Information on Merchant Accounts,
Ecommerce and Credit Card Processing

May 18th, 2007 by Jamie Estep

Texas businesses liable for data security breaches, Jan 09

Filed in: Fraud, Industry News | 3 comments

I’m a few days behind on this one. I completely forgot to write about it last week, but the PCI and Data Security Compliance Blog reminded me when I saw it in my feed reader.

Last week, Texas legislation passed a bill that makes businesses liable for any monetary expenses resulting from data security breaches of their company. The data that is specifically covered under this is credit card or other magnetic or chip stored information, and personally sensitive information. The bill also states that businesses must safeguard sensitive information and that they must take action if a data security breach is discovered.

Businesses will be responsible for any costs that a financial institution incurs when they have to replace customer’s cards that may have been compromised as well as repay the financial institution’s legal fees. More importantly, the business is completely liable for any refunded transactions that the bank has to make to the customer (This is the first time that I have ever seen a bill, law, or regulation that takes chargeback liability from the business that actually accepted the card.) Also one of the only logical regulations I have seen regarding the payment processing industry.

The bill does not specify how the data must be stored, so any business that keeps copies of sensitive data, either in an electronic database, or on paper, is subject to this bill. Also, businesses that are PCI compliant are protected.

This is an extremely important bill and I imagine that many states are likely to follow suit. In my opinion the most significant part of this bill is placing liability on the business where the breach occurred. Realistically, this could be a very positive change for online businesses and others that are subject to stolen card fraud. I’m not sure if there is a measurable percentage of fraud that occurs from breaches, but if there is it could definitely help take the load off businesses being hit with this type of fraud.

Texas BILL HB03222E (text document)
Actual Texas BILL HB03222E

Other blogs about this law:
Texas first state to make PCI law –
PCI Codified into Texas law (nearly) –
The Law of PCI –
PCI Takes A Twist –

3 Responses to “Texas businesses liable for data security breaches, Jan 09”

  1. Mark October 29, 2007 at 6:06 pm

    They should be held accountable.. it was their responsibility

  2. Jim January 10, 2009 at 2:55 pm

    Sorry for the comment on an old post, but it should be noted that this Texas bill never became law. It passed the House, but died in committee when it got to the Senate.

  3. jestep January 12, 2009 at 9:20 am

    Thanks for the update on the status of this.