Agency Information Collection Activities; Proposed Collection; Comment Request, 39096-39100 [2018-16936]

Download as PDF sradovich on DSK3GMQ082PROD with NOTICES 39096 Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices germane to the current public notice and comment process. We have referred M/M. Kerz’s comment to the FTC’s Consumer Response Center for entry into the Consumer Sentinel Network of complaints and related inquiries. The second commenter, Thomas Dickinson, also filed a comment that is non-germane to the current public notice and comment process. Mr. Dickinson asks the FTC to apply a ‘‘monitor’’ to individuals’ home phones that identifies violations of the Do-NotCall Rule and allows the FTC to take appropriate punitive actions. We have also referred Mr. Dickinson’s complaint to the FTC’s Consumer Response Center for entry into the Consumer Sentinel Network. The third commenter, Dave Root, commented that ‘‘due process and . . . [his] . . . privacy . . . [would] . . . be harmed by open access to sharing . . . [his] . . . personal info between all government agencies as outlined in this notice.’’ Mr. Root asked if there are ‘‘any safeguards against ‘political weaponization’ without any accountability, by any federal, state or local governmental agency having access to this information.’’ Mr. Root asked for ‘‘‘teeth’ in the rule for anyone . . . that purposefully uses this information incorrectly . . . [meaning] . . . seriously enforced jail time for anyone who fails to act in the investigation and prosecution process.’’ The revised routine use would not provide ‘‘open access’’ to ‘‘all government agencies’’ but would require that the FTC receive a request from another Federal agency or Federal entity that provides enough supporting information such that the FTC can determine that information from an FTC Privacy Act system or systems is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. The Privacy Act specifically provides civil remedies, 5 U.S.C. 552a(g), including damages, and criminal penalties, 5 U.S.C. 552a(i), for violations of the Act. In addition, an individual may be fined up to $5,000 for knowingly and willfully requesting or gaining access to a record about an individual under false pretenses. 5 U.S.C. 552a(i)(3). As stated in the Federal Register Notice dated May 3, 2018, the FTC VerDate Sep<11>2014 22:37 Aug 07, 2018 Jkt 244001 believes that the modified and bifurcated routine use on data breaches is compatible with the collection of information pertaining to individuals affected by a breach, and that the disclosure of such records will help prevent, minimize or remedy a data breach or compromise that may affect such individuals. By contrast, the FTC believes that failure to take reasonable steps to help prevent, minimize or remedy the harm that may result from such a breach or compromise would jeopardize, rather than promote, the privacy of such individuals. The FTC provided a public comment period and notice to OMB and Congress as required by the Privacy Act and implementing OMB guidelines.1 Accordingly, the FTC hereby amends Appendix I of its Privacy Act system notices, as published at 73 FR 33591, by revising item number (22), adding new item number (23), and re-designating the former item number (23) as (24) (without any other change) at the end of the existing routine uses set forth in that Appendix: * * * * * (22) To appropriate agencies, entities, and persons when (a) the FTC suspects or has confirmed that there has been a breach of the system of records; (b) the FTC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FTC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FTC’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. (23) To another Federal agency or Federal entity, when the FTC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. (24) May be disclosed to FTC contractors, volunteers, interns or other authorized individuals who have a need for the record in order to perform their officially assigned or designated duties for or on behalf of the FTC. 1 See U.S.C. 552a(e)(11) and 552a(r); OMB Circular A–108 (2016). PO 00000 Frm 00056 Fmt 4703 Sfmt 4703 HISTORY 73 FR 33591–33634 (June 12, 2008). By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 2018–16935 Filed 8–7–18; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION Agency Information Collection Activities; Proposed Collection; Comment Request Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’). ACTION: Notice. AGENCY: The FTC intends to ask the Office of Management and Budget (‘‘OMB’’) to extend for an additional three years the current Paperwork Reduction Act (‘‘PRA’’) clearance for the information collection requirements in the FTC Red Flags, Card Issuers, and Address Discrepancies Rules 1 (‘‘Rules’’). That clearance expires on November 30, 2018. DATES: Comments must be submitted by October 9, 2018. ADDRESSES: Interested parties may file a comment online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘Red Flags Rule, PRA Comment, Project No. P095406’’ on your comment. File your comment online at https://ftcpublic.commentworks.com/ ftc/RedFlagsPRA by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Requests for additional information should be addressed to Mark Eichorn, Assistant Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–3053, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. SUMMARY: 1 16 CFR 681.1 (Duties regarding the detection, prevention, and mitigation of identity theft); 16 CFR 681.2 (Duties of card issuers regarding changes of address); 16 CFR 641.1 (Duties of users of consumer reports regarding address discrepancies). E:\FR\FM\08AUN1.SGM 08AUN1 Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices SUPPLEMENTARY INFORMATION: I. Overview of the Rules The Red Flags Rule requires financial institutions and certain creditors to develop and implement written Identity Theft Prevention Programs (‘‘Program’’). The Card Issuers Rule requires credit and debit card issuers (‘‘card issuers’’) to assess the validity of notifications of address changes under certain circumstances. The Address Discrepancy Rule provides guidance on what users of consumer reports must do when they receive a notice of address discrepancy from a nationwide consumer reporting agency (‘‘CRA’’). Collectively, these three anti-identity theft provisions are intended to prevent impostors from misusing another person’s personal information for a fraudulent purpose. The Rules implement sections 114 and 315 of the FACT Act, Public Law 108–159, which amended the Fair Credit Reporting Act (‘‘FCRA’’), 15 U.S.C. 1681 et seq., to require businesses to undertake measures to prevent identity theft and increase the accuracy of consumer reports. Since promulgation of the original Rule, President Obama signed the Red Flag Program Clarification Act of 2010 (‘‘Clarification Act’’), which narrowed the definition of ‘‘creditor’’ for purposes of the Red Flags Rule. Specifically, the Clarification Act limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business: (1) Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or to make repayment from specific property pledged by or on behalf of the person. This third prong does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. II. Description of Collection of Information sradovich on DSK3GMQ082PROD with NOTICES A. FACT Act Section 114 The FTC Red Flags and Card Issuers Rules implement requirements under Section 114 of the FACT Act. The Red Flags Rule requires financial institutions and covered creditors to develop and implement a written Program to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Under the Rule, financial institutions and certain VerDate Sep<11>2014 22:37 Aug 07, 2018 Jkt 244001 creditors must conduct a periodic risk assessment to determine if they maintain ‘‘covered accounts.’’ The Rule defines the term ‘‘covered account’’ as either: (1) A consumer account that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk of identity theft. Each financial institution and covered creditor that has covered accounts must create a written Program that contains reasonable policies and procedures to identify relevant indicators of the possible existence of identity theft (‘‘red flags’’); detect red flags that have been incorporated into the Program; respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and update the Program periodically to ensure it reflects change in risks to customers. The Red Flags Rule also requires financial institutions and covered creditors to: (1) Obtain approval of the initial written Program by the board of directors; a committee thereof; or, if there is no board, an appropriate senior employee; (2) ensure oversight of the development, implementation, and administration of the Program; and (3) exercise appropriate and effective oversight of service provider arrangements. In addition, the Card Issuers Rule requires that card issuers generally must assess the validity of change of address notifications. Specifically, if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address. B. FACT Act Section 315 In implementing section 315 of the FACT Act, the Address Discrepancies Rule requires each user of consumer reports to have reasonable policies and procedures in place to employ when the user receives a notice of address discrepancy from a CRA. Specifically, each user must develop reasonable policies and procedures to: (1) Enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report; and (2) in certain circumstances, provide to the CRA from which it received the notice an address for the consumer that the user has reasonably confirmed is accurate. PO 00000 Frm 00057 Fmt 4703 Sfmt 4703 39097 II. Burden Estimates Under the PRA, 44 U.S.C. 3501–3521, Federal agencies must get OMB approval for