Privacy Act of 1974; System of Records, 19560-19563 [2018-09333]

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c).

The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 4, 2018. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at www.ftc.gov/privacy.

Analysis to Aid Public Comment

In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, this document provides public notice that the FTC is proposing to modify and bifurcate an existing routine use relating to assistance in data breach responses, which is applicable to all FTC SORNs, to conform with OMB Memorandum M–17–12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017). A list of the agency’s current Privacy Act records systems is set out below and can be viewed on the FTC’s website at: www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The modified and bifurcated routine use would be included in Appendix I, Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records, which describes routine uses that apply globally to all FTC Privacy Act records systems. Appendix I was previously published at 73 FR 33592 (June 12, 2008), the text of which is available on the FTC’s website at the above hyperlink and would be updated accordingly.
System number and name

FTC–I–1—Nonpublic Investigational and Other Nonpublic Legal Program Records
FTC–I–2—Disciplinary Action Investigatory Files
FTC–I–3—Informal Advisory Opinion Request and Response Files
FTC–I–4—Clearance Application and Response Files
FTC–I–5—Matter Management System
FTC–I–6—Public Records
FTC–I–7—Office of Inspector General Investigative Files
FTC–I–8—Stenographic Reporting Services Request System
FTC–II–1—General Personnel Records
FTC–II–2—Unofficial Personnel Records
FTC–II–3—Worker’s Compensation

Federal Register citations \1\

76 FR 60125; 75 FR 52749–52751; 74 FR 17863–17866; * 73 FR 33591–33634; * 73 FR 33591–33634; * 73 FR 33591–33634; * 73 FR 33591–33634; * 82 FR 50872–50882; * 73 FR 33591–33634; * 82 FR 50872–50882; 80 FR 9460–9465; * 73 FR 33591–33634; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; * 82 FR 50872–50882

System number and name

FTC–II–4—Employment Application-Related Records
FTC–II–5—Equal Employment Opportunity Statistical Reporting System
FTC–II–6—Discrimination Complaint System
FTC–II–7—Ethics Program Records
FTC–II–8—Employee Adverse Action and Disciplinary Records
FTC–II–9—Claimants Under Federal Tort Claims Act and Military Personnel and Civilian Employees’ Claims Act
FTC–II–10—Employee Health Care Records
FTC–II–11—Personnel Security, Identity Management, and Access Control Records System
FTC–II–12—e-Train Learning Management System
FTC–II–13—Staff Time and Activity Reporting (STAR) System
FTC–III–1—Personnel Payroll System
FTC–III–2—Travel Management System
FTC–III–3—Financial Management System
FTC–III–4—Automated Acquisitions System
FTC–III–5—Employee Transportation Program Records
FTC–IV–1—Consumer Information System
FTC–IV–2—Miscellaneous Office Correspondence Tracking System Records
FTC–IV–3—National Do Not Call Registry System
FTC–V–1—Freedom of Information Act Requests and Appeals
FTC–V–2—Privacy Act Requests and Appeals
FTC–VI–1—Mailing and Contact Lists
FTC–VII–1—Automated Library Management System
FTC–VII–2—Employee Locator (STAFFID) System
FTC–VII–3—Computer Systems User Identification and Access Records
FTC–VII–4—Call Detail Records
FTC–VII–5—Property Management System
FTC–VII–6—Document Management and Retrieval System
FTC–VII–7—Information Technology Service Ticket System
FTC–VII–8—Administrative Service Call System

