2018-09333. Privacy Act of 1974; System of Records  

    AGENCY:

    Federal Trade Commission (FTC).

    ACTION:

    Notice of modified systems of records.

    SUMMARY:

    The FTC proposes to modify all FTC Privacy Act system of records notices (SORNs) by amending and bifurcating an existing routine use relating to assistance in data breach responses, to conform with Office of Management and Budget (OMB) guidance to federal agencies, OMB Memorandum 17-12.

    DATES:

    Comments must be submitted by June 4, 2018. This routine use, which is being published in proposed form, shall become final and effective July 2, 2018, without further notice unless otherwise amended or repealed by the Commission on the basis of any comments received.

    ADDRESSES:

    Interested parties are invited to submit written comments by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Comments should refer to “Privacy Act of 1974; System of Records: FTC File No. P072104” to facilitate the organization of comments. Please file your comment online at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

    FOR FURTHER INFORMATION CONTACT:

    G. Richard Gold and Alex Tang, Attorneys, Office of the General Counsel, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-2424.

    SUPPLEMENTARY INFORMATION:

    Request for Comments

    You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before June 4, 2018. Write “Privacy Act of 1974; System of Records: FTC File No. P072104” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission website, at https://www.ftc.gov/policy/public-comments.

    Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, the Commission encourages you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse by following the instructions on the web-based form. If this Notice appears at www.regulations.gov, you also may file a comment through that website.

    If you file your comment on paper, write “Privacy Act of 1974; System of Records: FTC File No. P072104” on your comment and on the envelope, and mail it to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street, SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

    Because your comment will be placed on the publicly accessible FTC website at www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

    Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c).

    The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 4, 2018. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at www.ftc.gov/privacy.

    Analysis to Aid Public Comment

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, this document provides public notice that the FTC is proposing to modify and bifurcate an existing routine use relating to assistance in data breach responses, which is applicable to all FTC SORNs, to conform with OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017). A list of the agency's current Privacy Act records systems is set out below and can be viewed on the FTC's website at: www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The modified and bifurcated routine use would be included in Appendix I, Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records, which describes routine uses that apply globally to all FTC Privacy Act records systems. Appendix I was previously published at 73 FR 33592 (June 12, 2008), the text of which is available on the FTC's website at the above hyperlink and would be updated accordingly.

    System number and name: Federal Register citations [1]