each collection of information they conduct or sponsor. ‘‘Collection of information’’ includes agency requests or requirements to submit reports, keep records, or provide information to a third party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). The figures below reflect FTC staff’s estimates of the hours burden and labor costs to complete the tasks described above that fall within reporting, disclosure, or recordkeeping requirements. FTC staff believes that the Rules impose negligible capital or other non-labor costs, as the affected entities are likely to have the necessary supplies and/or equipment already (e.g. offices and computers) for the information collection described herein. Overall estimated burden hours regarding sections 114 and 315, combined, total 2,296,863 hours and the associated estimated labor costs are $92,465,982. A. FACT Act Section 114 1. Estimated Hours Burden—Red Flags Rule As noted above, the Rule requires financial institutions and certain creditors with covered accounts to develop and implement a written Program. Under the FCRA, financial institutions over which the FTC has jurisdiction include state chartered credit unions and certain insurance companies, among other entities. Although narrowed by the Clarification Act, the definition of ‘‘creditor’’ still covers a broad array of entities, and application of the Rule depends upon an entity’s course of conduct, not its status as a particular type of business. For these reasons, it is difficult to determine precisely the number of creditors subject to the FTC’s jurisdiction. There are numerous small businesses under the FTC’s jurisdiction that may qualify as ‘‘creditors,’’ and there is no formal way to track them. Nonetheless, FTC staff estimates that the Rule’s requirement to have a written Program affects 6,278 financial institutions 2 and 157,585 creditors.3 2 The total number of financial institutions is derived from an analysis of state credit unions and insurers within the FTC’s jurisdiction using 2015 Census data (‘‘County Business Patterns,’’ U.S.) and other online industry data. 3 The total number of creditors (157,585) is derived mostly from an analysis of 2015 Census data and industry data for businesses or organizations that market goods and services to consumers or other businesses or organizations subject to the FTC’s jurisdiction, reduced by (1) E:\FR\FM\08AUN1.SGM Continued 08AUN1 39098 Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices To estimate burden hours for the Red Flags Rule under section 114, FTC staff divided affected entities into two categories, based on the nature of their business: (1) Entities that are subject to high risk of identity theft, and (2) entities that are subject to a low risk of identity theft, but have covered accounts that will require them to have a written Program. a. High-Risk Entities b. Low-Risk Entities Entities that have a minimal risk of identity theft,5 but that have covered accounts, must develop a Program; however, they likely will only need a streamlined Program. FTC staff estimates that such entities will require one hour to create such a Program, with an annual recurring burden of five minutes. Training staff of low-risk entities to be attentive to future risks of identity theft should require no more than 10 minutes in an initial year, with an annual recurring burden of five minutes. FTC staff further estimates that these entities will require, initially, 10 minutes to prepare an annual report, with an annual recurring burden of five minutes. Thus, the estimated hours burden for low-risk entities is as follows: • 63,533 low risk entities that have covered account subject to the FTC’s jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60 + 5 + 5) minutes/3), plus average annual burden over 3-year clearance period for staff training ((10 + 5 + 5) minutes/3), plus average annual burden over 3-year clearance period for preparing annual report ((10 + 5 + 5) minutes/3], for a total of 39,179 hours. sradovich on DSK3GMQ082PROD with NOTICES FTC staff estimates that high-risk entities 4 will each require 25 hours to create and implement a written Program, with an annual recurring burden of one hour. FTC staff anticipates that these entities will incorporate into their Program policies and procedures that they likely already have in place. Further, FTC staff estimates that preparation for an annual report will require each high-risk entity four hours initially, with an annual recurring burden of one hour. Finally, FTC staff believes that many of the highrisk entities, as part of their usual and customary business practice, already take steps to minimize losses due to fraud, including conducting employee training. Accordingly, only relevant staff need be trained to implement the Program: for example, staff already trained as part of a covered entity’s antifraud prevention efforts do not need to be re-trained. FTC staff estimates that training connected with the implementation of a Program of a highrisk entity will require four hours, and annual training thereafter will require one hour. Thus, estimated hours for high-risk entities are as follows: • 94,052 high-risk entities subject to the FTC’s jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of a Program ((25 + 1 + 1) hours/3), plus average annual burden over 3-year clearance period for staff training ((4 + 1 + 1) hours/3), plus average annual burden over 3-year clearance period for preparing an annual report ((4 + 1 + 1) hours/3)], for a total of 1,222,676 hours. 