AGENCY:

Postal Service.^TM

ACTION:

Notice of modifications to three existing systems of records.

SUMMARY:

The Postal Service proposes to revise the following existing systems of records titled, “USPS 810.100, http://www.usps.com Registration,” “USPS 810.200, http://www.usps.com Ordering, Payment and Fulfillment,” and “USPS 860.000, Financial Transactions.” The modifications clarify user information in Categories of Records in the System, Purpose, Retention and Disposal and Systems Manager(s).

Background: The Postal Service's commitment to universal service is based on a foundation of providing secure products and services to postal customers. As a trusted organization, the Postal Service faces a variety of security challenges which require investigative, preventive, and security responses.

The Postal Service works collaboratively with internal and external groups to ensure new postal products and services are secure, thus maintaining customers' confidence in the mail and satisfying their personal and business needs.

This includes providing postal customers with secure access to products and services in all channels. As online access to retail products and services has grown, new types of fraudulent activities have emerged to challenge the security of online transactions.

The Postal Service has responded by developing fraud prevention initiatives designed to protect the security of financial transactions on usps.com. These initiatives include enhanced capabilities for ensuring the accuracy and security of credit card transactions conducted by national and international customers on usps.com. Modifications to the systems of records will be reflected in the Categories of Records in the System as it relates to business-specific and user information, purpose, and retention and disposal of online user information.

DATES:

The revisions will become effective without further notice on June 9, 2008 unless comments received on or before that date result in a contrary determination.

ADDRESSES:

Comments may be mailed or delivered to the Records Office, United States Postal Service, 475 L'Enfant Plaza, SW., Room 5821, Washington, DC 20260-2200. Copies of all written comments will be available at this address for public inspection and photocopying between 8 a.m. and 4 p.m., Monday through Friday.

FOR FURTHER INFORMATION CONTACT:

Deborah D. Hubbard, 202-268-7119.

SUPPLEMENTARY INFORMATION:

This notice is in accordance with the Privacy Act requirement that agencies publish their amended systems of records in the Federal Register when there is a revision, change, or addition. The Postal Service has reviewed its systems of records and has determined that USPS 810.100, http://www.usps.com Registration, should be revised to modify existing categories of records in the system, and retention and disposal of such records. Collection, retention, and disposal of user information will be added to enhance the understanding and fulfillment of customer needs and for ensuring the security of registration transactions conducted on usps.com.

In addition, the Postal Service has reviewed its systems of records and has determined that USPS 810.200, http://www.usps.com Ordering, Payment and Fulfillment, should be revised to modify existing categories of records in the system, purpose, and retention and disposal of such records. Categories of records in the system will be revised to include online user information. The purpose of collection will be revised to support law enforcement investigations, and retention and disposal of this information will be added.

The Postal Service has also determined that USPS 860.000, Financial Transactions, should be revised to include online user information within the categories of records in the system. The purpose of collection will be revised to support law enforcement investigations, and retention and disposal of this information will be added.

Privacy Act Systems of Records USPS 810.100, USPS 810.200, and USPS 860.000 were originally published in the Federal Register on April 29, 2005 (70 FR 22548).

The Postal Service proposes amending the systems as shown below:

USPS 810.100, http://www.usps.com Registration

CATEGORIES OF RECORDS IN THE SYSTEM AND RETENTION AND DISPOSAL:

[Revise to read as follows:]

Categories of Records in the System will be changed to read:

7. Online user information: Internet Protocol (IP) address, domain name, operating system versions, browser version, date and time of connection, and geographic location.

Retention and Disposal will be changed to read:

4. Online user information may be retained for 6 months.

Additionally, the System Manager(s) title has been changed to Chief Marketing Officer and Executive Vice President.

USPS 810.200, http://www.usps.com Ordering, Payment and Fulfillment

CATEGORIES OF RECORDS IN THE SYSTEM, PURPOSE, RETENTION AND DISPOSAL, AND SYSTEM MANAGER:

[Revise to read as follows:]

Categories of Records in the System will be changed to read:

5. Online user information: Internet Protocol (IP) address, domain name, operating system version, browser version, date and time of connection, and geographic location.

Purpose will be changed to read:

5. To support investigations related to law enforcement for fraudulent financial transactions.

Retention and Disposal will be changed to read:

3. Online user information may be retained for 6 months.

Additionally, the System Manager(s) and Address will reflect the following addition:

Chief Financial Officer and Executive Vice President, 475 L'Enfant Plaza, SW., Washington, DC 20260.

Also, the existing System Manager's title has been changed to Chief Marketing Officer and Executive Vice President.