Federal Register citations \1\

* 80 FR 9460–9465; 73 FR 33591–33634; * 82 FR 50872–50882; 75 FR 52749–52751; 73 FR 33591–33634; 80 FR 9460–9465; 75 FR 52749–52751; 74 FR 17863–17866; * 73 FR 33591–33634; 80 FR 9460–9465; * 73 FR 33591–33634; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; * 82 FR 50872–50882; 80 FR 9460–9465; * 73 FR 33591–33634; 80 FR 9460–9465; 75 FR 52749–52751; 73 FR 33591–33634; * 73 FR 33591–33634; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; * 82 FR 50872–50882; 80 FR 9460–9465; * 73 FR 33591–33634; * 73 FR 33591–33634; * 82 FR 50872–50882; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; * 73 FR 33591–33634; 74 FR 17863–17866; * 73 FR 33591–33634; * 82 FR 50872–50882; * 73 FR 33591–33634; * 73 FR 33591–33634; 80 FR 9460–9465; * 73 FR 33591–33634; 80 FR 9460–9465; 74 FR 17863–17866; 80 FR 9460–9465; 74 FR 17863–17866; * 73 FR 33591–33634; * 73 FR 33591–33634; 80 FR 9460–9465; * 73 FR 33591–33634

\1\ An asterisk (*) designates the last full Federal Register notice that includes all of the elements that are required to be in a System of Records Notice.

Appendices Applicable to all FTC Systems

Appendix I—Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records: 73 FR 33591–33634
Appendix II—How To Make A Privacy Act Request: 73 FR 33591–33634
Appendix III—Locations of FTC Buildings and Regional Offices: 80 FR 9460–9465

The Privacy Act authorizes the agency to adopt routine uses that are consistent with the purpose for which information is collected. 5 U.S.C. 552a(b)(3); see also 5 U.S.C. 552a(a)(7). On June 8, 2007, in response to a recommendation by The President’s Identity Theft Task Force \2\ and using model language issued by the Department of Justice, the FTC published a new routine use that allowed for disclosure of records to appropriate persons and entities for purposes of response and remedial efforts in the event of a breach of data contained in the protected systems. 72 FR 31835. This routine use, currently included in Appendix I, Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records, states as follows:

\2\ See The President’s Identity Theft Task Force Report (September 2008) at https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf.

(22) May be disclosed to appropriate agencies, entities, and persons when: (a) The FTC suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (b) the FTC has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the FTC or another agency or entity) that rely upon the compromised information; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Since 2007, OMB has determined that agencies needed authority to make disclosures that go beyond those contemplated by the original routine use. Thus, in January 2017, OMB issued in M–17–12, directing the Senior Agency Official for Privacy (SAOP) of each agency to include the following routine use in each of the agency’s SORNs to facilitate the agency’s response to a breach of its own records:

To appropriate agencies, entities, and persons when (1) [the agency] suspects or has confirmed that there has been a breach of the system of records, (2) [the agency] has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, [the agency] (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with [the agency’s] efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.\3\

In M–17–12, OMB also directed the SAOP to ensure that agencies are able to disclose records in their systems of records that may reasonably be needed by another agency in responding to a breach by incorporating the following additional routine use into each of the agency’s SORNs:

To another Federal agency or Federal entity, when [the agency] determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.\4\

Although the first proposed routine use required by M–17–12 is very similar to the language of the FTC’s original routine use as finalized in 2007, OMB’s 2017 version more specifically addresses harm to individuals and expands the concept to make clear that it is not limited to identity theft or financial/property damage.
With regard to the second proposed routine use, breaches affecting Federal personnel data have shown the need for an additional routine use that expressly allows an agency to disclose information from a system of records (e.g., current contact information for the agency’s employees or other individuals) to another Federal agency when reasonably needed by that agency to respond to a breach (e.g., providing notice to the affected individuals), to take any other steps to prevent, minimize, or remedy the risk of harm to affected individuals or that agency’s information systems, programs, or operations, and, if necessary, to address the broader risk of harm, if any, to the Federal Government or national security that may arise from the breach. The FTC’s existing routine use, while allowing disclosure to other agencies, does so in the limited context of a breach of the FTC’s own system(s) of records.

For the reasons stated above, the FTC believes that it is compatible with the collection of information pertaining to individuals affected by a breach to disclose Privacy Act records about them when, in doing so, it will help prevent, minimize or remedy a data breach or compromise that may affect such individuals. By contrast, the FTC believes that failure to take reasonable steps to help prevent, minimize or remedy the harm that may result from such a breach or compromise would jeopardize, rather than promote, the privacy of such individuals. Accordingly, the Commission concludes that it is authorized under the Privacy Act to adopt the proposed and updated routine uses permitting disclosure of Privacy Act records for the purposes described above.