2. Estimated Hours Burden—Card Issuers Rule As noted above, section 114 also requires financial institutions and covered creditors that issue credit or debit cards to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. • FTC staff estimates that the Rule affects as many as 16,742 6 card issuers within the FTC’s jurisdiction. FTC staff believes that most of these card issuers already have automated the process of notifying the cardholder or are using another means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, taking a conservative approach, FTC staff estimates that it will take each card entities not likely to obtain credit reports, report credit transactions, or advance loans; and (2) entities not likely to have covered accounts under the Rule. 4 High-risk entities include, for example, financial institutions within the FTC’s jurisdiction and utilities, motor vehicle dealerships, telecommunications firms, colleges and universities, and hospitals. 5 Low-risk entities include, for example, public warehouse and storage firms, nursing and residential care facilities, automotive equipment rental and leasing firms, office supplies and stationery stores, fuel dealers, and financial transaction processing firms. 6 Card issuers within the FTC’s jurisdiction include, for example, state credit unions, general retail merchandise stores, colleges and universities, and telecoms. VerDate Sep<11>2014 22:37 Aug 07, 2018 Jkt 244001 PO 00000 Frm 00058 Fmt 4703 Sfmt 4703 issuer 4 hours to develop and implement policy and procedures to assess the validity of a change of address request for a total burden of 66,968 hours. Thus, the total average annual estimated burden for Section 114 is 1,328,823 hours. 3. Estimated Cost Burden—Red Flags and Card Issuers Rules The FTC staff estimates labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with compliance with the Rule, as they entail varying compensation levels of management (e.g., administrative services, computer and information systems, training and development) and/or technical staff (e.g., computer support specialists, systems analysts, network and computer systems administrators) among companies of different sizes. FTC staff assumes that for all entities, professional technical personnel and/or management personnel will create and implement the Program, prepare the annual report, and train employees, at an hourly rate of $49.7 Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the Red Flags and Card Issuers Rules for Section 114 is $65,112,327 (1,328,823 hours × $49). B. FACT Act Section 315—The Address Discrepancy Rule As discussed above, the Rule’s implementation of Section 315 provides guidance on reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a CRA. Given the broad scope of users of consumer reports, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC’s jurisdiction. As noted above, there are numerous small businesses under the FTC’s jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so 7 This estimate is based on mean hourly wages found at http://www.bls.gov/news.release/ ocwage.t01.htm, ‘‘Occupational Employment and Wages Summary—May 2017,’’ U.S. Department of Labor, Table 1, released March 30, 2018 (‘‘National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2017’’) for the various managerial and technical staff support exemplified above (administrative service managers, computer & information systems managers, training & development managers, computer systems analysts, network & computer systems administrators, and computer support specialists). E:\FR\FM\08AUN1.SGM 08AUN1 Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the Rule’s implementation of section 315 affects approximately 1,967,161 users of consumer reports subject to the FTC’s jurisdiction.8 Commission staff estimates that approximately 10,000 of these users will receive notice of a discrepancy, in the course of their usual and customary business practices, and thereby have to furnish to CRAs an address confirmation.9 For section 315, as detailed below, FTC staff estimates that the average annual burden during the three-year period for which OMB clearance is sought will be 919,678 hours with an associated labor cost of $17,473,882. 