Privacy Act of 1974; System of Records, 31835-31836 [E7-11122]



[Federal Register Volume 72, Number 110 (Friday, June 8, 2007)]
[Notices]
[Pages 31835-31836]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-11122]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of routine use.

-----------------------------------------------------------------------

SUMMARY: The FTC is adopting in final form a new routine use that 
permits disclosure of FTC records protected by the Privacy Act when 
reasonably necessary to respond and prevent, minimize, or remedy harm 
that may result from an agency data breach or compromise.

DATES: The routine use is effective June 8, 2007.

FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, FTC, Office of 
General Counsel, 600 Pennsylvania Ave. NW, Washington, DC 20580, 202-
326-2447, atang@ftc.gov.

SUPPLEMENTARY INFORMATION: In a document previously published in the 
FEDERAL REGISTER, 72 FR 14814 (Mar. 29, 2007), the FTC, as required by 
the Privacy Act of 1974, 5 U.S.C. 552a, sought comments on a proposed 
new ``routine use'' of the FTC's Privacy Act records systems.\1\ As the 
FTC explained, the new routine use, the text of which is set forth at 
the end of this document,\2\ is necessary to allow for disclosures of 
Privacy Act records by the FTC to appropriate persons and entities for 
purposes of response and remedial efforts in the event of a breach of 
data contained in the protected systems. The routine use will 
facilitate an effective response to a confirmed or suspected breach by 
allowing for disclosure to individuals affected by the breach, in 
cases, if any, where such disclosure is not otherwise authorized under 
the Act. The routine use will also authorize disclosures to others who 
are in a position to assist in response efforts, either by assisting in 
notification to affected individuals or otherwise playing a role in 
preventing, minimizing, or remedying harms from the breach. The FTC 
explained that this new routine use would be added to Appendix 1 of the 
FTC's Privacy Act system notice; that Appendix describes the routine 
uses that apply globally to all FTC Privacy Act records systems.\3\
---------------------------------------------------------------------------

    \1\ The FTC simultaneously provided OMB and the Congress with 40 
days advance notice of the proposed routine use, as required by the 
Privacy Act, 5 U.S.C. 552a(r), and OMB Circular A-130, Revised, 
Appendix I.
    \2\ The text of the routine use was taken from the routine use 
that has already been published in final form by the Department of 
Justice after public comment. See 72 FR 3410 (Jan. 25, 2007).
    \3\ See 57 FR 45678 (1992), http://www.ftc.gov/foia/sysnot/
appendix1.pdf. A list of the agency's current Privacy Act records 
systems can be viewed on the FTC's web site at: http://www.ftc.gov/
foia/listofpasystems.htm.
---------------------------------------------------------------------------

    The Privacy Act authorizes agencies, after public notice and 
comment, to adopt routine uses that are compatible with the purpose for 
which information subject to the Act has been collected. 5 U.S.C. 
552a(b)(3); see also 5 U.S.C. 552a(a)(7). The FTC believes that it is 
consistent with the agency's collection of information pertaining to 
individuals under the Privacy Act to disclose such records when, in 
doing so, it will help prevent, minimize or remedy a data breach or 
compromise that may affect such individuals. By contrast, the FTC 
believes that failure to take reasonable steps to help prevent, 
minimize or remedy the harm that may result from such a breach or 
compromise would jeopardize, rather than promote, the privacy of such 
individuals.
    In seeking public comments on the proposed routine use, the FTC 
explained that it would take into account any such comments and make 
appropriate or necessary revisions, if any, before publishing the 
proposed routine use as final. In response, the FTC received one 
comment, from the Electronic Privacy Information Center (EPIC).\4\
---------------------------------------------------------------------------

    \4\ See http://www.ftc.gov/os/publiccomments.shtm 
(#207).
---------------------------------------------------------------------------

    First, EPIC urges that the FTC narrow the proposed routine use to 
the minimum required to fulfill the agency's stated purpose. EPIC 
questions what standards or requirements the agency would follow in 
determining the Privacy Act disclosures to be made in the case of a 
data breach, and wonders whether the agency would now be routinely 
disclosing Social Security numbers or other sensitive personal 
information to other agencies, entities and persons in every data 
breach investigation. Recognizing that specific disclosures may be 
necessary, EPIC suggests, for example, that the FTC could create tiers 
of access, allowing specific categories of individuals limited access 
to data, according to the needs of the agency's investigation.
    The FTC agrees that any disclosure of Privacy Act records in order 
to investigate or remedy a breach must be necessary and narrowly 
tailored to the circumstances. The FTC believes that the restriction on 
disclosures to those that are ``reasonably necessary'' accurately and 
appropriately describes the relevant limitation on disclosures under 
this routine use. The scope of potential disclosures authorized by that 
routine use is not intended to suggest that the FTC will always 
disclose all of an individual's records, if any, every time there is a 
breach that the agency needs to investigate or mitigate. Rather, the 
purpose and intent of the routine use is to give individuals full and 
fair notice of the extent of potential