USPS 860.000, Financial Transactions

CATEGORIES OF RECORDS IN THE SYSTEM, PURPOSE AND RETENTION AND DISPOSAL AND SYSTEM MANAGER:

[Revise to read as follows:]

Categories of Records in the System will be changed to read:

7. Online user information: Internet Protocol (IP) address, domain name, operating system version, browser version, date and time of connection, and geographic location.

Purpose will be changed to read:

4. To support investigations related to law enforcement for fraudulent financial transactions.

Retention and Disposal will be changed to read:

8. Online user information may be retained for 6 months.

Additionally, the System Manager(s) title has been changed to Chief Start Printed Page 26156Marketing Officer and Executive Vice President.

USPS 810.100, http://www.usps.com Registration

System Location:

Computer Operations Service Centers.

Categories of Individuals Covered by the System:

Customers who register via the USPS Web site at http://www.usps.com.

Categories of Records in the System:

1. Customer information: Name; customer ID(s); company name; job title and role; home, business, and billing address; home and business phone and fax number; e-mail; URL; and Automated Clearing House (ACH) information.

2. Identity verification information: Question, answer, username, user ID, and password.

3. Business-specific information: Business type and location, business IDs, annual revenue, number of employees, industry, nonprofit rate status, product usage information, annual and/or monthly shipping budget, payment method and information, planned use of product, and age of Web site.

4. Customer preferences: Preferences to receive USPS marketing information, preferences to receive marketing information from USPS partners, preferred means of contact, preferred e-mail format, product and/or service marketing preference.

5. Customer feedback: Method of referral to Web site.

6. Registration information: Date of registration.

7. Online user Information: Internet Protocol (IP) address, domain name, operating system versions, browser version, date and time of connection, and geographic location.

Authority for Maintenance of the System:

39 U.S.C. 401, 403, and 404.

Purpose(s):

1. To provide online registration with single sign on services for customers.

2. To obtain accurate contact information in order to deliver requested products, services, and other material.

3. To authenticate customer logon information for http://www.usps.com.

4. To permit customer feedback in order to improve http://www.usps.com or USPS products and services.

5. To enhance understanding and fulfillment of customer needs.

Routine Uses of Records in the System, Including Categories of Users and the Purposes of Such Uses:

Standard routine uses 1 through 7, 10, and 11 apply.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

Automated database, computer storage media, and paper.

Retrievability:

By customer name, customer ID(s), phone number, or mail or e-mail address.

Safeguards:

Paper records, computers, and computer storage media are located in controlled-access areas under supervision of program personnel. Access to these areas is limited to authorized personnel, who must be identified with a badge.

Access to records is limited to individuals whose official duties require such access. Contractors and licensees are subject to contract controls and unannounced on-site audits and inspections.

Computers are protected by mechanical locks, card key systems, or other physical access control methods. The use of computer systems is regulated with installed security software, computer logon identifications, and operating system controls including access controls, terminal and transaction logging, and file management software. Online data transmissions are protected by encryption.

For small business registration, computer storage tapes and disks are maintained in controlled-access areas or under general scrutiny of program personnel. Access is controlled by logon ID and password as authorized by the Marketing organization via secure Web site. Online data transmissions are protected by encryption.

Retention and Disposal:

1. ACH records are retained up to 2 years.

2. Records stored in the registration database are retained until the customer cancels the profile record, 3 years after the customer last accesses records, or until the relationship ends.

3. For small business registration, records are retained 5 years after the relationship ends.

4. Online user information may be retained for 6 months.

Records existing on paper are destroyed by burning, pulping, or shredding. Records existing on computer storage media are destroyed according to the applicable USPS media sanitization practice.

System Manager(s) and Address:

Chief Marketing Officer and Executive Vice President, United States Postal Service, 475 L'Enfant Plaza SW., Washington, DC 20260.

Notification Procedure:

Customers wanting to know if information about them is maintained in this system of records must address inquiries in writing to the system manager. Inquiries must contain name, address, and other identifying information.

Record Access Procedures:

Requests for access must be made in accordance with the Notification Procedure above and USPS Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.6.

Contesting Record Procedures:

See Notification Procedure and Record Access Procedures above.

Record Source Categories:

Customers.

USPS 810.200, http://www.usps.com Ordering, Payment, and Fulfillment

System Location:

Computer Operations Service Centers.

Categories of Individuals Covered by the System:

Customers who place orders and/or make payment for USPS products and services through http://www.usps.com.

Categories of Records in the System:

1. Customer information: Name, customer ID(s), phone and/or fax number, mail address and e-mail address.

2. Payment information: Credit and/or debit card number, type, and expiration date, billing information, ACH information.

3. Shipping and transaction information: Product and/or service ID numbers, descriptions, and prices; name and address(es) of recipients; order number and delivery status; electronic address lists; electronic documents or images; job number.