In accordance with the Privacy Act, see 5 U.S.C. 552a(e)(4) and (11), the FTC is publishing notice of these routine uses and giving the public a 30-day period to comment before adopting them as final. The FTC has provided advance notice of this proposed system notice amendment to OMB and the Congress, as required by the Act, 5 U.S.C. 552a(r), and OMB Circular A–108 (2016). As set forth below, the Commission proposes that the new routine uses become effective on the date noted earlier, unless the Commission amends or revokes the routine uses on the basis of any comments received.

Accordingly, the FTC hereby proposes to amend Appendix I of its Privacy Act system notices, as published at 73 FR 33591, by revising item number (22), adding new item number (23), and redesignating the former item number (23) as (24) (without any other change) at the end of the existing routine uses set forth in that Appendix:

* * * * *

(22) To appropriate agencies, entities, and persons when (a) the FTC suspects or has confirmed that there has been a breach of the system of records, (b) the FTC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FTC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(23) To another Federal agency or Federal entity, when the FTC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(24) May be disclosed to FTC contractors, volunteers, interns or other authorized individuals who have a need for the record in order to perform their officially assigned or designated duties for or on behalf of the FTC.

History

73 FR 33591–33634 (June 12, 2008).

By direction of the Commission.
Donald S. Clark,
Secretary.

[FR Doc. 2018–09333 Filed 5–2–18; 8:45 am]
BILLING CODE 6750–01–P

\3\ Hereafter, this is referred to as the “first proposed routine use.”
\4\ Hereafter, this is referred to as the “second proposed routine use.”


[Federal Register Volume 83, Number 86 (Thursday, May 3, 2018)]
[Notices]
[Pages 19560-19563]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-09333]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of modified systems of records.

-----------------------------------------------------------------------

SUMMARY: The FTC proposes to modify all FTC Privacy Act system of 
records notices (SORNs) by amending and bifurcating an existing routine 
use relating to assistance in data breach responses, to conform with 
Office of Management and Budget (OMB) guidance to federal agencies, OMB 
Memorandum 17-12.

DATES: Comments must be submitted by June 4, 2018. This routine use, 
which is being published in proposed form, shall become final and 
effective July 2, 2018, without further notice unless otherwise amended 
or repealed by the Commission on the basis of any comments received.

ADDRESSES: Interested parties are invited to submit written comments by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Comments should refer to 
``Privacy Act of 1974; System of Records: FTC File No. P072104'' to 
facilitate the organization of comments. Please file your comment 
online at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse 
by following the instructions on the web-based form. If you prefer to 
file your comment on paper, mail or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 
20580, or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: G. Richard Gold and Alex Tang, 
Attorneys, Office of the General Counsel, FTC, 600 Pennsylvania Avenue 
NW, Washington, DC 20580, (202) 326-2424.

SUPPLEMENTARY INFORMATION:

[[Page 19561]]

Request for Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 4, 2018. 
Write ``Privacy Act of 1974; System of Records: FTC File No. P072104'' 
on your comment. Your comment--including your name and your state--will 
be placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission website, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, the Commission encourages 
you to submit your comments online. To make sure that the Commission 
considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse by following the 
instructions on the web-based form. If this Notice appears at 
www.regulations.gov, you also may file a comment through that website.
    If you file your comment on paper, write ``Privacy Act of 1974; 
System of Records: FTC File No. P072104'' on your comment and on the 
envelope, and mail it to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street, SW, 5th Floor, Suite 5610 (Annex 
J), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
website at www.ftc.gov, you are solely responsible for making sure that 
your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Once your comment has been posted on the public FTC website--as 
legally required by FTC Rule 4.9(b)--we cannot redact or remove your 
comment from the FTC website, unless you submit a confidentiality 
request that meets the requirements for such treatment under FTC Rule 
4.9(c), and the General Counsel grants that request. Comments 
containing material for which confidential treatment is requested must 
be filed in paper form, must be clearly labeled ``Confidential,'' and 
must comply with FTC Rule 4.9(c). In particular, the written request 
for confidential treatment that accompanies the comment must include 
the factual and legal basis for the request, and must identify the 
specific portions of the comment to be withheld from the public record. 
See FTC Rule 4.9(c).
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before June 4, 2018. 
You can find more information, including routine uses permitted by the 
Privacy Act, in the Commission's privacy policy, at www.ftc.gov/privacy.

