The Obama Administration has announced a series of initiatives to address the growing number of data breaches at major retailers. Millions of Americans and thousands of retailers have been the victims of data breaches over the past year, and consumers and legislators alike are increasingly looking for ways to secure sensitive data such as payment card account numbers. The most recent initiatives from the Administration focus on upgrading identity verification methods and point of sale terminals and could indicate the beginning of a major shift in data security practices among the nation’s retailers.
‘Kill the Password Dead’
As part of its efforts to improve the nation’s cybersecurity, the Obama Administration said recently that it would like to see companies reduce their reliance on passwords as a method of verifying individuals’ online identity. According to White House Cybersecurity Coordinator Michael Daniel, the Obama Administration wants to “kill the password dead.” Daniel’s remarks came during his keynote speech at the US Chamber of Commerce’s third annual Cybersecurity Summit.
Over 100 million Americans have been victims of data breaches over the past year, leading to millions of cases of credit card and identity fraud. Daniel noted that the technical solutions for replacing the password already exist, but non-technical barriers, such as liability and networking concerns, have discouraged the government and businesses from transitioning to more secure verification methods. In order to overcome these obstacles, the Obama Administration recently announced the National Strategy for Trusted Identities in Cyberspace, which will help fund private efforts to overcome the non-technical barriers and help speed the adoption of more secure technologies.
Transitioning Away from the Magnetic Credit Card Stripe
The vulnerability of the magnetic stripe on payment cards has also garnered increased attention as a growing number of retailers find themselves victims of large-scale data breaches. In several of the retail breaches, hackers gained access to in-store cash register systems and then implanted malware that stole customer data directly off the magnetic stripes during payment. The Secret Service has estimated that more than 1,000 American businesses were affected by such attacks.
Chip-based payment card technology known as EMV can significantly reduce the impact of these types of breaches, but American retailers have been slow to adopt the payment terminals necessary for the use of chip-based cards. Nonetheless, credit card companies such as Visa and MasterCard have set an October 2015 deadline for retailers to upgrade their systems, and the Obama Administration recently announced a number of steps to encourage companies to speed their transition to chip-based payment cards. As one of its steps, the Administration announced that Home Depot, Target, Walgreens, and Walmart will be rolling out secure chip-and-PIN-compatible card terminals in all their stores as part of the Administration’s “Buy Secure Initiative.” The Administration also announced that American Express will start a new program to help small businesses pay for the cost of upgrading their point-of-sale terminals to more secure models.
Encouraging Cybersecurity Information Sharing
The Obama Administration is also supporting efforts to improve information-sharing between companies, which can help detect and mitigate the impact of large-scale data breaches. To this end, the Department of Justice and the Federal Trade Commission issued guidance earlier this year indicating that federal antitrust laws should not be a barrier to cybersecurity information-sharing between companies. The Administration has also announced its support for the Cybersecurity Information Sharing Act, which would create liability protections for companies that appropriately monitor their computer networks and share cyber information with the government.
Maintaining “commercially reasonable” data security standards can be critical to avoiding liability for data breaches, yet what constitutes “commercially reasonable” is constantly evolving depending on the available technology and industry practices. Although the security practices discussed above are on the leading edge of changing security standards, these practices are likely to grow more widespread in the months and years to come, and retailers should be sure to stay informed of any significant changes or improvements in security standards as developments may impact their practices.