Monday, January 28, 2008

New Bills Concerning Encryption and Retail Liability

The New Year is bringing renewed attempts to legislate data security. Michigan and Washington both have bills pending that would make retailers liable for payment card data security breaches (Michigan bill, Washington bill). The Washington bill explicitly requires compliance with the Payment Card Industry Data Security Standard to avoid liability.

Both states also have bills that require encryption of personal data (Michigan bill, Washington bill). Both bills require encryption of stored personal data consistent with "generally accepted industry standards" (a term left undefined). The Michigan bill sets forth criminal penalties for non-compliance: imprisonment for up to 30 days, a fine of up to $1,000, or both.
