2019-18159. Agency Information Collection Activities: Information Collection Renewal; Submission for OMB Review; Guidance Regarding Unauthorized Access to Customer Information
-
Start Preamble
Start Printed Page 44354
AGENCY:
Office of the Comptroller of the Currency (OCC), Treasury.
ACTION:
Notice and request for comment.
SUMMARY:
The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites the general public and other federal agencies to take this opportunity to comment on a continuing information collection as required by the Paperwork Reduction Act of 1995 (PRA).
In accordance with the requirements of the PRA, the OCC may not conduct or sponsor, and respondents are not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.
The OCC is soliciting comment concerning the renewal of its information collection titled, “Guidance Regarding Unauthorized Access to Customer Information.” The OCC also is giving notice that it has submitted the collection to OMB for review.
DATES:
Comments must be submitted on or before September 23, 2019.
ADDRESSES:
Commenters are encouraged to submit comments by email, if possible. You may submit comments by any of the following methods:
- Email: prainfo@occ.treas.gov.
- Mail: Chief Counsel's Office, Attention: Comment Processing, 1557-0227, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
- Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
- Fax: (571) 465-4326.
Instructions: You must include “OCC” as the agency name and “1557-0227” in your comment. In general, the OCC will publish comments on www.reginfo.gov without change, including any business or personal information provided, such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.
Additionally, please send a copy of your comments by mail to: OCC Desk Officer, 1557-0227, U.S. Office of Management and Budget, 725 17th Street NW, #10235, Washington, DC 20503 or by email to oira_submission@omb.eop.gov.
You may review comments and other related materials that pertain to this information collection [1] following the close of the 30-day comment period for this notice by any of the following methods:
- Viewing Comments Electronically: Go to www.reginfo.gov. Click on the “Information Collection Review” tab. Underneath the “Currently under Review” section heading, from the drop-down menu select “Department of Treasury” and then click “submit.” This information collection can be located by searching by OMB control number “1557-0227” or “Notice Regarding Unauthorized Access to Customer Information.” Upon finding the appropriate information collection, click on the related “ICR Reference Number.” On the next screen, select “View Supporting Statement and Other Documents” and then click on the link to any comment listed at the bottom of the screen.
- For assistance in navigating www.reginfo.gov,, please contact the Regulatory Information Service Center at (202) 482-7340.
- Viewing Comments Personally: You may personally inspect comments at the OCC, 400 7th Street SW, Washington, DC. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700 or, for persons who are deaf or hearing impaired, TTY, (202) 649-5597. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect comments.
FOR FURTHER INFORMATION CONTACT:
Shaquita Merritt, OCC Clearance Officer, (202) 649-5490 or, for persons who are deaf or hearing impaired, TTY, (202) 649-5597, Chief Counsel's Office, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
Under the PRA (44 U.S.C. 3501 et seq.), federal agencies must obtain approval from the OMB for each collection of information they conduct or sponsor. “Collection of information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The OCC asks OMB to extend its approval of the information collection contained in this notice.
Title: Guidance Regarding Unauthorized Access to Customer Information.
OMB Control No.: 1557-0227.
Description: Section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)) requires the OCC to establish appropriate standards for national banks relating to administrative, technical, and physical safeguards: (1) To insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.
The Interagency Guidelines Establishing Information Security Standards, 12 CFR part 30, appendix B (Security Guidelines), which implement section 501(b), require each entity supervised by the OCC (supervised institution) to consider and adopt a response program, as appropriate, that specifies actions to be taken when the supervised institution suspects or detects that unauthorized individuals have gained access to customer information systems.
The Interagency Guidance on Response Programs for Unauthorized Customer Information and Customer Notice (Breach Notice Guidance),[2] which interprets the Security Guidelines, states that, at a minimum, a supervised institution's response program should contain procedures for:
(1) Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
(2) Notifying its primary federal regulator as soon as possible when the supervised institution becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information;
(3) Taking appropriate steps to contain and control the incident in an effort to prevent further unauthorized access to, or use of, customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
(4) Notifying customers when warranted.
The Breach Notice Guidance states that, when a financial institution Start Printed Page 44355becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that the information has been misused. If the institution determines that the misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Estimated Number of Respondents: 20.
Total Estimated Annual Burden: 720 hours.
Frequency of Response: On occasion.
On April 9, 2019, the OCC issued a notice for 60 days of comment concerning this collection, 84 FR 14194. No comments were received. Comments continue to be invited on:
(a) Whether the collection of information is necessary for the proper performance of the functions of the OCC, including whether the information has practical utility;
(b) The accuracy of the OCC's estimate of the burden of the information collection;
(c) Ways to enhance the quality, utility, and clarity of the information to be collected;
(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
Start SignatureDated: August 19, 2019.
Theodore J. Dowd,
Deputy Chief Counsel, Office of the Comptroller of the Currency.
Footnotes
1. On April 9, 2019, the OCC published a 60-day notice for this information collection, 84 FR 14194.
Back to Citation2. 12 CFR part 30, appendix B, supplement A.
Back to Citation[FR Doc. 2019-18159 Filed 8-22-19; 8:45 am]
BILLING CODE 4810-33-P
Document Information
- Published:
- 08/23/2019
- Department:
- Comptroller of the Currency
- Entry Type:
- Notice
- Action:
- Notice and request for comment.
- Document Number:
- 2019-18159
- Dates:
- Comments must be submitted on or before September 23, 2019.
- Pages:
- 44354-44355 (2 pages)
- PDF File:
- 2019-18159.pdf