[[Page 31836]]

disclosures, consistent with the Privacy Act's requirement that 
individuals be made aware of how their records may be disclosed, even 
if the FTC anticipates that there may often be very limited or no 
disclosure of an individual's records to third parties as part of the 
agency's investigatory or remedial efforts.
    Developing fixed categories of access for certain entities or 
individuals, as EPIC suggests, would not appear to confer significantly 
greater protection, if any, for an individual's records than limiting 
disclosures to those that are ``reasonably necessary.'' The 
determination of when disclosure is ``reasonably necessary'' will 
logically depend on a case-by-case evaluation of the specific 
circumstances of the breach, including how much of an individual's 
information, if any, it is reasonably necessary to disclose, and the 
specific nature of the entities to whom such information needs to be 
disclosed, in order to investigate or respond to a breach.\5\ Amending 
a routine use to accommodate disclosures in response to a breach is not 
a viable option when there is a clear need to respond rapidly and 
effectively in investigating and mitigating the breach, in light of the 
prior notice and comment requirements of the Privacy Act for routine 
use amendments.
---------------------------------------------------------------------------

    \5\ For example, under FTC rules, disclosures to other law 
enforcement agencies may be made on a confidential basis for law 
enforcement purposes. See Commission Rule 4.11(c), 16 CFR 4.11(c).
---------------------------------------------------------------------------

    Second, EPIC's comment advocates that consumers be notified as soon 
as possible after a security breach results in their personal 
information being accessed by an unauthorized person, and before 
notifying any other agency, entity or individual. That issue, however, 
is outside the scope of a routine use notice under the Privacy Act. The 
Act requires that agencies notify individuals about the establishment 
of a Privacy Act system of records, the routine uses of such systems of 
records, and additional notice at the time that information in such a 
system is collected from individuals.
    Nothing in the Act, however, governs or provides criteria for 
determining when notice of a data breach to affected individuals would 
be appropriate or not. Guidance on that issue has been issued to all 
Federal agencies by the Office of Management & Budget (OMB), in 
conjunction with the President's Identity Theft Task Force, chaired by 
the Attorney General and co-chaired by the FTC Chairman.\6\ As stated 
in that guidance, agencies must consider various factors in determining 
whether notice is appropriate in a given case. The routine use 
published by the FTC neither addresses that question nor is intended to 
supersede or supplant such guidance, or any other applicable guidance 
that may later arise in statute, rule or policy regarding when notice 
to individuals must or should be given.
---------------------------------------------------------------------------

    \6\ See Memorandum for the Heads of Department and Agencies, 
from Clay Johnson, Deputy Director for Management, OMB, 
``Recommendations for Identity Theft Related Data Breach 
Notification'' (Sept. 20, 2006) (attaching Memorandum from the 
Identity Theft Task Force, ``Identity Theft Related Data Security 
Breach Notification Guidance'' (Sept. 19, 2006), also reproduced in 
The President's Identity Theft Task Force, Combating Identity Theft: 
A Strategic Plan (Apr. 2007) at 73-82 (App. A)).
---------------------------------------------------------------------------

    Accordingly, after consideration of the above, the FTC has 
determined to adopt the routine use for data breach as originally 
published, and hereby amends Appendix 1 of its Privacy Act system 
notices, as published at 57 FR 45678, by adding the following new 
routine use at the end of the existing routine uses set forth in that 
Appendix:
    * * *
    To appropriate agencies, entities, and persons when (1) the FTC 
suspects or has confirmed that the security or confidentiality of 
information in the system of records has been compromised; (2) the FTC 
has determined that as a result of the suspected or confirmed 
compromise there is a risk of harm to economic or property interests, 
identity theft or fraud, or harm to the security or integrity of this 
system or other systems or programs (whether maintained by the FTC or 
another agency or entity) that rely upon the compromised information; 
and (3) the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with the FTC's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm.
    By direction of the Commission.
    Donald S. Clark
    Secretary
[FR Doc. E7-11122 Filed 6-7-07: 8:45 am]
[BILLING CODE 6750-01-S]