Privacy Act of 1974; System of Records, 31835-31836 [E7-11122]
Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Notices
Staff now estimates, based on the
ongoing experience of the Commission’s
Consumer Response Center, that an
individual will spend 5 minutes finding
and reviewing filing instructions, 13
minutes filing the law enforcement
report with the law enforcement agency
(due to added entry fields), and 5
minutes submitting the law enforcement
report and any additional information or
documentation to the information
furnisher or consumer reporting agency,
resulting in an average of 23 minutes for
each identity theft report. Thus, the
annual information collection burden
for the estimated 1.423 million new
identity theft reports due to the Rule
will be 545,000 hours, rounded to the
nearest thousand (1.423 million x 23
minutes ÷ 60 minutes/hour).
Estimated labor costs: $10,802,000
(rounded to the nearest thousand)
Commission staff derived labor costs
by applying appropriate hourly cost
figures to the burden hours described
above. Based on Bureau of Labor
Statistics data, further adjusted for
inflation, the average national hourly
wage for individuals is $19.82.\11\
Applied to 545,000 total burden hours
yields an estimated $10,802,000 in
cumulative labor costs for all those who
will newly obtain identity theft reports
($19.82 x 545,000 hours) as a projected
result of the Rule.
Estimated annual non-labor cost
burden: $0 or minimal
Staff believes that the Rule’s
paperwork burden imposes negligible
capital or other non-labor costs, as an
identity theft victim is likely to have the
necessary supplies and/or equipment
already (telephone, computer, paper,
envelopes) for purposes of obtaining the
identity theft report and submitting it to
information furnishers or consumer
reporting agencies.
William Blumenthal
General Counsel
[FR Doc. E7–11049 Filed 6–7–07: 8:45 am]
[Billing code: 6750 – 01S]
\11\ An hourly rate of $18.62 was drawn from
average annual Bureau of Labor Statistics National
Compensation Survey data, June 2005 (with 2005 as
the most recent whole year information available,
and June the focal median point),
https://www.bls.gov/ncs/ocs/sp/ncbl0832.pdf (Table 1.1).
Further adjusted by a multiplier of 1.06426 (a
compounding for approximate wage inflation for
2005 and 2006, based on the BLS Employment Cost
Index), the revised hourly wage is $19.82.
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
National Committee on Vital and Health
Statistics: Meeting
Pursuant to the Federal Advisory
Committee Act, the Department of
Health and Human Services (HHS)
announces the following advisory
committee meeting.
Name: National Committee on Vital and
Health Statistics (NCVHS).
Time and Date: June 20, 2007: 9 a.m.–3:15
p.m.; June 21, 2007: 9 a.m.–3 p.m.
Place: Natcher Center, Building 45,
National Institutes of Health, Bethesda
Campus, Bethesda, MD.
Status: Open.
Purpose: At this meeting the Committee
will hear presentations and hold discussions
on several health data policy topics. On the
morning and afternoon of the first day the
Committee will hear updates and status
reports from its subcommittees as well as a
briefing on the 5010 transaction data set.
On the morning of the second day the
Committee will first hear updates from the
Department on activities of the Data Council
and the Office of the National Coordinator for
Health Information Technology (ONCHIT)
followed by Committee actions on selected
topics from the subcommittees. The next
item will be a briefing on the International
Health Terminology Standards Development
Organization (IHTSDO). This briefing will be
followed by a discussion of secondary uses
of electronic medical record information
which will continue after the noon break.
There will be a short discussion of future
agendas before the meeting adjourns.
The times shown above are for the full
Committee meeting. Subcommittee breakout
sessions are scheduled for late in the
afternoon of the first day and in the morning
prior to the full Committee meeting on the
second day. Agendas for these breakout
sessions will be posted on the NCVHS Web
site (URL below) when available.
Contact Person for More Information:
Substantive program information as well as
summaries of meetings and a roster of
committee members may be obtained from
Marjorie S. Greenberg, Executive Secretary,
NCVHS, National Center for Health Statistics,
Centers for Disease Control and Prevention,
3311 Toledo Road, Room 2402, Hyattsville,
Maryland 20782, telephone (301) 458–4245.
Information also is available on the NCVHS
home page of the HHS Web site:
https://www.ncvhs.hhs.gov/, where further
information including an agenda will be
posted when available.
Should you require reasonable
accommodation, please contact the CDC
Office of Equal Employment Opportunity on
(301) 458–4EEO (4336) as soon as possible.
Dated: May 31, 2007.
