Washington Revised Code Title 19. Business Regulations--Miscellaneous § 19.255.020. Liability of processors, businesses, and vendors

(a) “Account information” means: (i) The full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device as defined under RCW 19.300.010; or (iii) the unencrypted primary account number on a credit card or debit card or identification device, plus any of the following if not encrypted: Cardholder name, expiration date, or service code.

(b) “Breach” has the same meaning as “breach of the security of the system” in RCW 19.255.010.

(c) “Business” means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington.

(d) “Credit card” has the same meaning as in RCW 9A.56.280.

(e) “Debit card” has the same meaning as in RCW 9A.56.280 and for the purposes of this section, includes a payroll debit card.

(f) “Encrypted” means enciphered or encoded using standards reasonable for the breached business or processor taking into account the business or processor's size and the number of transactions processed annually.

(g) “Financial institution” has the same meaning as in *RCW 30.22.040.

(h) “Processor” means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined under this section, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.

(i) “Service code” means the three or four digit number in the magnetic stripe or on a credit card or debit card that is used to specify acceptance requirements or to validate the card.

(j) “Vendor” means an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own.

(3)(a) If a processor or business fails to take reasonable care to guard against unauthorized access to account information that is in the possession or under the control of the business or processor, and the failure is found to be the proximate cause of a breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders that reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach. In any legal action brought pursuant to this subsection, the prevailing party is entitled to recover its reasonable attorneys' fees and costs incurred in connection with the legal action.

(b) A vendor, instead of a processor or business, is liable to a financial institution for the damages described in (a) of this subsection to the extent that the damages were proximately caused by the vendor's negligence and if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party.