2018-21440. Maintenance of and Access to Records Pertaining to Individuals  

    AGENCY:

    Office of the Secretary (OST), U.S. Department of Transportation (DOT).

    ACTION:

    Notice of proposed rulemaking.

    SUMMARY:

    This proposed rulemaking would amend the Department of Transportation's Privacy Act regulations to exempt the Department of Transportation's new insider threat program system of records from certain requirements of the Privacy Act to protect properly classified information from disclosure, preserve the integrity of insider threat inquiries, and protect the identities of sources in such inquiries and any related investigations.

    DATES:

    Submit comments on or before December 3, 2018.

    ADDRESSES:

    You may file comments identified by the docket number DOT-OST-2016-0028 by any of the following methods:

    • Federal Rulemaking Portal: Go to http://www.regulations.gov and follow the online instructions for submitting comments.
    • Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Ave. SE, West Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
    • Hand Delivery or Courier: West Building Ground Floor, Room W12-140, 1200 New Jersey Ave. SE, between 9:00 a.m. and 5:00 p.m. ET, Monday through Friday, except Federal holidays.
    • Fax: 202-493-2251.

    Instructions: You must include the agency name and docket number DOT-OST-2016-0028 or the Regulatory Identification Number (RIN) for the rulemaking at the beginning of your comment. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

    Privacy Act: Anyone is able to search the electronic form of all comments received in any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT's system of records notice for dockets in the Federal Register notice published on January 17, 2008 (73 FR 3316-3317).

    Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or to the street address listed above. Follow the online instructions for accessing the docket.

    FOR FURTHER INFORMATION CONTACT:

    Claire Barrett, Departmental Chief Privacy Officer, Office of the Chief Information Officer, U.S. Department of Transportation, 1200 New Jersey Avenue SE, Washington, DC 20590 or privacy@dot.gov or (202) 366-8135.

    SUPPLEMENTARY INFORMATION:

    Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, directs Federal departments and agencies to establish insider threat programs consistent with guidance and standards developed by the National Insider Threat Task Force, which was established under section 6 of Executive Order 13587. The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs were issued in November 2012. As described in Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, insider threat programs are intended to deter and detect insider threats and mitigate the risks associated with an individual using his or her authorized access to Government information and facilities to do harm to the security of the United States. The potential harms posed by an insider threat can include espionage, terrorism, unauthorized disclosure of national security information, or the loss or degradation of Government resources or capabilities.

    The DOT has established an Insider Threat Program within the Office of the Secretary (OST) and the Federal Aviation Administration (FAA). Together, these programs are referred to as the “DOT Insider Threat Program.” The DOT Insider Threat Program will adhere to the requirements of Executive Order 13587, and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, and include protocols for reporting and responding to potential or suspected insider threat activity.

    The Privacy Act of 1974, 5 U.S.C. 552a, requires that agencies tell the public when they maintain information about a person in a file which is retrieved by reference to that person's name or some other identifying particular. A group of these files is a “system of records,” and the existence of each system must be published in a “system of records notice” (SORN). In accordance with the Privacy Act, DOT proposes to create a new DOT system of records titled, “DOT/ALL 26 Insider Threat Program” for insider threat program records. This notice will be published in the Federal Register.

    The DOT Insider Threat Program will maintain information about DOT employees about whom the DOT Insider Threat Program has received reports of indicia of potential insider threats from other Federal agencies, DOT employees, or any other source. As defined in Executive Order 12968, a DOT employee, for purposes of the DOT Insider Threat Program, means “a person, other than the President and Vice President, employed by, detailed or assigned to, an agency, including members of the Armed Forces; an expert or consultant to an agency; an industrial or commercial contractor, licensee, certificate holder; or any other category of person who acts for or on behalf of an agency, as determined by the” Secretary of Transportation or, for the FAA, the FAA Administrator. A licensee, certificate holder (such as an airman), or grantee, who is not also a DOT employee, is generally excluded from the DOT Insider Threat Program; however, such individuals may be included if a determination is made that the nature and extent of an individual's access to DOT personnel, facilities, equipment, systems, networks, operations, and information necessitates their inclusion.

    The DOT Insider Threat Program will review reports of indicia of potential insider threats in accordance with established DOT and FAA Insider Threat Program management policy and procedures, as applicable. Based on this review, an appropriate authorized OST or FAA official will determine whether to proceed with an insider threat inquiry, refer the matter to appropriate law enforcement officials, close the matter, or take other appropriate action. Insider threat inquiries will be comprised primarily of existing DOT information assets, including, but not limited to, records from information security, personnel security, and human resources, and also may include information obtained from other Federal agencies or from publicly available resources (such as internet searches). The DOT Insider Threat Program records also will be used to track reports of indicia of potential insider threats, whether or not an inquiry was opened, the rationale for opening or not opening an inquiry; the disposition of all inquiries, and referrals to law enforcement (such as the DOT Office of the Inspector General or the Federal Bureau of Investigation), and to report on DOT's Insider Threat Program activities.