James Scanlon,
Deputy Assistant Secretary for Planning and
Evaluation (SDP), Office of the Assistant
Secretary for Planning and Evaluation.
[FR Doc. 07–2861 Filed 6–7–07; 8:45 am]
BILLING CODE 4151–05–M
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Administration on Aging
Agency Information Collection
Activities; Proposed Collection;
Comment Request; Fourth National
Study of Older Americans Act
Recipients
AGENCY: Administration on Aging, HHS.
[Federal Register Volume 72, Number 110 (Friday, June 8, 2007)]
[Notices]
[Pages 31835-31836]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-11122]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
Privacy Act of 1974; System of Records
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice of routine use.
-----------------------------------------------------------------------
SUMMARY: The FTC is adopting in final form a new routine use that
permits disclosure of FTC records protected by the Privacy Act when
reasonably necessary to respond and prevent, minimize, or remedy harm
that may result from an agency data breach or compromise.
DATES: The routine use is effective June 8, 2007.
FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, FTC, Office of
General Counsel, 600 Pennsylvania Ave. NW, Washington, DC 20580,
202-326-2447, atang@ftc.gov.
SUPPLEMENTARY INFORMATION: In a document previously published in the
FEDERAL REGISTER, 72 FR 14814 (Mar. 29, 2007), the FTC, as required by
the Privacy Act of 1974, 5 U.S.C. 552a, sought comments on a proposed
new ``routine use'' of the FTC's Privacy Act records systems.\1\ As the
FTC explained, the new routine use, the text of which is set forth at
the end of this document,\2\ is necessary to allow for disclosures of
Privacy Act records by the FTC to appropriate persons and entities for
purposes of response and remedial efforts in the event of a breach of
data contained in the protected systems. The routine use will
facilitate an effective response to a confirmed or suspected breach by
allowing for disclosure to individuals affected by the breach, in
cases, if any, where such disclosure is not otherwise authorized under
the Act. The routine use will also authorize disclosures to others who
are in a position to assist in response efforts, either by assisting in
notification to affected individuals or otherwise playing a role in
preventing, minimizing, or remedying harms from the breach. The FTC
explained that this new routine use would be added to Appendix 1 of the
FTC's Privacy Act system notice; that Appendix describes the routine
uses that apply globally to all FTC Privacy Act records systems.\3\
---------------------------------------------------------------------------
\1\ The FTC simultaneously provided OMB and the Congress with 40
days advance notice of the proposed routine use, as required by the
Privacy Act, 5 U.S.C. 552a(r), and OMB Circular A-130, Revised,
Appendix I.
\2\ The text of the routine use was taken from the routine use
that has already been published in final form by the Department of
Justice after public comment. See 72 FR 3410 (Jan. 25, 2007).
\3\ See 57 FR 45678 (1992),
https://www.ftc.gov/foia/sysnot/appendix1.pdf. A list of the agency's
current Privacy Act records systems can be viewed on the FTC's web site
at: https://www.ftc.gov/foia/listofpasystems.htm.
---------------------------------------------------------------------------
The Privacy Act authorizes agencies, after public notice and
comment, to adopt routine uses that are compatible with the purpose for
which information subject to the Act has been collected. 5 U.S.C.
552a(b)(3); see also 5 U.S.C. 552a(a)(7). The FTC believes that it is
consistent with the agency's collection of information pertaining to
individuals under the Privacy Act to disclose such records when, in
doing so, it will help prevent, minimize or remedy a data breach or
compromise that may affect such individuals. By contrast, the FTC
believes that failure to take reasonable steps to help prevent,
minimize or remedy the harm that may result from such a breach or
compromise would jeopardize, rather than promote, the privacy of such
individuals.
In seeking public comments on the proposed routine use, the FTC
explained that it would take into account any such comments and make
appropriate or necessary revisions, if any, before publishing the
proposed routine use as final. In response, the FTC received one
comment, from the Electronic Privacy Information Center (EPIC).\4\
---------------------------------------------------------------------------
\4\ See https://www.ftc.gov/os/publiccomments.shtm (#207).
---------------------------------------------------------------------------
First, EPIC urges that the FTC narrow the proposed routine use to
the minimum required to fulfill the agency's stated purpose. EPIC
questions what standards or requirements the agency would follow in
determining the Privacy Act disclosures to be made in the case of a
data breach, and wonders whether the agency would now be routinely
disclosing Social Security numbers or other sensitive personal
information to other agencies, entities and persons in every data
breach investigation. Recognizing that specific disclosures may be
necessary, EPIC suggests, for example, that the FTC could create tiers
of access, allowing specific categories of individuals limited access
to data, according to the needs of the agency's investigation.
