On October 17, 2014, the White House released its plans for a “BuySecure Initiative” in an executive order entitled “Improving the Security of Consumer Financial Transactions.” The initiative aims to push the market toward adopting more secure payment methods and to reduce the burden on consumers seeking to remediate identity theft incidents. The White House simultaneously published a fact sheet explaining the impetus for the action, the changes proposed in the order, and the potential downstream effects from the steps outlined.
The White House explained that the initiative is intended to “move [the U.S.] economy toward stronger, more secure technologies that better secure transactions and safeguard sensitive data” by having federal agencies “lead by example.” Although the president’s executive order is limited in its application to agencies within the executive branch, the White House stated that it will work with “a number of major corporations” to advance these goals and, in a speech announcing the order, President Obama announced plans for a White House summit on cybersecurity and consumer protection. Although the initiative is intended to encourage further implementation of secure payment systems and to improve identity theft remediation practices, the White House used the announcement to reiterate its calls for Congress to pass data breach and cybersecurity legislation.
Securing Government Payments
The president’s order mandates that executive departments and agencies begin transitioning payment processing terminals and agency credit, debit, and other payment cards to more secure systems, specifically systems incorporating chip-and-PIN technology.1 Under the order, the Department of the Treasury will, no later than January 1, 2015, take “all necessary steps” to ensure that payment processing terminals acquired by the federal government incorporate chip-and-PIN technology. Further, the order mandates that the Department of the Treasury and General Services Administration (GSA) only issue payment cards with similar security features by that date; the order also calls for the GSA to begin replacing less secure payment cards no later than January 1, 2015. All other agencies are required to provide to the Office of Management and Budget (OMB), no later than January 1, 2015, their plans for ensuring that their payment cards have enhanced security features.
Although the order’s mandates directly affect only the executive branch agencies, the White House has indicated that these measures are intended to nudge the U.S. marketplace towards a quicker adoption of chip-and-PIN and other enhanced security measures for payment mechanisms. Already, the market has demonstrated that retailers’ prior hesitation to invest in the infrastructure needed for acceptance of chip-and-PIN payment cards is evaporating. As the fact sheet explains, a number of large companies—including American Express, Home Depot, Target, Visa, Walgreens, and Walmart—are in the process of establishing a wide framework for acceptance of chip-and-PIN cards in the private sector. Many of these private sector efforts were well under way before the order; given recent data breaches triggered by inadequate point-of-sale card security, efforts by card issuers and credit unions to shift greater risk for unauthorized charges to retailers, and the reliance of many foreign markets on chip-and-PIN payment cards, the “BuySecure Initiative” is not groundbreaking in its push for widespread adoption of more secure payment mechanisms. By involving the federal government in this push, however, the initiative commits the government to these efforts to transition payment mechanisms and cards to use enhanced security features and may expedite adoption throughout the private sector by virtue of the White House endorsement.
Identity Theft Remediation
The executive order included measures aimed at reducing the burden on consumers who have been victimized by identity theft, including steps to reduce the amount of time an individual consumer would need to remediate a typical identity-theft incident. The order mandates that by February 15, 2015, the Department of Justice (DOJ) and Department of Homeland Security (DHS) issue guidance to promote regular submissions by federal law enforcement agencies of identified, compromised credentials to the National Cyber-Forensics and Training Alliance’s Internet Fraud Alert System. Next, the DOJ, the Department of Commerce, and the Social Security Administration will identify all publicly available resources for identity theft victims and provide information relating to them to the Federal Trade Commission (FTC), with the expectation that these agencies will work together to streamline these resources and consolidate them (where possible) on the FTC’s website, IdentityTheft.gov. The White House expects that the consolidation of these resources will occur no later than March 15, 2015. Under the order, the OMB and GSA are required to assist the FTC in enhancing the website, including coordinating with the national credit bureaus to ensure improved reporting and remediation processes in connection with the credit bureaus’ systems, with the goal of launching an improved IdentityTheft.gov no later than May 15, 2015.
The White House’s fact sheet explains that the “BuySecure Initiative” also includes a number of public-private partnerships and measures aimed at improving identity theft remediation. In both the fact sheet and President Obama’s announcement of the initiative, the White House lauded a number of leaders in the financial services industry that, under the leadership of the Consumer Financial Protection Bureau (CFPB), have provided or will provide their individual customers with free access to FICO scores, and noted that certain card issuers, including MasterCard, will provide customers with additional support in resolving identity theft and fraud claims.
Securing Federal Data Disclosures
The White House also mandated that federal agencies take measures to ensure that sensitive data is shared by the government only with the appropriate recipients. Specifically, the order directed the National Security Council staff, the Office of Science and Technology Policy, and OMB to present to the White House a plan no later than January 15, 2015, that would ensure that all federal agencies making data accessible to citizens through digital applications require the use of multi-factor authentication and a process that is effective at proving individual identity. Any such plan would need to be consistent with the 2011 National Strategy for Trusted Identities in Cyberspace. Relevant federal agencies are expected to have eighteen months following the presentation of the joint plan to implement any necessary steps for ensuring such identity verification.
1 “Chip-and-PIN” technology generally refers to any payment card containing EMV smart card technology that relies upon an embedded chip and a user-supplied PIN.