The Obama Administration is taking new steps aimed at improving the security of consumer financial transactions. Specifically recognizing that identity crimes, including credit card fraud, are a risk to U.S. economic activity, President Barack Obama issued an executive order on October 17, 2014 touching on three areas: government payments, identity theft remediation, and online federal transactions.
Government Payments. The order first tries to strengthen data security for citizens doing business with the federal government by requiring all executive departments and agencies to transition payments processing terminals as well as credit, debit, and other payment cards to use “enhanced security features, including chip-and-PIN technology.” More specifically, the Secretary of the Treasury must ensure that all newly acquired terminals have enhanced security features and, by January 1, 2015, have developed a plan for federal agencies to install enabling software in older terminals that supports these enhanced security features. The Secretary of the Treasury must also ensure that prepaid debit cards used for administering government benefits have enhanced security features and, by January 1, 2015, have developed a plan for the replacement of such debit card that do not have these features. The Administrator of the General Services Administration (GSA) must similarly ensure that all credit, debit, and payment cards provided through GSA contracts have enhanced security features and that, by January 1, 2015, it has begun replacing all existing cards without these features. Finally, all other agencies with credit, debit, and other payment cards must, by January 1, 2015, provide the Office of Management and Budget (OMB) plans for ensuring that these cards have enhanced security features.
Identity Theft Remediation. The order next aims to reduce the burden and delays of remediation, for consumers who have been victims of identity theft. It orders the Attorney General, in coordination with the Secretary of Homeland Security, to issue guidance by February 15, 2015 to “promote regular submission . . . by Federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance’s Fraud Alert System.” It directs the Department of Justice, the Department of Commerce, and the Social Security Administration to identify and provide to the Federal Trade Commission (FTC) all “publicly available agency resources for victims of identity theft” no later than March 15, 2015 and then to work together to “streamline” and “consolidate” these resources on IdentityTheft.gov. It further orders the OMB and GSA to assist the FTC in enhancing the functionality of that website and making it available to the public by May 15, 2015. Under the order, the website’s enhanced functionality, to the extent possible, must include coordination with the credit bureaus to streamline the reporting and remediation process in the bureaus’ systems.
Online Federal Transactions. Finally, the order gives the National Security Council, the Office of Science and Technology Policy, and OMB 90 days to present President Obama with a plan “to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process” and 18 months to complete implementation of the plan.
In addition to issuing the order, President Obama encouraged the financial and retail sectors to follow the government’s lead and make the move to “chip-and-PIN” technology. While such technology may not eliminate credit card fraud altogether, it is far more secure than the magnetic strips that have been at the heart of many recent data breaches. Finally, he encouraged Congress to pass comprehensive data breach and cybersecurity legislation to help address the problems created by the current patchwork of laws governing a company’s obligations in the event of a breach. A copy of President Obama’s executive order can be found here.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