    FTC-I-1—Nonpublic Investigational and Other Nonpublic Legal Program Records: 76 FR 60125; 75 FR 52749-52751; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-I-2—Disciplinary Action Investigatory Files: * 73 FR 33591-33634
    FTC-I-3—Informal Advisory Opinion Request and Response Files: * 73 FR 33591-33634
    FTC-I-4—Clearance Application and Response Files: * 73 FR 33591-33634
    FTC-I-5—Matter Management System: * 82 FR 50872-50882
    FTC-I-6—Public Records: * 73 FR 33591-33634
    FTC-I-7—Office of Inspector General Investigative Files: * 82 FR 50872-50882
    FTC-I-8—Stenographic Reporting Services Request System: 80 FR 9460-9465; * 73 FR 33591-33634
    FTC-II-1—General Personnel Records: 80 FR 9460-9465; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-II-2—Unofficial Personnel Records: 80 FR 9460-9465; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-II-3—Worker's Compensation: * 82 FR 50872-50882
    FTC-II-4—Employment Application-Related Records: * 80 FR 9460-9465; 73 FR 33591-33634
    FTC-II-5—Equal Employment Opportunity Statistical Reporting System: * 82 FR 50872-50882
    FTC-II-6—Discrimination Complaint System: 75 FR 52749-52751; 73 FR 33591-33634
    FTC-II-7—Ethics Program Records: 80 FR 9460-9465; 75 FR 52749-52751; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-II-8—Employee Adverse Action and Disciplinary Records: 80 FR 9460-9465; * 73 FR 33591-33634
    FTC-II-9—Claimants Under Federal Tort Claims Act and Military Personnel and Civilian Employees' Claims Act: 80 FR 9460-9465; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-II-10—Employee Health Care Records: * 82 FR 50872-50882
    FTC-II-11—Personnel Security, Identity Management, and Access Control Records System: 80 FR 9460-9465; * 73 FR 33591-33634
    FTC-II-12—e-Train Learning Management System: 80 FR 9460-9465; 75 FR 52749-52751; 73 FR 33591-33634
    FTC-II-13—Staff Time and Activity Reporting (STAR) System: * 73 FR 33591-33634
    FTC-III-1—Personnel Payroll System: 80 FR 9460-9465; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-III-2—Travel Management System: * 82 FR 50872-50882
    FTC-III-3—Financial Management System: 80 FR 9460-9465; * 73 FR 33591-33634
    FTC-III-4—Automated Acquisitions System: * 73 FR 33591-33634
    FTC-III-5—Employee Transportation Program Records: * 82 FR 50872-50882
    FTC-IV-1—Consumer Information System: 80 FR 9460-9465; 74 FR 17863-17866; * 73 FR 33591-33634
    FTC-IV-2—Miscellaneous Office Correspondence Tracking System Records: * 73 FR 33591-33634
    FTC-IV-3—National Do Not Call Registry System: 74 FR 17863-17866
    FTC-V-1—Freedom of Information Act Requests and Appeals: * 73 FR 33591-33634
    FTC-V-2—Privacy Act Requests and Appeals: * 82 FR 50872-50882
    FTC-VI-1—Mailing and Contact Lists: * 73 FR 33591-33634
    FTC-VII-1—Automated Library Management System: * 73 FR 33591-33634
    FTC-VII-2—Employee Locator (STAFFID) System: 80 FR 9460-9465; * 73 FR 33591-33634
    FTC-VII-3—Computer Systems User Identification and Access Records: 80 FR 9460-9465; 74 FR 17863-17866
    FTC-VII-4—Call Detail Records: 80 FR 9460-9465; 74 FR 17863-17866
    FTC-VII-5—Property Management System: * 73 FR 33591-33634
    FTC-VII-6—Document Management and Retrieval System: * 73 FR 33591-33634
    FTC-VII-7—Information Technology Service Ticket System: 80 FR 9460-9465
    FTC-VII-8—Administrative Service Call System: * 73 FR 33591-33634

    [1] An asterisk (*) designates the last full Federal Register notice that includes all of the elements that are required to be in a System of Records Notice.

    Appendices Applicable to all FTC Systems

    Appendix I—Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records: 73 FR 33591-33634
    Appendix II—How To Make A Privacy Act Request: 73 FR 33591-33634
    Appendix III—Locations of FTC Buildings and Regional Offices: 80 FR 9460-9465

    The Privacy Act authorizes the agency to adopt routine uses that are consistent with the purpose for which information is collected. 5 U.S.C. 552a(b)(3); see also 5 U.S.C. 552a(a)(7).

    On June 8, 2007, in response to a recommendation by The President's Identity Theft Task Force [2] and using model language issued by the Department of Justice, the FTC published a new routine use that allowed for disclosure of records to appropriate persons and entities for purposes of response and remedial efforts in the event of a breach of data contained in the protected systems. 72 FR 31835. This routine use, currently included in Appendix I, Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records, states as follows:

    (22) May be disclosed to appropriate agencies, entities, and persons when: (a) The FTC suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (b) the FTC has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the FTC or another agency or entity) that rely upon the compromised information; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

    Since 2007, OMB has determined that agencies needed authority to make disclosures that go beyond those contemplated by the original routine use. Thus, in January 2017, OMB issued M-17-12, directing the Senior Agency Official for Privacy (SAOP) of each agency to include the following routine use in each of the agency's SORNs to facilitate the agency's response to a breach of its own records:

    To appropriate agencies, entities, and persons when (1) [the agency] suspects or has confirmed that there has been a breach of the system of records, (2) [the agency] has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, [the agency] (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with [the agency's] efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.[3]