4. Claims submitted for defective merchandise.

5. Online user information: Internet Protocol (IP) address, domain name, operating system versions, browser version, date and time of connection, and geographic location. Start Printed Page 26157

Authority for Maintenance of the System:

39 U.S.C. 401, 403, and 404.

Purpose(s):

1. To fulfill orders for USPS products and services.

2. To promote increased use of the mail by providing electronic document preparation and mailing services for customers.

3. To provide shipping supplies and services, including return receipts and labels.

4. To provide recurring ordering and payment services for products and services.

5. To support investigations related to law enforcement for fraudulent financial transactions.

Routine Uses of Records in the System, Including Categories of Users and the Purposes of Such Uses:

Standard routine uses 1 through 7, 10, and 11 apply. In addition:

a. Customs declaration records may be disclosed to domestic and foreign customs officials pursuant to 19 U.S.C. 2071 (note) and international agreements or regulations.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

Automated databases, computer storage media, and paper.

Retrievability:

By customer name, customer ID(s), phone number, mail or e-mail address, or job number.

Safeguards:

Paper records, computers, and computer storage media are located in controlled-access areas under supervision of program personnel. Access to these areas is limited to authorized personnel, who must be identified with a badge.

Access to records is limited to individuals whose official duties require such access. Contractors and licensees are subject to contract controls and unannounced on-site audits and inspections.

Computers are protected by mechanical locks, card key systems, or other physical access control methods. The use of computer systems is regulated with installed security software, computer logon identifications, and operating system controls including access controls, terminal and transaction logging, and file management software.

Online data transmission is protected by encryption, dedicated lines, and authorized access codes. For shipping supplies, data is protected within a stand-alone system within a controlled-access facility.

Retention and Disposal:

1. Records related to mailing online and online tracking and/or confirmation services supporting a customer order are retained for up to 30 days from completion of fulfillment of the order, unless retained longer by request of the customer. Records related to shipping services and domestic and international labels are retained up to 90 days. Delivery Confirmation and return receipt records are retained for 6 months. Signature Confirmation records are retained for 1 year. ACH records are retained for up to 2 years.

2. Other customer records are retained for 3 years after the customer relationship ends.

3. Online user information may be retained for 6 months.

Records existing on paper are destroyed by burning, pulping, or shredding. Records existing on computer storage media are destroyed according to the applicable USPS media sanitization practice.

System Manager(s) and Address:

Chief Financial Officer and Executive Vice President, 475 L'Enfant Plaza, SW., Washington, DC 20260.

Chief Marketing Officer and Executive Vice President, United States Postal Service, 475 L'Enfant Plaza SW., Washington, DC 20260.

Notification Procedure:

Customers wanting to know if information about them is maintained in this system of records must address inquiries in writing to the system manager. Inquiries must contain name, address, customer ID(s), and order number, if known.

Record Access Procedures:

Requests for access must be made in accordance with the Notification Procedure above and USPS Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.6.

Contesting Record Procedures:

See Notification Procedure and Record Access Procedures above.

Record Source Categories:

Customers.

USPS 860.000, Financial Transactions

System Location:

USPS Headquarters; Integrated Business Solutions Services Centers; Accounting Service Centers; anti-money laundering support group; and contractor sites.

Categories of Individuals Covered by the System:

1. Customers who use online payment or funds transfer services.

2. Customers who file claims or make inquiries related to online payment services, funds transfers, money orders, and stored-value cards.

3. Customers who purchase funds transfers or stored-value cards in an amount of $1000 or more per day, or money orders in an amount of $3000 or more per day, or who purchase or redeem any such services in a manner requiring collection of information as potential suspicious activities under anti-money laundering requirements. Recipients of funds transfers and the beneficiaries of funds from money orders totaling $10,000 in 1 day.

Categories of Records in the System:

1. Customer information: Name, customer ID(s), mail and e-mail address, telephone number, occupation, type of business, and customer history.

2. Identity verification information: Date of birth, username and/or ID, password, Social Security Number (SSN) or tax ID number, and driver's license number (or other type of ID if driver's license is not available, such as Alien Registration Number, Passport Number, Military ID, Tax ID Number).

(Note:

For online payment services, SSNs are collected, but not retained, in order to verify ID.)

3. Billers registered for online payment services: Biller name and contact information, bill detail, and bill summaries.

4. Transaction information: Name, address, and phone number of purchaser, payee, and biller; amount, date, and location; credit and/or debit card number, type, and expiration; sales, refunds, and fees; type of service selected and status; sender and recipient bank account and routing number; bill detail and summaries; transaction number, serial number, and/or reference number or other identifying number, pay out agent name and address; type of payment, currency, and exchange rate; Post Office information such as location, phone number, and terminal; employee ID numbers, license number and state, and employee comments.

