Minnesota made waves in 2007 when it became the first state to make part the Payment Card Industry (“PCI”) Data Security Standard applicable to its Plastic Card Security Act ( PDF Link). Although it has taken over two years, Nevada has become the second state to incorporate PCI and it has done so by making all of the PCI standard applicable.
Nevada’s existing Security of Personal Information law now requires that affected parties comply with PCI as a whole. Unfortunately, the Nevada amendment (PDF link) does not get off to a good start, requiring compliance deadlines that do not exist under the PCI standard, but are (in actuality) created independently by the card issuers. Amending the existing Security of Personal Information law, the amendment (PDF link) requires that each affected party meet the following standard:
If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.
The effect of the amendment itself is quite interesting. First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships. This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.
Second, the amendment proposes a standard that creates some interesting outcomes. This safe guard provides that “[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.” Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty. Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.
It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard. Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner than later.
Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws. With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.