H.B. 468
1
RESPONSIBILITY FOR ACCESS DEVICES
2
AND SECURITY BREACHES
3
2008 GENERAL SESSION
4
STATE OF UTAH
5
Chief Sponsor: Stephen H. Urquhart
6
Senate Sponsor:
____________
7
8
LONG TITLE
9
General Description:
10
This bill modifies the Consumer Credit Protection Act to address costs related to
11
security breaches and access devices.
12
Highlighted Provisions:
13
This bill:
14
• defines terms;
15
• requires that certain transactional information not be retained;
16
• requires a person to pay costs of security breach under certain circumstances; and
17
• provides for cause of action for failure to pay.
18
Monies Appropriated in this Bill:
19
None
20
Other Special Clauses:
21
None
22
Utah Code Sections Affected:
23
AMENDS:
24
13-44-301, as enacted by Laws of Utah 2006, Chapter 343
25
ENACTS:
26
13-44-203, Utah Code Annotated 1953
27
28
Be it enacted by the Legislature of the state of Utah:
29
Section 1. Section 13-44-203 is enacted to read:
30
13-44-203. Cost of security breaches to depository institutions.
31
(1) As used in this section:
32
(a) (i) "Access device" means a card issued by a depository institution that contains:
33
(A) a magnetic stripe;
34
(B) a microprocessor chip; or
35
(C) another means for storage of information.
36
(ii) "Access device" includes:
37
(A) a credit card;
38
(B) a debit card; or
39
(C) a stored value card.
40
(b) "Card security code" means the number:
41
(i) (A) printed on an access device; or
42
(B) contained in the microprocessor chip or magnetic stripe of an access device; and
43
(ii) that is used to validate information related to the access device during an
44
authorization process.
45
(c) "Depository institution" is as defined in Section 7-1-103.
46
(d) "Magnetic stripe data" means the data contained in the magnetic stripe of an access
47
device.
48
(e) "Microprocessor chip data" means the data contained in the microprocessor chip of
49
an access device.
50
(f) "PIN" means a personal identification code that identifies the holder of an access
51
device.
52
(g) "PIN verification code number" means the data used to verify the identity of a
53
holder of an access device when a PIN is used in a transaction.
54
(h) "Service provider" means a person that stores, processes, or transmits access device
55
data on behalf of another person.
56
(2) (a) A person conducting business in the state that accepts an access device in
57
connection with a transaction may not retain the following more than 48 hours after the
58
transaction is authorized:
59
(i) card security code data;
60
(ii) a PIN verification code number; or
61
(iii) the full contents of any track of magnetic stripe data.
62
(b) A person is considered to be in violation of this Subsection (2) if the person's
63
service provider retains the information listed in Subsection (2)(a) after the time period
64
provided in Subsection (2)(a).
65
(3) (a) If there is a breach of the security system of a person who violates Subsection
66
(2), or that person's service provider, the person shall reimburse the depository institution that
67
issued an access device affected by the breach for:
68
(i) the costs of reasonable actions taken by the depository institution as a result of the
69
breach in order to:
70
(A) protect the information of the holder of the access device; or
71
(B) continue to provide services to the holder of the access device; and
72
(ii) the damages paid by the depository institution to a holder of an access device who
73
is injured by the breach of the security system that are not recovered by the depository
74
institution from another person.
75
(b) A reasonable action described in Subsection (3)(a) includes:
76
(i) the cancellation or reissuance of an access device affected by a breach of the
77
security system;
78
(ii) the closure of a deposit, transaction, share draft, or other account affected by a
79
breach of the security system;
80
(iii) an action to stop payment or block a transaction with respect to an account
81
described in Subsection (3)(b)(ii);
82
(iv) the opening or reopening of a deposit, transaction, share draft, or other account
83
affected by a breach of the security system;
84
(v) a refund or credit made to a holder of an access device to cover the cost of an
85
unauthorized transaction relating to a breach of the security system; and
86
(vi) the notification of a holder of an access device affected by a breach in the security
87
system.
88
(4) If a person fails to pay the amount due under Subsection (3), the depository
89
institution may bring an action in a court of compensation to require the person to pay an
90
amount equal to:
91
(a) the amount described in Subsection (3);
92
(b) the costs of collection of the amount described in Subsection (3); and
93
(c) attorney fees.
94
(5) The remedies of this section are cumulative and do not restrict any other right or
95
remedy otherwise available to a depository institution.
96
Section 2. Section 13-44-301 is amended to read:
97
13-44-301. Enforcement.
98
(1) The attorney general may enforce this chapter's provisions.
99
(2) (a) Nothing in this chapter creates a private right of action.
100
(b) Nothing in this chapter affects any private right of action existing under other law,
101
including contract or tort.
102
(3) A person who violates this chapter's provisions is subject to a civil fine of:
103
(a) no greater than $2,500 for a violation or series of violations concerning a specific
104
consumer; and
105
(b) no greater than $100,000 in the aggregate for related violations concerning more
106
than one consumer.
107
(4) In addition to the penalties provided in Subsection (3), the attorney general may
108
seek injunctive relief to prevent future violations of this chapter in:
109
(a) the district court located in Salt Lake City; or
110
(b) the district court for the district in which resides a consumer who is affected by the
111
violation.
112
(5) This section does not apply to a violation of Section 13-44-203.
Legislative Review Note
as of 2-11-08 11:06 AM