by voice vote in the House on January 19, 2010
Referred to the House Rules Committee on January 21, 2010
Amendment offered by Rep. Brendan Williams (D-Olympia) on February 14, 2010
To modify the definition of "merchant" by changing the defined word from "merchant" to "business." Definitions of "encrypted," "financial institution," and "vendor" are added. A provision that stated that the business, processor, or vendor is not liable if they comply with any applicable information security standard is modified. The protection from liability now occurs if the business, processor, or vendor has complied with standards adopted by the Payment Card Industry Security Council. Compliance is established if the business, processor, or vendor is completely validated on all components of security at an annual security assessment that occurred within twelve months of a breach of security. A provision that limited damages to all reasonable costs incurred to mitigate any possible damages to account holders is removed. A provision is added that limits damages to only reasonable costs related to the issuance of new access devices to persons who reside in the state. A provision is added that holds the vendor only liable to a financial institution if the claim is not foreclosed by another law or by a contract of the financial institution. A vendor is only liable to the degree that the damages are proximately caused and liability is allowed under law and under contract of the financial institution. A trier of fact may reduce any award by any amount already recovered by a financial institution from a credit card company for the breach. Language and clarifying changes are also made.
The amendment passed by voice vote in the House on February 14, 2010
Modifies the state security breach law and provides a cause of action for a financial institution if account information is compromised by a lack of reasonable care by a business, processor, or vendor.
Received in the Senate on February 16, 2010
Referred to the Senate Labor, Commerce & Consumer Protection Committee on February 16, 2010
Amendment offered in the Senate on February 26, 2010
To provide that businesses that process more than six million credit and debit card transactions are liable to a financial institution for a failure to exercise reasonable care through encryption of account information if they are the proximate cause of a breach of security. Vendors are liable to a financial institution to the extent that the damages are due to a defect in the vendor's software or equipment related to the encryption. A claim against a vendor may be limited or forestalled by another provision of law or by a contract with the financial institution.
The amendment passed by voice vote in the Senate on February 26, 2010
Referred to the Senate Rules Committee on February 26, 2010
Received in the House on March 6, 2010
Modifies the state security breach law. Provides a cause of action for a financial institution if account information is compromised by a lack of reasonable care by a business, processor, or vendor.
Signed by Gov. Christine Gregoire on March 22, 2010
Modifies the state security breach law. Provides a cause of action for a financial institution if account information is compromised by a lack of reasonable care by a business, processor, or vendor.