AGENCY:

Federal Trade Commission (FTC).

ACTION:

Notice of modified systems of records.

SUMMARY:

The FTC is publishing in final form a modification to all FTC Privacy Act system of records notices (SORNs) by amending and bifurcating an existing global routine use relating to assistance in data breach responses, to conform with Office of Management and Budget (OMB) guidance to federal agencies, OMB Memorandum 17-12.

DATES:

August 8, 2018, except that the new routine use shall be effective September 7, 2018.

FOR FURTHER INFORMATION CONTACT:

G. Richard Gold and Alex Tang, Attorneys, Office of the General Counsel, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-2424.

SUPPLEMENTARY INFORMATION:

In a document previously published in the Federal Register, 83 FR 19560 (May 3, 2018), the Federal Trade Commission, as required by the Privacy Act, sought comments on a proposal to modify and bifurcate an existing routine use relating to assistance in data breach responses, which is applicable to all Federal Trade Commission SORNs, to conform with OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017). See 5 U.S.C. 552a(e)(4) and (11).

The comment period closed on June 4, 2018, and the FTC received three comments to the proposal to modify and bifurcate an existing routine use relating to assistance in data breach responses. The commenters were Xyampza Kerz, Thomas Dickinson, and Dave Root. Xyampza Kerz's comment expressed concerns about the privacy of homeowner's personal information posted on the Web when they buy a home and about internet searches that allow a searcher to find out your age and possibly lead to discrimination. M/M. Kerz also complains about the practices of an online entity and asks that the entity be shut down. These are important privacy issues but are not Start Printed Page 39096germane to the current public notice and comment process. We have referred M/M. Kerz's comment to the FTC's Consumer Response Center for entry into the Consumer Sentinel Network of complaints and related inquiries.

The second commenter, Thomas Dickinson, also filed a comment that is non-germane to the current public notice and comment process. Mr. Dickinson asks the FTC to apply a “monitor” to individuals' home phones that identifies violations of the Do-Not-Call Rule and allows the FTC to take appropriate punitive actions. We have also referred Mr. Dickinson's complaint to the FTC's Consumer Response Center for entry into the Consumer Sentinel Network.

The third commenter, Dave Root, commented that “due process and . . . [his] . . . privacy . . . [would] . . . be harmed by open access to sharing . . . [his] . . . personal info between all government agencies as outlined in this notice.” Mr. Root asked if there are “any safeguards against `political weaponization' without any accountability, by any federal, state or local governmental agency having access to this information.” Mr. Root asked for “`teeth' in the rule for anyone . . . that purposefully uses this information incorrectly . . . [meaning] . . . seriously enforced jail time for anyone who fails to act in the investigation and prosecution process.”

The revised routine use would not provide “open access” to “all government agencies” but would require that the FTC receive a request from another Federal agency or Federal entity that provides enough supporting information such that the FTC can determine that information from an FTC Privacy Act system or systems is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

The Privacy Act specifically provides civil remedies, 5 U.S.C. 552a(g), including damages, and criminal penalties, 5 U.S.C. 552a(i), for violations of the Act. In addition, an individual may be fined up to $5,000 for knowingly and willfully requesting or gaining access to a record about an individual under false pretenses. 5 U.S.C. 552a(i)(3).

As stated in the Federal Register Notice dated May 3, 2018, the FTC believes that the modified and bifurcated routine use on data breaches is compatible with the collection of information pertaining to individuals affected by a breach, and that the disclosure of such records will help prevent, minimize or remedy a data breach or compromise that may affect such individuals. By contrast, the FTC believes that failure to take reasonable steps to help prevent, minimize or remedy the harm that may result from such a breach or compromise would jeopardize, rather than promote, the privacy of such individuals.

The FTC provided a public comment period and notice to OMB and Congress as required by the Privacy Act and implementing OMB guidelines.^[1]

Accordingly, the FTC hereby amends Appendix I of its Privacy Act system notices, as published at 73 FR 33591, by revising item number (22), adding new item number (23), and re-designating the former item number (23) as (24) (without any other change) at the end of the existing routine uses set forth in that Appendix:

(22) To appropriate agencies, entities, and persons when (a) the FTC suspects or has confirmed that there has been a breach of the system of records; (b) the FTC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FTC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(23) To another Federal agency or Federal entity, when the FTC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(24) May be disclosed to FTC contractors, volunteers, interns or other authorized individuals who have a need for the record in order to perform their officially assigned or designated duties for or on behalf of the FTC.

History

73 FR 33591-33634 (June 12, 2008).

Footnotes