On behalf of its 19 participating trade association members from the merchant and financial services industries, the Merchant Financial Cyber Partnership (MFCP) announced "8 Next Steps" to protect customers and their sensitive data from the ever-growing host of cyberthreats. The 8 Next Steps are as follows:
- Establishing a formal administrative link and protocols for information sharing between merchants and financial services institutions;
- Holding threat information sharing forums;
- Hosting exercises that simulate significant cyber attacks;
- Implementing and refining the National Institute of Standards and Technology’s Cybersecurity Framework for developing a listing of leading cybersecurity practices;
- Developing formal breach notification response programs;
- Outlining recommendations for merchants, issuers, acquirers, and processors to collaborate in developing technology standards to combat cyber threats to payment systems;
- Outlining technological and other principles for protecting payment systems; and
- Proposing tailored, effective legislation in support of cyberthreat information sharing.
The essence of these principles has been echoed by policymakers in the United States and other countries. President Obama, during his most recent State of the Union address, stated that he intends to propose comprehensive federal legislation regarding data privacy and cybersecurity. Many are hopeful that federal legislation will mean a single data privacy breach law that will obviate the need to meet the differing obligations under state and federal data privacy laws and regulations. Depending on the precise language of the federal legislation ultimately enacted, however, a single federal data privacy breach notification law could actually result in a heavier compliance burden on businesses than exists today.
MFCP members include the American Bankers Association, American Hotel and Lodging Association, Financial Services Forum, International Council of Shopping Centers, and the National Retail Federation. All industry stakeholders will want to stay abreast of the MFCP developments, as well as the ever-changing state, federal, and foreign data privacy and cybersecurity legal landscapes.