SENATE BILL 347
51st legislature - STATE OF NEW MEXICO - first session, 2013
INTRODUCED BY
Sander Rue
AN ACT
RELATING TO FINANCE; ENACTING THE ACCESS DEVICE DATA ACT; PROVIDING AN ACTION FOR CIVIL LIABILITY FOR A BREACH OF THE ACT.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
SECTION 1. [NEW MATERIAL] SHORT TITLE.--Sections 1 through 3 of this act may be cited as the "Access Device Data Act."
SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the Access Device Data Act:
A. "access device" means a credit card, debit card or other commercial instrument a cardholder receives from a card issuer for the purpose of electronically conducting a financial transaction;
B. "access device data" means:
(1) a cardholder account number printed or embossed on an access device;
(2) the contents of a magnetic stripe, including its tracks of data, a microprocessor chip or any other mechanism for storing electronically encoded information in an access device;
(3) a service code;
(4) a card verification value, card authentication value, card validation code or card security code for the access device; or
(5) a personal identification number for the access device;
C. "authorization process" means the verification of access device data and the verification of sufficiency of funds in a credit line or a financial institution account of a cardholder for completion of a financial transaction;
D. "breach of access device data" means the retention of an unencrypted cardholder account number or unencrypted service code or the retention of a card verification value, card authentication value, card validation code, card security code or personal identification number by a merchant services provider after the conclusion of the authorization process:
(1) without the approval or direction of the card issuer;
(2) resulting in the compromised security and confidentiality of access device data; and
(3) creating a material risk of harm or actual harm to a cardholder;
E. "cardholder" means a person to whom an access device has been issued by a card issuer;
F. "card issuer" means a financial institution that issues an access device;
G. "financial institution" means an insured state or national bank, a state or federal savings and loan association or savings bank or a state or federal credit union;
H. "financial transaction" means an interaction between two or more persons, by mutual agreement, involving a simultaneous creation or liquidation of a financial asset and the counterpart liability, or a change in ownership of a financial asset or an assumption of a liability;
I. "merchant services" means processing, transmitting, retaining or storing access device data to facilitate a financial transaction that affects a cardholder's account;
J. "merchant services provider" means a person that engages in merchant services on the person's own behalf or for the benefit of another person; and
K. "person" means an individual, partnership, joint venture, corporation, association or any other group, however organized, whose principal place of residence or business is in the state.
SECTION 3. [NEW MATERIAL] BREACH OF ACCESS DEVICE DATA-- CIVIL LIABILITY--REASONABLE ATTORNEY FEES.--
A. A card issuer may file a civil complaint against a merchant services provider whose retention of access device data constitutes a breach of access device data. If the card issuer is the prevailing party, a court may award the reasonable costs that a card issuer incurs for:
(1) canceling or reissuing an access device;
(2) stopping payments or blocking financial transactions to protect any account of the cardholder;
(3) closing, reopening or opening any affected financial institution account of a cardholder;
(4) refunding or crediting a cardholder for any financial transaction that the cardholder did not authorize and that occurred as a result of the breach; or
(5) notifying affected cardholders.
B. In an action pursuant to this section, the court may award to the prevailing party reasonable attorney fees.
SECTION 4. Section 38-1-16 NMSA 1978 (being Laws 1959, Chapter 153, Section 1, as amended) is amended to read:
"38-1-16. PERSONAL SERVICE OF PROCESS OUTSIDE STATE.--
A. Any person, whether or not a citizen or resident of this state, who in person or through an agent does any of the acts enumerated in this subsection [thereby], submits [himself] or [his] the person's personal representative submits to the jurisdiction of the courts of this state as to any cause of action arising from:
(1) the transaction of any business within this state;
(2) the operation of a motor vehicle upon the highways of this state;
(3) the commission of a tortious act within this state;
(4) the contracting to insure any person, property or risk located within this state at the time of contracting;
(5) the contracting to provide merchant services to a person within the state pursuant to the provisions of the Access Device Data Act; or
[(5)] (6) with respect to actions for divorce, separate maintenance or annulment, the circumstance of living in the marital relationship within the state, notwithstanding subsequent departure from the state, as to all obligations arising from alimony, child support or real or personal property settlements under Chapter [22] 40, Article [7 NMSA 1953] 4 NMSA 1978 if one party to the marital relationship continues to reside in the state.
B. Service of process may be made upon any person subject to the jurisdiction of the courts of this state under this section by personally serving the summons upon the defendant outside this state and such service has the same [force and] effect as though service had been personally made within this state.
C. Only causes of action arising from acts enumerated in this section may be asserted against a defendant in an action in which jurisdiction is based upon this section.
D. Nothing contained in this section limits or affects the right to serve any process in any other manner [now or hereafter] provided by law."
- 6 -