Analysis to Aid Public Comment

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, this 
document provides public notice that the FTC is proposing to modify and 
bifurcate an existing routine use relating to assistance in data breach 
responses, which is applicable to all FTC SORNs, to conform with OMB 
Memorandum M-17-12, Preparing for and Responding to a Breach of 
Personally Identifiable Information (January 3, 2017). A list of the 
agency's current Privacy Act records systems is set out below and can 
be viewed on the FTC's website at: www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The modified and bifurcated routine 
use would be included in Appendix I, Authorized Disclosures and Routine 
Uses Applicable to All FTC Privacy Act Systems of Records, which 
describes routine uses that apply globally to all FTC Privacy Act 
records systems. Appendix I was previously published at 73 FR 33592 
(June 12, 2008), the text of which is available on the FTC's website at 
the above hyperlink and would be updated accordingly.

------------------------------------------------------------------------
                                                     Federal Register
             System number and name                   citations \1\
------------------------------------------------------------------------
FTC-I-1--Nonpublic Investigational and Other                 76 FR 60125
 Nonpublic Legal Program Records...............        75 FR 52749-52751
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-I-2--Disciplinary Action Investigatory           * 73 FR 33591-33634
 Files.........................................
FTC-I-3--Informal Advisory Opinion Request and       * 73 FR 33591-33634
 Response Files................................
FTC-I-4--Clearance Application and Response          * 73 FR 33591-33634
 Files.........................................
FTC-I-5--Matter Management System..............      * 82 FR 50872-50882
FTC-I-6--Public Records........................      * 73 FR 33591-33634
FTC-I-7--Office of Inspector General                 * 82 FR 50872-50882
 Investigative Files...........................
FTC-I-8--Stenographic Reporting Services                 80 FR 9460-9465
 Request System................................      * 73 FR 33591-33634
FTC-II-1--General Personnel Records............          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-2--Unofficial Personnel Records.........          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-3--Worker's Compensation................      * 82 FR 50872-50882
FTC-II-4--Employment Application-Related               * 80 FR 9460-9465
 Records.......................................        73 FR 33591-33634
FTC-II-5--Equal Employment Opportunity               * 82 FR 50872-50882
 Statistical Reporting System..................
FTC-II-6--Discrimination Complaint System......        75 FR 52749-52751
                                                       73 FR 33591-33634
FTC-II-7--Ethics Program Records...............          80 FR 9460-9465
                                                       75 FR 52749-52751
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-8--Employee Adverse Action and                    80 FR 9460-9465
 Disciplinary Records..........................      * 73 FR 33591-33634
FTC-II-9--Claimants Under Federal Tort Claims            80 FR 9460-9465
 Act and Military Personnel and Civilian               74 FR 17863-17866
 Employees' Claims Act.........................      * 73 FR 33591-33634
FTC-II-10--Employee Health Care Records........      * 82 FR 50872-50882
FTC-II-11--Personnel Security, Identity                  80 FR 9460-9465
 Management, and Access Control Records System.      * 73 FR 33591-33634
FTC-II-12--e-Train Learning Management System..          80 FR 9460-9465
                                                       75 FR 52749-52751
                                                       73 FR 33591-33634
FTC-II-13--Staff Time and Activity Reporting         * 73 FR 33591-33634
 (STAR) System.................................
FTC-III-1--Personnel Payroll System............          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-III-2--Travel Management System............      * 82 FR 50872-50882
FTC-III-3--Financial Management System.........          80 FR 9460-9465
                                                     * 73 FR 33591-33634
FTC-III-4--Automated Acquisitions System.......      * 73 FR 33591-33634
FTC-III-5--Employee Transportation Program           * 82 FR 50872-50882
 Records.......................................
FTC-IV-1--Consumer Information System..........          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-IV-2--Miscellaneous Office Correspondence        * 73 FR 33591-33634
 Tracking System Records.......................
FTC-IV-3--National Do Not Call Registry System.        74 FR 17863-17866
FTC-V-1--Freedom of Information Act Requests         * 73 FR 33591-33634
 and Appeals...................................
FTC-V-2--Privacy Act Requests and Appeals......      * 82 FR 50872-50882
FTC-VI-1--Mailing and Contact Lists............      * 73 FR 33591-33634
FTC-VII-1--Automated Library Management System.      * 73 FR 33591-33634
FTC-VII-2--Employee Locator (STAFFID) System...          80 FR 9460-9465
                                                     * 73 FR 33591-33634
FTC-VII-3--Computer Systems User Identification          80 FR 9460-9465
 and Access Records............................        74 FR 17863-17866
FTC-VII-4--Call Detail Records.................          80 FR 9460-9465
                                                       74 FR 17863-17866
FTC-VII-5--Property Management System..........      * 73 FR 33591-33634
FTC-VII-6--Document Management and Retrieval         * 73 FR 33591-33634
 System........................................
FTC-VII-7--Information Technology Service                80 FR 9460-9465
 Ticket System.................................
FTC-VII-8--Administrative Service Call System..      * 73 FR 33591-33634
------------------------------------------------------------------------
\1\ An asterisk (*) designates the last full Federal Register notice
  that includes all of the elements that are required to be in a System
  of Records Notice.

