LRB-3970/1
CTS:bjk&kjf:nwn
2007 - 2008 LEGISLATURE
February 1, 2008 - Introduced by Senators Wirch, Breske, Ellis, Hansen, A. Lasee,
Lassa, Lehman, Olsen, Roessler, Schultz and Sullivan, cosponsored by
Representatives Davis, Newcomer, Albers, Ballweg, Bies, Boyle, Gronemus,
Gunderson, Hahn, Hilgenberg, Hintz, Jeskewitz, Kaufert, Kerkman, F.
Lasee, Montgomery, Mursau, Musser, Nelson, Nygren, A. Ott, Pridemore,
Seidel, Sheridan, Suder, Tauchen, Turner, Van Akkeren, Vos, M. Williams,
Zepnick and Ziegelbauer. Referred to Committee on Veterans and Military
Affairs, Biotechnology and Financial Institutions.
An Act to create 100.545 of the statutes;
relating to: prohibiting the retention
of certain information obtained in transactions using account access devices.
Analysis by the Legislative Reference Bureau
This bill prohibits the retention of certain data by a person who accepts
payment for goods or services in the form of a card issued by a financial institution,
generally, a credit card or debit card. The bill prohibits a person who accepts such
payment for a sale from retaining a security code, personal identification number, or
certain other data, after the sale is authorized. If a person violates the prohibition,
the person must reimburse the financial institution that issued the card for the cost
of reasonable action taken to protect personal information pertaining to, or to
continue to provide service to, the financial institution's customers. A financial
institution that is injured by a violation of the prohibition on data retention may
bring an action for damages against the violator.
Under the bill, persons are exempt from the prohibition on data retention if
they comply with certain federal privacy and security standards or with certain
industry standards for data encryption and security.
For further information see the state fiscal estimate, which will be printed as
an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 100.545 of the statutes is created to read:
100.545 Account access devices; retention of information. (1) Definitions. In this section:
(a) "Account access device" means a card issued by a financial institution that
contains a means for storage of electronic data.
(b) "Financial institution" has the meaning given in s. 134.97 (1) (b).
(c) "Security code" means digits printed or electronically stored on an account
access device that are used to validate information during the authorization process.
(d) "Service provider" means a person that stores, processes, or transmits
account access device data on behalf of another person.
(2) Retention of certain information prohibited. No person that accepts an
account access device in connection with a sale of goods or services shall retain a
security code, a personal identification number, or the full contents of any track of
data from a magnetic stripe on the access device obtained from an account access
device, or permit the person's service provider to retain a security code, a personal
identification number, or the full contents of any track of data from a magnetic stripe
on the access device obtained from an account access device, after the sale is
authorized.
(3) Liability. If a person violates this section and the violation causes the
security, confidentiality, or integrity of another person's personal information to be
compromised, the violator shall reimburse the financial institution that issued any
account access device affected by the violation for the cost of reasonable action taken
by the financial institution to protect personal information pertaining to, or to
continue to provide service to, the financial institution's customers, including the
cost of doing any of the following:
(a) Canceling or reissuing an account access device affected by the violation.
(b) Closing an account affected by the violation and taking action to stop
payments or block transactions involving the account.
(c) Opening or reopening an account affected by the violation.
(d) Refunding or crediting a customer to cover the cost of an unauthorized
transaction relating to the violation.
(e) Notifying customers affected by the violation.
(4) Exemption. This section does not apply to any of the following:
(a) A person that is subject to, and in compliance with, the privacy and security
requirements of 15 USC 6801 to 6827.
(b) A person that encrypts transmission of data pertaining to a holder of an
account access device across open and public networks using Wi-Fi Protected Access
or Wi-Fi Protected Access 2 security specifications.
(c) A person who complies with the Payment Card Industry Data Security
Standard.
(5) Remedies. Any financial institution injured by a violation of this section
may bring an action against the violator for damages. Notwithstanding s. 814.04 (1),
a court shall award reasonable attorney fees to a plaintiff who prevails in an action
under this subsection.