1. Estimated Hours Burden Prior to enactment of the Address Discrepancy Rule, users of consumer reports could compare the address on a consumer report to the address provided by the consumer and discern for themselves any discrepancy. As a result, FTC staff believes that many users of consumer reports have developed methods of reconciling address discrepancies, and the following estimates represent the incremental amount of time users of consumer reports may require to develop and comply with the policies and procedures for when they receive a notice of address discrepancy. sradovich on DSK3GMQ082PROD with NOTICES a. Customer Verification Given the varied nature of the entities under the FTC’s jurisdiction, it is difficult to determine precisely the appropriate burden estimates. Nonetheless, FTC staff estimates that it would require an infrequent user of consumer reports no more than 16 minutes to develop and comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, while a frequent user might require one hour. Similarly, FTC staff estimates that, during the remaining two years of clearance, it may take an infrequent user no more than one minute to comply with the policies and procedures it will employ when it receives a notice of address discrepancy, while a frequent user might require 45 8 This estimate is derived from an analysis of Census databases of U.S. businesses based on NAICS codes for businesses in industries that typically use consumer reports from CRAs described in the Rule, which total 1,967,161 users of consumer reports subject to the FTC’s jurisdiction. 9 Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions of 2003, Federal Trade Commission, 80 (Dec. 2004) available at http://www.ftc.gov/reports/facta/ 041209factarpt.pdf. VerDate Sep<11>2014 22:37 Aug 07, 2018 Jkt 244001 minutes. Taking into account these extremes, FTC staff estimates that, during the first year, it will take users of consumer reports under the FTC’s jurisdiction an average of 38 minutes [the midrange between 16 minutes and 60 minutes] to develop and comply with the policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff also estimates that the average recurring burden for users of consumer reports to comply with the Rule will be 23 minutes [the midrange between one minute and 45 minutes]. Thus, for these 1,967,167 entities, the average annual burden for each of them to perform these collective tasks will be 28 minutes [(38 + 23 +23) ÷ 3]; cumulatively, 918,011 hours. b. Address Verification For the estimated 10,000 users of consumer reports that will additionally have to furnish to CRAs an address confirmation upon notice of a discrepancy, staff estimates that these entities will require, initially, 30 minutes to develop related policies and procedures. But, these 10,000 affected entities likely will have automated the process of furnishing the correct address in the first year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year, with no annual recurring burden in the second and third years of clearance, yields an average annual burden of 10 minutes per entity to furnish a correct address to a CRA, for a total of 1,667 hours. 2. Estimated Cost Burden FTC staff assumes that the policies and procedures for compliance with the address discrepancy part of the Rule will be set up by administrative support personnel at an hourly rate of $19.10 Based on the above estimates and assumptions, the total annual labor cost for the two categories of burden under section 315 is $17,473,882. C. Burden Totals for FACT Act Sections 114 and 315 Cumulatively, then, estimated burden is 2,246,834 hours (1,328,823 hours for section 114 and 918,011 hours for section 315) and $82,586,209 ($65,112,327 and $17,473,882) in associated labor costs. 10 This estimate—rounded to the nearest dollar— is based on mean hourly wages for all management occupations found within the ‘‘Bureau of Labor Statistics, Economic News Release,’’ March 30, 2018, Table 1, ‘‘National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2017.’’ http:// www.bls.gov/news.release/ocwage.t01.htm. PO 00000 Frm 00059 Fmt 4703 Sfmt 4703 39099 IV. Request for Comment Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites comments on: (1) Whether the disclosure requirements are necessary, including whether the information will be practically useful; (2) the accuracy of our burden estimates, including whether the methodology and assumptions used are useful; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of providing the required information to consumers. You can file a comment online or on paper. For the FTC to consider your comment, we must receive it on or before October 9, 2018. Write: ‘‘Red Flags Rule, PRA Comment, Project No. P095406’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission website, at http:// www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission website. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online, or to send them to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ RedFlagsPRA by following the instructions on the web-based form. When this Notice appears at http:// www.regulations.gov/#!home, you also may file a comment through that website. If you file your comment on paper, write ‘‘Red Flags Rule PRA, Project No. P095406’’ on your comment and on the envelope, and mail it to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC– 5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible FTC website at https://www.ftc.gov/, you are solely responsible for making sure that your E:\FR\FM\08AUN1.SGM 08AUN1 sradovich on DSK3GMQ082PROD with NOTICES 39100 Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before October 9, 2018. For information on the Commission’s privacy policy, including routine uses permitted by the VerDate Sep<11>2014 22:37 Aug 07, 2018 Jkt 244001 Privacy Act, see https://www.ftc.gov/ site-information/privacy-policy. Heather Hippsley, Acting Principal Deputy General Counsel. [FR Doc. 2018–16936 Filed 8–7–18; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention [30Day–18–1072] Agency Forms Undergoing Paperwork Reduction Act Review In accordance with the Paperwork Reduction Act of 1995, the Centers for Disease Control and Prevention (CDC) has submitted the information collection request titled Enhanced STD surveillance Network (SSuN) to the Office of Management and Budget (OMB) for review and approval. CDC previously published a ‘‘Proposed Data Collection Submitted for Public Comment and Recommendations’’ notice on March, 15, 2018 to obtain comments from the public and affected agencies. CDC received 37 comments related to the previous notice. This notice serves to allow an additional 30 days for public and affected agency comments. CDC will accept all comments for this proposed information collection project. The Office of Management and Budget is particularly interested in comments that: (a) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (b) Evaluate the accuracy of the agencies estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (c) Enhance the quality, utility, and clarity of the information to be collected; (d) Minimize the burden of the collection of information on those who are to respond, including, through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses; and (e) Assess information collection costs. To request additional information on the proposed project or to obtain a copy PO 00000 Frm 00060 Fmt 4703 Sfmt 4703 of the information collection plan and instruments, call (404) 639–7570 or send an email to omb@cdc.gov. Direct written comments and/or suggestions regarding the items contained in this notice to the Attention: CDC Desk Officer, Office of Management and Budget, 725 17th Street NW, Washington, DC 20503 or by fax to (202) 395–5806. Provide written comments within 30 days of notice publication. Proposed Project Enhanced STD surveillance Network (SSuN)—Reinstatement with Change— Division of STD Prevention (DSTDP), National Center for HIV/AIDS, Viral Hepatitis, STD, and TB prevention (NCHHSTP), Centers for Disease Control and Prevention (CDC). Background and Brief Description The Enhanced STD surveillance network project was created to provide enhanced behavioral, demographic, and clinical information on gonorrhea cases reported to state and local health departments, to provide information on patients presenting for care in STD clinical settings, and to provide an infrastructure for identifying emerging sequelae of STDs. Enhanced SSuN continues to be a collaboration between different branches of the CDC Division of STD Prevention and selected state/local public health departments and their associated STD specialty care clinics in the US. Data from enhanced SSuN data is used to (1) provide a dataset of supplemental information on gonorrhea case reports; (2) provide geographic information on case reports of STDs of interest for investigating social determinants of STDs, (3) monitor STD screening, incidence, prevalence, epidemiologic and health care access trends in populations of interest, (4) monitor STD treatment and prevention service practices, and (5) monitor selected adverse health outcomes of STDs, including neuro/ocular syphilis, This project will continue to utilize two distinct surveillance strategies to collect information. The first strategy employs facility-based sentinel surveillance, which will abstract routine standardized data from existing electronic medical records for all patient visits to participating STD clinics during the project period. For the facility-based component of enhanced SSuN, participating sites have developed common protocols stipulating data elements to be collected, including patient demographics, clinical, risk and sexual behaviors. The specified data elements are abstracted by clinic staff from E:\FR\FM\08AUN1.SGM 08AUN1

