AGENCY:

Office of Personnel Management.

ACTION:

Direct final rule.

SUMMARY:

The Office of Personnel Management (OPM) is publishing this direct final rule to implement the requirements of the Social Security Number Fraud Prevention Act of 2017 (Act). In accordance with the Act, OPM is amending its privacy procedures to prohibit the inclusion of Social Security numbers (SSNs) on any document sent through the mail unless the Director of OPM deems it necessary. This rule also establishes requirements for safeguarding SSNs sent through the mail by partially redacting SSNs where feasible and prohibiting the display of SSNs on the outside of any package or envelope sent by mail.

DATES:

This rule is effective on June 26, 2024, without further action unless significant adverse comments are received by June 11, 2024. If significant adverse comments are received, OPM will withdraw this direct final rule and publish a proposed rule.

ADDRESSES:

You may submit comments for this direct final rule using the following method:

• Federal Rulemaking Portal: https://www.regulations.gov. Follow the instructions for sending comments.

All submissions received must include the agency name and docket number for this direct final rule. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing at https://www.regulations.gov as they are received, without change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT:

Kirsten J. Moncada, Executive Director, Office of the Executive Secretariat, Privacy, and Information Management, 202-936-0251.

SUPPLEMENTARY INFORMATION:

The Social Security Number Fraud Prevention Act of 2017, Public Law 115-59, 42 U.S.C. 405 note, restricts the inclusion of SSNs on documents sent by mail unless the head of the agency determines that the inclusion of the SSNs on the documents is necessary. The Act also directs agencies to issue regulations that specify when inclusion of an SSN is necessary and include requirements for the safeguarding of SSNs by partially redacting SSNs where feasible and prohibiting the display of SSNs on the outside of any package or envelope sent by mail.

To implement the Act, OPM is adding new subpart F, titled “Protecting Social Security Numbers in Mailed Documents,” to its privacy procedures at 5 CFR part 297. The new requirements in subpart F prohibit the inclusion of SSNs on any document OPM program offices send through the mail unless the Director of OPM, on the advice of the Senior Agency Official for Privacy, deems it necessary and precautions are taken to protect the SSNs. In addition, subpart F includes requirements for OPM program offices to partially redact SSNs where feasible and specifically prohibits the display of complete or partial SSNs on the outside of any package or envelope sent by mail or through the window of an envelope or package. Subpart F applies to all OPM office activities and written or printed documents OPM sends by mail that include a complete or partial SSN.

OPM is also amending 5 CFR 297.102 to add the definitions of “document,” and “mail” to make explicit OPM's meaning of the terms in this new subpart F. For the purposes of this rule, a document is a record of some information that can be used as an authority or for reference, further analyses, or study. This includes all records OPM maintains and uses to identify, track, and correspond with agencies, Federal employees, contractors, and annuitants, among others. Mail is defined as artifacts used to assemble letters and packages that are sent or delivered by the United States Postal Service or other commercial letter or parcel delivery services.

Direct Final Rule Justification

This rule of agency organization, procedure, or practice is exempt from the prior public notice and comment requirements of the Administrative Procedure Act. See 5 U.S.C. 553(b)(3)(A). This rule will not have any effect on the rights, obligations, or interests of any affected parties, as it is merely procedural and reflects a statutory requirement that is already in effect. The rule restricts and safeguards the inclusion of SSNs in documents that are mailed to prevent unauthorized disclosure of SSNs and protect individual privacy. Accordingly, OPM for good cause finds that the notice and comment requirements are unnecessary. See 5 U.S.C. 553(b)(3)(B).

This rule is also suitable for direct final rulemaking because it is non-controversial and consistent with Federal law and policy regarding the appropriate handling and protection of SSNs. The provisions of the rule will be beneficial to members of the public and Federal employees because it protects their personally identifiable information. Because this non-substantive rule makes no changes to the legal obligations or rights of any affected parties ( i.e., reflects a statutory requirement that is already in effect) and because it is in the public interest to have this rule be effective as soon as possible, OPM does not expect to receive any significant adverse comments.