    An agency wishing to exempt portions of some systems of records from certain provisions of the Privacy Act must notify the public of that exemption in both the SORN and in an exemption rule. This proposed rule would exempt certain records maintained by the DOT Insider Threat Program from the access and notification provisions of the Privacy Act. An exemption from these requirements would be necessary to: Protect classified national security information; preclude the subject of an inquiry from frustrating an inquiry or evading detection; avoid disclosure of insider threat inquiry techniques; protect the identity of confidential informants and third parties; and support DOT and FAA's ability to obtain information relevant to resolving an insider threat concern. The DOT or FAA may take administrative or other appropriate action within scope of their respective legal authorities in response to an insider threat inquiry or, if circumstances indicate a potential violation of law or a national security concern, refer the matter to the appropriate law enforcement or intelligence entity, such as the DOT Office of Inspector General or the Federal Bureau of Investigation. Thus, the system of records may include some classified national security information and, thus, insofar as it does, the subsection (k)(1) exemption (5 U.S.C. 552a(k)(1)) would be applicable. In addition, an insider threat inquiry is comprised of records compiled for law enforcement and the subsection (k)(2) exemption (5 U.S.C. 552a(k)(2)) would be applicable to this system of records.

    In appropriate circumstances, where compliance with the request would not appear to interfere with or adversely affect the conduct of an insider threat inquiry or result in the unauthorized disclosure of classified information, OST or FAA may opt to waive these exemptions. In addition, some information may be available under the Freedom of Information Act, 5 U.S.C. 552 (FOIA). Any request for information from this system under the FOIA would be assessed on a case-by-case basis to determine what, if any, information could be released consistent with section (b)(2) of the Privacy Act, 5 U.S.C. 552a(b)(2).

    The DOT identifies a system of records that is exempt from one or more provisions of the Privacy Act (pursuant to 5 U.S.C. 552a(j) or (k)) both in the SORN published in the Federal Register for public comment and in an Appendix to DOT's regulations implementing the Privacy Act (49 CFR part 10, Appendix). This rule would exempt records in the Insider Threat Program system of records from subsections (c)(3) (Accounting of Certain Disclosures), (d) (Access to Records), (e)(1) and (e)(4)(G) through (I) (Agency Requirements) and (f) (Agency Rules) of the Privacy Act to the extent that records are properly classified, in accordance with 5 U.S.C. 552a(k)(1), or consist of investigatory material compiled for law enforcement purposes in accordance with 5 U.S.C. 552a(k)(2).

    Regulatory Analysis and Notices

    A. Executive Order 12866 (Regulatory Planning and Review) and DOT Regulatory Policies and Procedures

    The DOT has considered the impact of this proposed rulemaking action under Executive Orders 12866 and 13563 (January 18, 2011, “Improving Regulation and Regulatory Review”), and the DOT's regulatory policies and procedures (44 FR 11034; February 26, 1979). The DOT has determined that this action would not constitute a significant regulatory action within the meaning of Executive Order 12866 and within the meaning of DOT regulatory policies and procedures. This rulemaking has not been reviewed by the Office of Management and Budget. This rulemaking is not anticipated to result in any costs. Since these records would be exempt from certain provisions of the Privacy Act, DOT would not have to expend any funds in order to administer those aspects of the Act.

    B. Regulatory Flexibility Act

    DOT has evaluated the effect these changes would have on small entities and does not believe that this rulemaking would impose any costs on small entities because the reporting requirements themselves are not changed and because the rule applies only to information on individuals that is maintained by the Federal Government or that is already publicly available. Therefore, I hereby certify that this proposal would not have a significant economic impact on a substantial number of small entities.

    C. National Environmental Policy Act

    The Department has analyzed the environmental impacts of this proposed action pursuant to the National Environmental Policy Act of 1969 (42 U.S.C. 4321 et seq.) and has determined that it is categorically excluded pursuant to DOT Order 5610.1C, Procedures for Considering Environmental Impacts (44 FR 56420, Oct. 1, 1979). Categorical exclusions are actions identified in an agency's NEPA implementing procedures that do not normally have a significant impact on the environment and therefore do not require either an environmental assessment (EA) or environmental impact statement (EIS). See 40 CFR 1508.4. In analyzing the applicability of a categorical exclusion, the agency must also consider whether extraordinary circumstances are present that would warrant the preparation of an EA or EIS. Id. Paragraph 3.c.5 of DOT Order 5610.1C incorporates by reference the categorical exclusions for all DOT Operating Administrations. This action is covered by the categorical exclusion listed in the Federal Highway Administration's implementing procedures, “[p]romulgation of rules, regulations, and directives.” 23 CFR 771.117(c)(20). The purpose of this rulemaking is to amend the Appendix to DOT's Privacy Act regulations. The Department does not anticipate any environmental impacts and there are no extraordinary circumstances present in connection with this rulemaking.