    In M-17-12, OMB also directed the SAOP to ensure that agencies are able to disclose records in their systems of records that may reasonably be needed by another agency in responding to a breach by incorporating the following additional routine use into each of the agency's SORNs:

    To another Federal agency or Federal entity, when [the agency] determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.[4]

    Although the first proposed routine use required by M-17-12 is very similar to the language of the FTC's original routine use as finalized in 2007, OMB's 2017 version more specifically addresses harm to individuals and expands the concept to make clear that it is not limited to identity theft or financial/property damage.

    With regard to the second proposed routine use, breaches affecting Federal personnel data have shown the need for an additional routine use that expressly allows an agency to disclose information from a system of records (e.g., current contact information for the agency's employees or other individuals) to another Federal agency when reasonably needed by that agency to respond to a breach (e.g., providing notice to the affected individuals), to take any other steps to prevent, minimize, or remedy the risk of harm to affected individuals or that agency's information systems, programs, or operations, and, if necessary, to address the broader risk of harm, if any, to the Federal Government or national security that may arise from the breach. The FTC's existing routine use, while allowing disclosure to other agencies, does so in the limited context of a breach of the FTC's own system(s) of records.

    For the reasons stated above, the FTC believes that it is compatible with the collection of information pertaining to individuals affected by a breach to disclose Privacy Act records about them when, in doing so, it will help prevent, minimize or remedy a data breach or compromise that may affect such individuals. By contrast, the FTC believes that failure to take reasonable steps to help prevent, minimize or remedy the harm that may result from such a breach or compromise would jeopardize, rather than promote, the privacy of such individuals. Accordingly, the Commission concludes that it is authorized under the Privacy Act to adopt the proposed and updated routine uses permitting disclosure of Privacy Act records for the purposes described above.

    In accordance with the Privacy Act, see 5 U.S.C. 552a(e)(4) and (11), the FTC is publishing notice of these routine uses and giving the public a 30-day period to comment before adopting them as final. The FTC has provided advance notice of this proposed system notice amendment to OMB and the Congress, as required by the Act, 5 U.S.C. 552a(r), and OMB Circular A-108 (2016). As set forth below, the Commission proposes that the new routine uses become effective on the date noted earlier, unless the Commission amends or revokes the routine uses on the basis of any comments received.

    Accordingly, the FTC hereby proposes to amend Appendix I of its Privacy Act system notices, as published at 73 FR 33591, by revising item number (22), adding new item number (23), and re-designating the former item number (23) as (24) (without any other change) at the end of the existing routine uses set forth in that Appendix:

    * * * * *

    (22) To appropriate agencies, entities, and persons when (a) the FTC suspects or has confirmed that there has been a breach of the system of records, (b) the FTC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FTC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

    (23) To another Federal agency or Federal entity, when the FTC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

    (24) May be disclosed to FTC contractors, volunteers, interns or other authorized individuals who have a need for the record in order to perform their officially assigned or designated duties for or on behalf of the FTC.

    History

    73 FR 33591-33634 (June 12, 2008).

    By direction of the Commission.

    Donald S. Clark,

    Secretary.

    Footnotes

    3.  Hereafter, this is referred to as the “first proposed routine use.”

    4.  Hereafter, this is referred to as the “second proposed routine use.”

    [FR Doc. 2018-09333 Filed 5-2-18; 8:45 am]

    BILLING CODE 6750-01-P

Document Information

Effective Date: 7/2/2018
Published: 05/03/2018
Department: Federal Trade Commission
EntryType: Notice
Action: Notice of modified systems of records.
Document Number: 2018-09333
Dates: Comments must be submitted by June 4, 2018. This routine use, which is being published in proposed form, shall become final and effective July 2, 2018, without further notice unless otherwise amended or repealed by the Commission on the basis of any comments received.
Pages: 19560-19563 (4 pages)
PDF File: 2018-09333.pdf