Appendices Applicable to all FTC Systems

------------------------------------------------------------------------
Appendix I--Authorized Disclosures and Routine         73 FR 33591-33634
 Uses Applicable to All FTC Privacy Act Systems
 of Records....................................
Appendix II--How To Make A Privacy Act Request.        73 FR 33591-33634
Appendix III--Locations of FTC Buildings and             80 FR 9460-9465
 Regional Offices..............................
------------------------------------------------------------------------

    The Privacy Act authorizes the agency to adopt routine uses that 
are consistent with the purpose for which information is collected. 5 
U.S.C. 552a(b)(3); see also 5 U.S.C. 552a(a)(7).
    On June 8, 2007, in response to a recommendation by The President's 
Identity Theft Task Force \2\ and using model language issued by the 
Department of Justice, the FTC published a new routine use that allowed 
for disclosure of records to appropriate persons and entities for 
purposes of response and remedial efforts in the event of a breach of 
data contained in the protected systems. 72 FR 31835. This routine use, 
currently included in Appendix I, Authorized Disclosures and Routine 
Uses Applicable to All FTC Privacy Act Systems of Records, states as 
follows:

    \2\ See The President's Identity Theft Task Force Report 
(September 2008) at https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf.
---------------------------------------------------------------------------

    (22) May be disclosed to appropriate agencies, entities, and 
persons when: (a) The FTC suspects or has confirmed that the 
security or confidentiality of information in the system of records 
has been compromised; (b) the FTC has determined that as a result of 
the suspected or confirmed compromise there is a risk of harm to 
economic or property interests, identity theft or fraud, or harm to 
the security or integrity of this system or other systems or 
programs (whether maintained by the FTC or another agency or entity) 
that rely upon the compromised information; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary 
to assist in connection with the FTC's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy 
such harm.

