H.B. 468
8 LONG TITLE
9 General Description:
10 This bill modifies the Consumer Credit Protection Act to address costs related to
11 security breaches and access devices.
12 Highlighted Provisions:
13 This bill:
14 . defines terms;
15 . requires that certain transactional information not be retained;
16 . requires a person to pay costs of security breach under certain circumstances; and
17 . provides for cause of action for failure to pay.
18 Monies Appropriated in this Bill:
19 None
20 Other Special Clauses:
21 None
22 Utah Code Sections Affected:
23 AMENDS:
24 13-44-301, as enacted by Laws of Utah 2006, Chapter 343
25 ENACTS:
26 13-44-203, Utah Code Annotated 1953
27
28 Be it enacted by the Legislature of the state of Utah:
29 Section 1. Section 13-44-203 is enacted to read:
30 13-44-203. Cost of security breaches to depository institutions.
31 (1) As used in this section:
32 (a) (i) "Access device" means a card issued by a depository institution that contains:
33 (A) a magnetic stripe;
34 (B) a microprocessor chip; or
35 (C) another means for storage of information.
36 (ii) "Access device" includes:
37 (A) a credit card;
38 (B) a debit card; or
39 (C) a stored value card.
40 (b) "Card security code" means the number:
41 (i) (A) printed on an access device; or
42 (B) contained in the microprocessor chip or magnetic stripe of an access device; and
43 (ii) that is used to validate information related to the access device during an
44 authorization process.
45 (c) "Depository institution" is as defined in Section 7-1-103.
46 (d) "Magnetic stripe data" means the data contained in the magnetic stripe of an access
47 device.
48 (e) "Microprocessor chip data" means the data contained in the microprocessor chip of
49 an access device.
50 (f) "PIN" means a personal identification code that identifies the holder of an access
51 device.
52 (g) "PIN verification code number" means the data used to verify the identity of a
53 holder of an access device when a PIN is used in a transaction.
54 (h) "Service provider" means a person that stores, processes, or transmits access device
55 data on behalf of another person.
56 (2) (a) A person conducting business in the state that accepts an access device in
57 connection with a transaction may not retain the following more than 48 hours after the
58 transaction is authorized:
59 (i) card security code data;
60 (ii) a PIN verification code number; or
61 (iii) the full contents of any track of magnetic stripe data.
62 (b) A person is considered to be in violation of this Subsection (2) if the person's
63 service provider retains the information listed in Subsection (2)(a) after the time period
64 provided in Subsection (2)(a).
65 (3) (a) If there is a breach of the security system of a person who violates Subsection
66 (2), or that person's service provider, the person shall reimburse the depository institution that
67 issued an access device affected by the breach for:
68 (i) the costs of reasonable actions taken by the depository institution as a result of the
69 breach in order to:
70 (A) protect the information of the holder of the access device; or
71 (B) continue to provide services to the holder of the access device; and
72 (ii) the damages paid by the depository institution to a holder of an access device who
73 is injured by the breach of the security system that are not recovered by the depository
74 institution from another person.
75 (b) A reasonable action described in Subsection (3)(a) includes:
76 (i) the cancellation or reissuance of an access device affected by a breach of the
77 security system;
78 (ii) the closure of a deposit, transaction, share draft, or other account affected by a
79 breach of the security system;
80 (iii) an action to stop payment or block a transaction with respect to an account
81 described in Subsection (3)(b)(ii);
82 (iv) the opening or reopening of a deposit, transaction, share draft, or other account
83 affected by a breach of the security system;
84 (v) a refund or credit made to a holder of an access device to cover the cost of an
85 unauthorized transaction relating to a breach of the security system; and
86 (vi) the notification of a holder of an access device affected by a breach in the security
87 system.
88 (4) If a person fails to pay the amount due under Subsection (3), the depository
89 institution may bring an action in a court of compensation to require the person to pay an
90 amount equal to:
91 (a) the amount described in Subsection (3);
92 (b) the costs of collection of the amount described in Subsection (3); and
93 (c) attorney fees.
94 (5) The remedies of this section are cumulative and do not restrict any other right or
95 remedy otherwise available to a depository institution.
96 Section 2. Section 13-44-301 is amended to read:
97 13-44-301. Enforcement.
98 (1) The attorney general may enforce this chapter's provisions.
99 (2) (a) Nothing in this chapter creates a private right of action.
100 (b) Nothing in this chapter affects any private right of action existing under other law,
101 including contract or tort.
102 (3) A person who violates this chapter's provisions is subject to a civil fine of:
103 (a) no greater than $2,500 for a violation or series of violations concerning a specific
104 consumer; and
105 (b) no greater than $100,000 in the aggregate for related violations concerning more
106 than one consumer.
107 (4) In addition to the penalties provided in Subsection (3), the attorney general may
108 seek injunctive relief to prevent future violations of this chapter in:
109 (a) the district court located in Salt Lake City; or
110 (b) the district court for the district in which resides a consumer who is affected by the
111 violation.
112 (5) This section does not apply to a violation of Section 13-44-203.
Legislative Review Note
as of 2-11-08 11:06 AM