Agencies

[Federal Register Volume 83, Number 153 (Wednesday, August 8, 2018)]
[Notices]
[Pages 39096-39100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-16936]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Proposed Collection; 
Comment Request

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The FTC intends to ask the Office of Management and Budget 
(``OMB'') to extend for an additional three years the current Paperwork 
Reduction Act (``PRA'') clearance for the information collection 
requirements in the FTC Red Flags, Card Issuers, and Address 
Discrepancies Rules \1\ (``Rules''). That clearance expires on November 
30, 2018.
---------------------------------------------------------------------------

    \1\ 16 CFR 681.1 (Duties regarding the detection, prevention, 
and mitigation of identity theft); 16 CFR 681.2 (Duties of card 
issuers regarding changes of address); 16 CFR 641.1 (Duties of users 
of consumer reports regarding address discrepancies).

---------------------------------------------------------------------------
DATES: Comments must be submitted by October 9, 2018.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Red Flags Rule, PRA 
Comment, Project No. P095406'' on your comment. File your comment 
online at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, 
Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
should be addressed to Mark Eichorn, Assistant Director, Division of 
Privacy and Identity Protection, Bureau of Consumer Protection, (202) 
326-3053, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

[[Page 39097]]


SUPPLEMENTARY INFORMATION: 

I. Overview of the Rules

    The Red Flags Rule requires financial institutions and certain 
creditors to develop and implement written Identity Theft Prevention 
Programs (``Program''). The Card Issuers Rule requires credit and debit 
card issuers (``card issuers'') to assess the validity of notifications 
of address changes under certain circumstances. The Address Discrepancy 
Rule provides guidance on what users of consumer reports must do when 
they receive a notice of address discrepancy from a nationwide consumer 
reporting agency (``CRA''). Collectively, these three anti-identity 
theft provisions are intended to prevent impostors from misusing 
another person's personal information for a fraudulent purpose.
    The Rules implement sections 114 and 315 of the FACT Act, Public 
Law 108-159, which amended the Fair Credit Reporting Act (``FCRA''), 15 
U.S.C. 1681 et seq., to require businesses to undertake measures to 
prevent identity theft and increase the accuracy of consumer reports.
    Since promulgation of the original Rule, President Obama signed the 
Red Flag Program Clarification Act of 2010 (``Clarification Act''), 
which narrowed the definition of ``creditor'' for purposes of the Red 
Flags Rule. Specifically, the Clarification Act limits application of 
the Red Flags Rule to creditors that regularly and in the ordinary 
course of business: (1) Obtain or use consumer reports, directly or 
indirectly, in connection with a credit transaction; (2) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (3) advance funds to or on behalf of a person, based on 
an obligation of the person to repay the funds or to make repayment 
from specific property pledged by or on behalf of the person. This 
third prong does not include a creditor that advances funds on behalf 
of a person for expenses incidental to a service provided by the 
creditor to that person.

II. Description of Collection of Information

A. FACT Act Section 114

    The FTC Red Flags and Card Issuers Rules implement requirements 
under Section 114 of the FACT Act. The Red Flags Rule requires 
financial institutions and covered creditors to develop and implement a 
written Program to detect, prevent, and mitigate identity theft in 
connection with existing accounts or the opening of new accounts. Under 
the Rule, financial institutions and certain creditors must conduct a 
periodic risk assessment to determine if they maintain ``covered 
accounts.'' The Rule defines the term ``covered account'' as either: 
(1) A consumer account that is designed to permit multiple payments or 
transactions, or (2) any other account for which there is a reasonably 
foreseeable risk of identity theft. Each financial institution and 
covered creditor that has covered accounts must create a written 
Program that contains reasonable policies and procedures to identify 
relevant indicators of the possible existence of identity theft (``red 
flags''); detect red flags that have been incorporated into the 
Program; respond appropriately to any red flags that are detected to 
prevent and mitigate identity theft; and update the Program 
periodically to ensure it reflects change in risks to customers.
    The Red Flags Rule also requires financial institutions and covered 
creditors to: (1) Obtain approval of the initial written Program by the 
board of directors; a committee thereof; or, if there is no board, an 
appropriate senior employee; (2) ensure oversight of the development, 
implementation, and administration of the Program; and (3) exercise 
appropriate and effective oversight of service provider arrangements.
    In addition, the Card Issuers Rule requires that card issuers 
generally must assess the validity of change of address notifications. 
Specifically, if the card issuer receives a notice of change of address 
for an existing account and, within a short period of time (during at 
least the first 30 days), receives a request for an additional or 
replacement card for the same account, the issuer must follow 
reasonable policies and procedures to assess the validity of the change 
of address.

B. FACT Act Section 315

    In implementing section 315 of the FACT Act, the Address 
Discrepancies Rule requires each user of consumer reports to have 
reasonable policies and procedures in place to employ when the user 
receives a notice of address discrepancy from a CRA. Specifically, each 
user must develop reasonable policies and procedures to: (1) Enable the 
user to form a reasonable belief that a consumer report relates to the 
consumer about whom it has requested the report; and (2) in certain 
circumstances, provide to the CRA from which it received the notice an 
address for the consumer that the user has reasonably confirmed is 
accurate.

II. Burden Estimates

    Under the PRA, 44 U.S.C. 3501-3521, Federal agencies must get OMB 
approval for each collection of information they conduct or sponsor. 
``Collection of information'' includes agency requests or requirements 
to submit reports, keep records, or provide information to a third 
party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). The figures below reflect 
FTC staff's estimates of the hours burden and labor costs to complete 
the tasks described above that fall within reporting, disclosure, or 
recordkeeping requirements. FTC staff believes that the Rules impose 
negligible capital or other non-labor costs, as the affected entities 
are likely to have the necessary supplies and/or equipment already 
(e.g. offices and computers) for the information collection described 
herein.
    Overall estimated burden hours regarding sections 114 and 315, 
combined, total 2,296,863 hours and the associated estimated labor 
costs are $92,465,982.