The FTC agrees that any disclosure of Privacy Act records in order
to investigate or remedy a breach must be necessary and narrowly
tailored to the circumstances. The FTC believes that the restriction on
disclosures to those that are ``reasonably necessary'' accurately and
appropriately describes the relevant limitation on disclosures under
this routine use. The scope of potential disclosures authorized by that
routine use is not intended to suggest that the FTC will always
disclose all of an individual's records, if any, every time there is a
breach that the agency needs to investigate or mitigate. Rather, the
purpose and intent of the routine use is to give individuals full and
fair notice of the extent of potential
[[Page 31836]]
disclosures, consistent with the Privacy Act's requirement that
individuals be made aware of how their records may be disclosed, even
if the FTC anticipates that there may often be very limited or no
disclosure of an individual's records to third parties as part of the
agency's investigatory or remedial efforts.
Developing fixed categories of access for certain entities or
individuals, as EPIC suggests, would not appear to confer significantly
greater protection, if any, for an individual's records than limiting
disclosures to those that are ``reasonably necessary.'' The
determination of when disclosure is ``reasonably necessary'' will
logically depend on a case-by-case evaluation of the specific
circumstances of the breach, including how much of an individual's
information, if any, it is reasonably necessary to disclose, and the
specific nature of the entities to whom such information needs to be
disclosed, in order to investigate or respond to a breach.\5\ Amending
a routine use to accommodate disclosures in response to a breach is not
a viable option when there is a clear need to respond rapidly and
effectively in investigating and mitigating the breach, in light of the
prior notice and comment requirements of the Privacy Act for routine
use amendments.
---------------------------------------------------------------------------
\5\ For example, under FTC rules, disclosures to other law
enforcement agencies may be made on a confidential basis for law
enforcement purposes. See Commission Rule 4.11(c), 16 CFR 4.11(c).
---------------------------------------------------------------------------
Second, EPIC's comment advocates that consumers be notified as soon
as possible after a security breach results in their personal
information being accessed by an unauthorized person, and before
notifying any other agency, entity or individual. That issue, however,
is outside the scope of a routine use notice under the Privacy Act. The
Act requires that agencies notify individuals about the establishment
of a Privacy Act system of records, the routine uses of such systems of
records, and additional notice at the time that information in such a
system is collected from individuals.
Nothing in the Act, however, governs or provides criteria for
determining when notice of a data breach to affected individuals would
be appropriate or not. Guidance on that issue has been issued to all
Federal agencies by the Office of Management & Budget (OMB), in
conjunction with the President's Identity Theft Task Force, chaired by
the Attorney General and co-chaired by the FTC Chairman.\6\ As stated
in that guidance, agencies must consider various factors in determining
whether notice is appropriate in a given case. The routine use
published by the FTC neither addresses nor is it intended to supersede
or supplant such guidance, or any other applicable guidance that may
later arise in applicable statute, rule or policy regarding when notice
to individuals must or should be given.
---------------------------------------------------------------------------
\6\ See Memorandum for the Heads of Department and Agencies,
from Clay Johnson, Deputy Director for Management, OMB,
``Recommendations for Identity Theft Related Data Breach
Notification'' (Sept. 20, 2006) (attaching Memorandum from the
Identity Theft Task Force, ``Identity Theft Related Data Security
Breach Notification Guidance'' (Sept. 19, 2006), also reproduced in
The President's Identity Theft Task Force, Combating Identity Theft:
A Strategic Plan (Apr. 2007) at 73-82 (App. A)).
---------------------------------------------------------------------------
Accordingly, after consideration of the above, the FTC has
determined to adopt the routine use for data breach as originally
published, and hereby amends Appendix 1 of its Privacy Act system
notices, as published at 57 FR 45678, by adding the following new
routine use at the end of the existing routine uses set forth in that
Appendix:
* * *
To appropriate agencies, entities, and persons when (1) the FTC
suspects or has confirmed that the security or confidentiality of
information in the system of records has been compromised; (2) the FTC
has determined that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
identity theft or fraud, or harm to the security or integrity of this
system or other systems or programs (whether maintained by the FTC or
another agency or entity) that rely upon the compromised information;
and (3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with the FTC's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. E7-11122 Filed 6-7-07: 8:45 am]
[BILLING CODE 6750-01-S]