    Since 2007, OMB has determined that agencies needed authority to 
make disclosures that go beyond those contemplated by the original 
routine use. Thus, in January 2017, OMB issued M-17-12, directing 
the Senior Agency Official for Privacy (SAOP) of each agency to include 
the following routine use in each of the agency's SORNs to facilitate 
the agency's response to a breach of its own records:

    To appropriate agencies, entities, and persons when (1) [the 
agency] suspects or has confirmed that there has been a breach of 
the system of records, (2) [the agency] has determined that as a 
result of the suspected or confirmed breach there is a risk of harm 
to individuals, [the agency] (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, 
and persons is reasonably necessary to assist in connection with 
[the agency's] efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.\3\

    \3\ Hereafter, this is referred to as the ``first proposed 
routine use.''
---------------------------------------------------------------------------

In M-17-12, OMB also directed the SAOP to ensure that agencies are able 
to disclose records in their systems of records that may reasonably be 
needed by another agency in responding to a breach by incorporating the 
following additional routine use into each of the agency's SORNs:

    To another Federal agency or Federal entity, when [the agency] 
determines that information from this system of records is 
reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the 
recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.\4\

    \4\ Hereafter, this is referred to as the ``second proposed 
routine use.''
---------------------------------------------------------------------------

    Although the first proposed routine use required by M-17-12 is very 
similar to the language of the FTC's original routine use as finalized 
in 2007, OMB's 2017 version more specifically addresses harm to 
individuals and expands the concept to make clear that it is not 
limited to identity theft or financial/property damage.
    With regard to the second proposed routine use, breaches affecting 
Federal personnel data have shown the need for an additional routine 
use that expressly allows an agency to disclose information from a 
system of records (e.g., current contact information for the agency's 
employees or other individuals) to another Federal agency when 
reasonably needed by that agency to respond to a breach (e.g., 
providing notice to the affected individuals), to take any other steps 
to prevent, minimize, or remedy the risk of harm to affected 
individuals or that agency's information systems, programs, or 
operations, and, if necessary, to address the broader risk of harm, if 
any, to the Federal Government or national security that may arise from 
the breach. The FTC's existing routine use, while allowing disclosure 
to other agencies, does so in the limited context of a breach of the 
FTC's own system(s) of records.
    For the reasons stated above, the FTC believes that it is 
compatible with the collection of information pertaining to individuals 
affected by a breach to disclose Privacy Act records about them when, 
in doing so, it will help prevent, minimize or remedy a data breach or 
compromise that may affect such individuals. By contrast, the FTC 
believes that failure to take reasonable steps to help prevent, 
minimize or remedy the harm that may result from such a breach or 
compromise would jeopardize, rather than promote, the privacy of such 
individuals. Accordingly, the Commission concludes that it is 
authorized under the Privacy Act to adopt the proposed and updated 
routine uses permitting disclosure of Privacy Act records for the 
purposes described above.
    In accordance with the Privacy Act, see 5 U.S.C. 552a(e)(4) and 
(11), the FTC is publishing notice of these routine uses and giving the 
public a 30-day period to comment before adopting them as final. The 
FTC has provided advance notice of this proposed system notice 
amendment to OMB and the Congress, as required by the Act, 5 U.S.C. 
552a(r), and OMB Circular A-108 (2016). As set forth below, the 
Commission proposes that the new routine uses become effective on the 
date noted earlier, unless the Commission amends or revokes the routine 
uses on the basis of any comments received.
    Accordingly, the FTC hereby proposes to amend Appendix I of its 
Privacy Act system notices, as published at 73 FR 33591, by revising 
item number (22), adding new item number (23), and re-designating the 
former item number (23) as (24) (without any other change) at the end 
of the existing routine uses set forth in that Appendix:
* * * * *
    (22) To appropriate agencies, entities, and persons when (a) the 
FTC suspects or has confirmed that there has been a breach of the 
system of records, (b) the FTC has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the FTC (including its information systems, programs, and operations), 
the Federal Government, or national security; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the FTC's efforts to respond to the suspected 
or confirmed breach or to prevent, minimize, or remedy such harm.
    (23) To another Federal agency or Federal entity, when the FTC 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    (24) May be disclosed to FTC contractors, volunteers, interns or 
other authorized individuals who have a need for the record in order to 
perform their officially assigned or designated duties for or on behalf 
of the FTC.

History

    73 FR 33591-33634 (June 12, 2008).

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-09333 Filed 5-2-18; 8:45 am]
BILLING CODE 6750-01-P