5. Information to determine credit worthiness: Period at current residence, previous address, and period of time with same phone number.

6. Information related to claims and inquiries: Name, address, phone number, signature, SSN, location where product was purchased, date of issue, Start Printed Page 26158amount, serial number, and claim number.

7. Online user information: Internet Protocol (IP) address, domain name, operating system versions, browser version, date and time of connection, and geographic location.

Authority for Maintenance of the System:

39 U.S.C. 401, 403, and 404; 31 U.S.C. 5318, 5325, 5331, and 7701.

Purpose(s):

1. To provide financial products and services.

2. To respond to inquiries and claims related to financial products and services.

3. To fulfill requirements of anti-money laundering statutes and regulations.

4. To support investigations related to law enforcement for fraudulent financial transactions.

Routine Uses of Records in the System, Including Categories of Users and the Purposes of Such Uses:

Standard routine uses 1 through 7, 10, and 11 apply. Legally required disclosures to agencies for law enforcement purposes include disclosures of information relating to money orders, funds transfers, and stored-value cards as required by anti-money laundering statutes and regulations.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage:

Automated database, computer storage media, microfiche, and paper.

Retrievability:

For online payment and funds transfer services, information is retrieved by customer name, customer ID(s), transaction number, or address.

Claim information is retrieved by name of purchaser or payee, claim number, serial number, transaction number, check number, customer ID(s), or ZIP Code.

Information related to anti-money laundering is retrieved by customer name; SSN; alien registration, passport, or driver's license number; serial number; transaction number; ZIP Code; transaction date; data entry operator number; and employee comments.

Safeguards:

Paper records, computers, and computer storage media are located in controlled-access areas under supervision of program personnel. Access to these areas is limited to authorized personnel, who must be identified with a badge.

Access to records is limited to individuals whose official duties require such access. Contractors and licensees are subject to contract controls and unannounced on-site audits and inspections.

Computers are protected by mechanical locks, card key systems, or other physical access control methods. The use of computer systems is regulated with installed security software, computer logon identifications, and operating system controls including access controls, terminal and transaction logging, and file management software. Online data transmissions are protected by encryption.

Retention and Disposal:

1. Summary records, including bill due date, bill amount, biller information, biller representation of account number, and the various status indicators, are retained 2 years from the date of processing.

2. For funds transfers, transaction records are retained 3 years.

3. Records related to claims are retained up to 3 years from date of final action on the claim.

4. Forms related to fulfillment of anti-money laundering requirements are retained 5 years from the end of the calendar quarter in which they were created.

5. Related automated records are retained the same 5-year period and purged from the system quarterly after the date of creation.

6. Enrollment records related to online payment services are retained 7 years after the subscriber's account ceases to be active or the service is cancelled.

7. Account banking records, including payment history, Demand Deposit Account (DDA) number, and routing number, are retained 7 years from the date of processing.

8. Online user information may be retained for 6 months.

Records existing on paper are destroyed by burning, pulping, or shredding.

Records existing on computer storage media are destroyed according to the applicable USPS media sanitization practice.

System Manager(s) and Address:

Chief Financial Officer and Executive Vice President, 475 L'Enfant Plaza, SW., Washington DC 20260.

Chief Marketing Officer and Executive Vice President, United States Postal Service, 475 L'Enfant Plaza, SW., Washington, DC 20260.

Notification Procedure:

For online payment services, funds transfers, and stored-value cards, individuals wanting to know if information about them is maintained in this system must address inquiries in writing to the Chief Marketing Officer. Inquiries must contain name, address, and other identifying information, as well as the transaction number for funds transfers.

For money order claims and anti-money laundering documentation, inquiries should be addressed to the Chief Financial Officer. Inquiries must include name, address, or other identifying information of the purchaser (such as driver's license, Alien Registration Number, Passport Number, etc.), and serial or transaction number. Information collected for anti-money laundering purposes will only be provided in accordance with Federal anti-money laundering laws and regulations.

Record Access Procedures:

Requests for access must be made in accordance with the Notification Procedure above and USPS Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.6.

Contesting Record Procedures:

See Notification Procedure and Record Access Procedures above.

Record Source Categories:

Customers, recipients, financial institutions, and USPS employees.

Systems Exempted From Certain Provisions of the Act:

USPS has established regulations at 39 CFR 266.9 that exempt information contained in this system of records from various provisions of the Privacy Act in order to conform to the prohibition in the Bank Secrecy Act, 31 U.S.C. 5318(g)(2), against notification of the individual that a suspicious transaction has been reported.