    D. Executive Order 12898 (Environmental Justice)

    The Department evaluated the environmental effects of this proposed rule in accordance with Executive Order 12898, Federal Actions to Address Environmental Justice in Minority Populations and Low-Income Populations, and DOT Order, 5010.2(a), 91 FR 27534 (May 10, 2012) (available online at www.fhwa.dot.gov/enviornment/environmental_justice/ej_at_dot/order_56102a/index.cfm), which require DOT to achieve environmental justice (EJ) as part of its mission by identifying and addressing, as appropriate, disproportionately high and adverse human health or environmental effects, including interrelated social and economic effects, of its programs, policies, and activities on minority and low income populations in the United States. The DOT Order requires DOT to address compliance with the Executive Order and the DOT Order in all rulemaking activities. The Department has evaluated this proposed rule under the Executive Order and the DOT Order, and has determined preliminarily that the rule would not cause disproportionately high and adverse human health and environmental effects on minority or low income populations.

    E. Executive Order 13132 (Federalism)

    This proposed action has been analyzed in accordance with the principles and criteria contained in Executive Order 13132, Federalism, dated August 4, 1999, and it has been determined that it would not have a substantial direct effect on, or sufficient Federalism implications for, the States, nor would it limit the policymaking discretion of the States. Therefore, the preparation of a Federalism Assessment is not necessary.

    F. Executive Order 13084 (Consultation and Coordination With Indian Tribal Governments)

    This action has been analyzed in accordance with the principles and criteria contained in Executive Order 13084 (“Consultation and Coordination with Indian Tribal Governments”). Because it would not have an effect on Indian Tribal Governments, the funding and consultation requirements of Executive Order 13084 do not apply.

    G. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501, et seq.), Federal agencies must obtain approval from the Office of Management and Budget for each collection of information they conduct, sponsor, or require through regulations. The DOT has determined that this action would not contain a collection of information requirement for the purposes of the PRA.

    H. Unfunded Mandates Reform Act

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (Pub. L. 104-4, 109 Stat. 48, March 22, 1995) requires Federal agencies to assess the effects of certain regulatory actions on State, local, and tribal governments; and the private sector. The UMRA requires a written statement of economic and regulatory alternatives for proposed and final rules that contain Federal mandates. A “Federal mandate” is a new or additional enforceable duty, imposed on any State, local, or tribal Government; or the private sector. If any Federal mandate causes those entities to spend, in aggregate, $143.1 million or more in any one year (adjusted for inflation), an UMRA analysis is required. This proposed rule would not impose Federal mandates on any State, local, or tribal governments; or the private sector.

    List of Subjects in 49 CFR Part 10

    • Penalties
    • Privacy

    In consideration of the foregoing, DOT proposes to amend part 10 of title 49, Code of Federal Regulations, as follows:

    1. The authority citation for part 10 continues to read as follows:

    Authority: 5 U.S.C. 552a; 49 U.S.C. 322.

    2. Amend the Appendix to Part 10 by:

    a. In Part II, adding paragraphs A.10, B.4., F.5., and G.2.

    The revisions and additions read as follows:

    APPENDIX TO PART 10—EXEMPTIONS

    Part II. Specific Exemptions

    A. * * *

    10. Insider Threat Program (DOT/ALL 26).

    B. * * *

    4. Insider Threat Program (DOT/ALL 26).

    * * * * *

    F. * * *

    5. Insider Threat Program (DOT/ALL 26).

    * * * * *

    G. * * *

    2. Insider Threat Program (DOT/ALL 26).

    Issued in Washington, DC, on August 17, 2018.

    Elaine L. Chao,

    Secretary.

    [FR Doc. 2018-21440 Filed 10-3-18; 8:45 am]

    BILLING CODE 4910-9X-P

Document Information

Published:
10/04/2018
Department:
Transportation Department
Entry Type:
Proposed Rule
Action:
Notice of proposed rulemaking.
Document Number:
2018-21440
Dates:
Submit comments on or before December 3, 2018.
Pages:
50053-50055 (3 pages)
Docket Numbers:
Docket No. OST-2016-0028
RINs:
2105-AE46: Maintenance of and Access to Records Pertaining to Individuals
RIN Links:
https://www.federalregister.gov/regulations/2105-AE46/maintenance-of-and-access-to-records-pertaining-to-individuals
Topics:
Penalties, Privacy
PDF File:
2018-21440.Pdf
CFR: (1)
49 CFR 10