On October 17, 2014, President Obama signed an Executive Order (the “Order”) with the stated intent of improving the security of consumer financial transactions. In order to effectuate the President’s new “Buy Secure Initiative,” the Order establishes mandatory requirements in the areas of securing governmental payments, improving identity theft remediation, and securing federal transactions online.
I. Secure Governmental Payments
The first directive of the President’s three-prong approach establishes a more secure payment system by requiring all federal agencies to begin, as soon as possible, a transition to chip-and-PIN technology. The chip-and-PIN requirement applies not only to governmentally-owned payment processing terminals, but also to all credit, debit and other payment cards issued by the government to federal employees. Specifically, Section 1 of the Order requires the following:
- Effective immediately, the Department of the Treasury (the “Department”) must ensure that all payment processing terminals acquired by federal agencies have enhanced security features.
- By January 1, 2015, the Department must develop a plan to install enabling software that supports enhanced security features on all payment processing terminals utilized by federal agencies.
- Effective immediately, all credit, debit, and other payment cards provided through General Services Administration (“GSA”) contracts must have enhanced security features.
- By January 1, 2015, the GSA must begin replacing all non-chip-and-PIN payment cards.
- Effective immediately, all Direct Express® payment debit cards must have enhanced security features.
- By January 1, 2015, the Department must develop a plan to replace all non-chip-and-PIN Direct Express® payment debit cards.
- By January 1, 2015, all other federal agencies with payment cards must provide the Office of Management and Budget (the “OMB”) with plans ensuring that such payment cards have enhanced security features.
II. Improved Identity Theft Remediation
The President’s second directive attempts to reduce the burden on consumers who have been victims of identity theft. In order to facilitate this goal, Section 2 of the Order requires the following:
- By February 15, 2015, the Attorney General and Secretary of Homeland Security must issue guidance that will promote regular submissions by federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance’s (NCFTA) Internet Fraud Alert System.
- By March 15, 2015, the Department of Justice, the Department of Commerce, and the Social Security Administration must identify all publicly available resources for victims of identity theft and provide that information to the Federal Trade Commission (the “FTC”). These four agencies must then streamline and consolidate such resources at the FTC’s public website www.identitytheft.gov.
- Effective immediately, the OMB and the GSA must assist the FTC in enhancing the functionality of www.identitytheft.gov, with a particular focus on coordinating with the various credit bureaus’ systems. The enhanced site must be available to the public by May 15, 2015.
III. Securing Federal Transactions Online
To advance the President’s third directive of ensuring that sensitive data is shared only with the appropriate person or people, Section 3 of the Order requires the following:
Within 90 days of the date of the Order, the National Security Council staff, the Office of Science and Technological Policy, and the OMB must present the President with a plan to ensure that all federal agencies providing access to personal data through digital applications require the use of multiple factors of authentication and an effective identity proofing process. Within 18 months of the date of the Order, all relevant federal agencies must implement the steps and suggestions set forth in the plan.
Press Release and Fact Sheet
Concurrent with the Order, the Office of the Press Secretary of the White House issued a press release (the “Release”) explaining the factors behind the President’s Buy Secure Initiative. The Release explains that over 100 million Americans fell victim to a data breach in 2014, and millions more suffer from credit card fraud and identity crimes. Although his authority is limited to the federal public sector, President Obama encouraged all stakeholders—including state governments and private industry—to join his clarion call for action. To promote such public-private cooperation, the President announced that the White House will host later this year a Summit on Cybersecurity and Consumer Protection.