This rule will be effective June 26, 2024, without further action unless significant adverse comments are received. A significant adverse comment is one that explains: (1) why the rule is inappropriate, including challenges to the rule's underlying premise or approach; or (2) why the direct final rule will be ineffective or unacceptable without a change. If such comments are received, this direct final rule will be withdrawn and a proposed rule for comments will be published. If no such comments are received, this direct final rule will become effective 15 days after the comment period expires. In determining whether a significant adverse comment necessitates withdrawal of this direct final rule, OPM will consider whether the Start Printed Page 25750 comment raises an issue serious enough to warrant a substantive response had it been submitted in a standard notice and comment process. A comment recommending an addition to the rule will not be considered significant and adverse unless the comment explains how this direct final rule would be ineffective without the addition.

Expected Impact of This Direct Final Rule

SSNs are used as unique identifiers by government agencies, businesses, and other entities. The theft and fraudulent use of SSNs can result in significant repercussions for the SSN holder, as well as the entities from which SSNs were stolen. This direct final rule formalizes in regulation OPM's current practice of safeguarding SSNs in mailed documents and will support efforts to protect individual privacy. In accordance with the E-Government Act (2002), OPM currently applies encryption technology and other security controls, such as password protection, to minimize the risk of unauthorized disclosure of SSNs. OPM program offices are also required to conduct proper assessments to minimize the use of SSNs and the impact to individual privacy as a result of their inclusion in any document. This rule supplements these procedures and is beneficial because it protects individual privacy and standardizes OPM's procedures for mailing documents with SSNs. There are no alternatives to this rule because it is required by statute.

Regulatory Review

Executive Orders 13563, 12866, and 14094 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). The Office of Information and Regulatory Affairs in the Office of Management and Budget has determined this rule is not a “significant regulatory action” under section 3(f) of Executive Order 12866, as amended by Executive Order 14094.

Regulatory Flexibility Act

The Director of OPM certifies that this rule will not have a significant economic impact on a substantial number of small entities because it is a procedural rule that only applies only to OPM.

E.O. 13132, Federalism

This rule will not have substantial direct effects on the States, on the relationship between the National Government and the States, or on distribution of power and responsibilities among the various levels of government. Therefore, in accordance with Executive Order 13132, OPM has determined that this direct rule does not have federalism implications that require preparation of a federalism summary impact statement.

E.O. 12988, Civil Justice Reform

OPM has determined that this rule meets the relevant standards of Executive Order 12988.

Unfunded Mandates Reform Act of 1995

This rule will not result in the expenditure by State, local, or tribal governments, or the private sector of more than $100 million annually. Thus, no written assessment of unfunded mandates is required.

Congressional Review Act

Subtitle E of the Small Business Regulatory Enforcement Fairness Act of 1996 (known as the Congressional Review Act or CRA) (5 U.S.C. 801, et seq.) requires rules to be submitted to Congress before taking effect. OPM will submit to Congress and the Comptroller General of the United States a report regarding the issuance of this rule before its effective date, as required by 5 U.S.C. 801. The Office of Information and Regulatory Affairs in the Office of Management and Budget has determined that this rule is not a major rule as defined by the CRA (5 U.S.C. 804).

Paperwork Reduction Act of 1995

This regulatory action will not impose any reporting or recordkeeping requirements under the Paperwork Reduction Act (44 U.S.C. Chapter 35).

List of Subjects in 5 CFR Part 297

• Privacy

For reasons stated in the preamble, OPM amends 5 CFR part 297 as follows:

PART 297—PRIVACY PROCEDURES FOR PERSONNEL RECORDS

1. The authority citation for part 297 is revised to read as follows:

Authority: 5 U.S.C. 552a; Pub. L. 115-59, 113 Stat. 1152 (42 U.S.C. 405 note).

2. Amend § 297.102 by adding in alphabetical order the definitions for “Document” and “Mail” to read as follows:

3. Add subpart F, consisting of §§ 297.601 and 297.602, to read as follows:

Subpart F—Privacy and Social Security Number Fraud Prevention