|
Data security remains a top subject in many 2010 legislative sessions, but at least two states have taken up the cause of retailers complaining about card "swipe fees." Vermont has approved legislation broadening the rights of merchants to pass on interchange fees through pricing and discount practices and other measures, while Georgia also is considering interchange-related legislation.
Florida
Debit surcharge bill introduced
This bill, also seen in other states (New York), would prohibit the imposition of a surcharge by a seller in a sales transaction on a holder who uses a debit card and to clarify that sellers may offer discounts to induce consumers to make payments with means other than payment cards.
Companion bills S.B. 586 and H.B. 279 on data security prefiled
A pair of companion bills in Florida, S.B. 586 and H.B. 279, were prefiled for introduction and would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology to make all personal data disposed of by companies and agencies inaccessible. If signed by the governor, the proposed law would take effect July 1, 2010.
Georgia
House Bill 1456 on interchange introduced, crossover deadline missed
This bill is a clone of Vermont’s S.138 to allow for setting of purchase maximums and minimums, to allow selective acceptance of payment cards, and to terminate ‘default’ interchange rates. It is a bipartisan bill intended to "… bring much-needed restraint to an out-of-control industry," said GACS chairman Rob Patterson, president of Macon-based Mini-Foods Inc. The bill was not acted on by the legislature and missed the crossover deadline, rendering it effectively dead for this year.
Massachusetts
Massachusetts becomes the first U.S. state to require set of data security practices
Massachusetts became the first U.S. state to require business entities that own or license “personal information,” as defined under the Massachusetts security breach notification statute, to implement a list of specific data security practices. The final data security regulations apply to “personal information” that is maintained about Massachusetts residents. “Personal information” is defined consistent with the state's security breach notification statute to mean a person's first name and last name, or first initial and last name, in combination with any of the following data elements: (1) Social Security number; (2) driver's license number or state identification card number; or (3) financial account number, or credit or debit card number, in combination with any required security code, access code, personal identification number, or password that would permit access to an individual's financial account.
The regulations require businesses that own or license personal information about Massachusetts residents to “develop, implement, and maintain a comprehensive written information security program,” taking into account: (1) the size, scope and type of the business; (2) the amount of resources available to the business; (3) the amount of stored data; and (4) the need for security and confidentiality of both consumer and employee information.
Michigan
HB 5821, Payday debit card changes introduced
Legislation was introduced in the House that would allow employers to issue payroll through a debit card with employees able to withdraw that money from a bank with no fee. While businesses already can issue payroll on a card, employers have to get permission from their employees to do so. Employees would also benefit because they could take out the money for free once during each pay period, which is not currently part of the law. The legislation, which has bipartisan co-sponsors, was referred to the Banking and Financial Services Committee.
H.B. 4732, Red Flags Rule introduced
This bill would create a state version of the Federal Trade Commission's Red Flags Rule. It would require creditors in the state to implement programs aimed at spotting tell-tale signs—or “red flags”—of possible identity theft and put in place mitigation measures. H.B. 4732 would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Reporting Act Red Flags Rule. Companies that complied with the federal Red Flags Rule would be exempt from the state law.
Minnesota
S.F.2493, identity theft with scanners bill introduced
The bill would apply criminal penalties for use of scanning device and reencoder to acquire information from payment cards and treat it as identity theft.
2010-03: H.F.3623 and S.F 3213, PIN debit conversion bills introduced
The bill would require all debit cards to be issued as PIN-based cards and transactions made with those cards to be processed as PIN-based transactions, outlawing signature debit.
For a look at existing state by state breach notification law, download the latest pdf listing here. |
