Page 22 - GS210302
Cover Story
Violations of the CCPA can result in civil penalties ranging from $2,500 to $7,500 for each violation. Additionally, private plaintiffs can bring civil actions against breached companies when those breaches result in theft or disclosure of their private information. Consumers can seek up to $750 per incident, or actual damages, whichever is greater, BakerHostetler noted.

Virginia followed California's lead, passing a similar law on March 2, 2021, with an effective date of 2023. And proposals on the legislative dockets in several other states, including New York and Washington, would impose similar requirements for safeguarding consumers' private information.

All of these state initiatives mirror closely the tough stance taken by the European Union with its 2018 enactment of the General Data Protection Regulation.

"These privacy laws and regulations apply to clients as well as employees and vendors," Federgreen said. "There are no distinctions made as to the size of the business, revenues or anything else."

Obligations for ISOs and merchants

The laws have very real implications for ISOs and acquirers. "ISOs and acquirers need to improve their knowledge of what the laws cover," Dunn said. "They need to be aware of the stringent liabilities involved and the fines they could be subject to for failing to comply" with rules for protecting against and reporting breaches of personal information.

Most ISOs have agent portals that, among other things, are conduits for personal information about agents (names, SSNs, etc.). That information is covered by laws like the CCPA, and if compromised, there are specific requirements for reporting and rectifying the compromise, Dunn noted.

Steve Eazell, executive vice president for strategic partners at ComplyPact, pointed out that acquirers and ISOs can also land on the hot seat if they don't properly vet customers that run afoul of federal fraud and money laundering laws. The U.S. Department of Justice, as well as other U.S. and foreign law enforcement agencies, expect companies to establish compliance programs that keep fraudsters and money launderers at bay, or risk culpability. "They're holding merchants liable if [for example] a rogue employee is skimming credit card information and selling it on the dark web," Eazell said.

In 2020, the DOJ updated prosecutorial guidelines that illustrate why all companies, regardless of size, need comprehensive compliance programs that will hold up under the