A. FACT Act Section 114

1. Estimated Hours Burden--Red Flags Rule
    As noted above, the Rule requires financial institutions and 
certain creditors with covered accounts to develop and implement a 
written Program. Under the FCRA, financial institutions over which the 
FTC has jurisdiction include state chartered credit unions and certain 
insurance companies, among other entities.
    Although narrowed by the Clarification Act, the definition of 
``creditor'' still covers a broad array of entities, and application of 
the Rule depends upon an entity's course of conduct, not its status as 
a particular type of business. For these reasons, it is difficult to 
determine precisely the number of creditors subject to the FTC's 
jurisdiction. There are numerous small businesses under the FTC's 
jurisdiction that may qualify as ``creditors,'' and there is no formal 
way to track them. Nonetheless, FTC staff estimates that the Rule's 
requirement to have a written Program affects 6,278 financial 
institutions \2\ and 157,585 creditors.\3\
---------------------------------------------------------------------------

    \2\ The total number of financial institutions is derived from 
an analysis of state credit unions and insurers within the FTC's 
jurisdiction using 2015 Census data (``County Business Patterns,'' 
U.S.) and other online industry data.
    \3\ The total number of creditors (157,585) is derived mostly 
from an analysis of 2015 Census data and industry data for 
businesses or organizations that market goods and services to 
consumers or other businesses or organizations subject to the FTC's 
jurisdiction, reduced by (1) entities not likely to obtain credit 
reports, report credit transactions, or advance loans; and (2) 
entities not likely to have covered accounts under the Rule.

---------------------------------------------------------------------------

[[Page 39098]]

    To estimate burden hours for the Red Flags Rule under section 114, 
FTC staff divided affected entities into two categories, based on the 
nature of their business: (1) Entities that are subject to high risk of 
identity theft, and (2) entities that are subject to a low risk of 
identity theft, but have covered accounts that will require them to 
have a written Program.
a. High-Risk Entities
    FTC staff estimates that high-risk entities \4\ will each require 
25 hours to create and implement a written Program, with an annual 
recurring burden of one hour. FTC staff anticipates that these entities 
will incorporate into their Program policies and procedures that they 
likely already have in place. Further, FTC staff estimates that 
preparation for an annual report will require each high-risk entity 
four hours initially, with an annual recurring burden of one hour. 
Finally, FTC staff believes that many of the high-risk entities, as 
part of their usual and customary business practice, already take steps 
to minimize losses due to fraud, including conducting employee 
training. Accordingly, only relevant staff need be trained to implement 
the Program: for example, staff already trained as part of a covered 
entity's anti-fraud prevention efforts do not need to be re-trained. 
FTC staff estimates that training connected with the implementation of 
a Program of a high-risk entity will require four hours, and annual 
training thereafter will require one hour.
---------------------------------------------------------------------------

    \4\ High-risk entities include, for example, financial 
institutions within the FTC's jurisdiction and utilities, motor 
vehicle dealerships, telecommunications firms, colleges and 
universities, and hospitals.
---------------------------------------------------------------------------

    Thus, estimated hours for high-risk entities are as follows:
     94,052 high-risk entities subject to the FTC's 
jurisdiction at an average annual burden of 13 hours per entity 
[average annual burden over 3-year clearance period for creation and 
implementation of a Program ((25 + 1 + 1) hours/3), plus average annual 
burden over 3-year clearance period for staff training ((4 + 1 + 1) 
hours/3), plus average annual burden over 3-year clearance period for 
preparing an annual report ((4 + 1 + 1) hours/3)], for a total of 
1,222,676 hours.
b. Low-Risk Entities
    Entities that have a minimal risk of identity theft,\5\ but that 
have covered accounts, must develop a Program; however, they likely 
will only need a streamlined Program. FTC staff estimates that such 
entities will require one hour to create such a Program, with an annual 
recurring burden of five minutes. Training staff of low-risk entities 
to be attentive to future risks of identity theft should require no 
more than 10 minutes in an initial year, with an annual recurring 
burden of five minutes. FTC staff further estimates that these entities 
will require, initially, 10 minutes to prepare an annual report, with 
an annual recurring burden of five minutes.
---------------------------------------------------------------------------

    \5\ Low-risk entities include, for example, public warehouse and 
storage firms, nursing and residential care facilities, automotive 
equipment rental and leasing firms, office supplies and stationery 
stores, fuel dealers, and financial transaction processing firms.
---------------------------------------------------------------------------

    Thus, the estimated hours burden for low-risk entities is as 
follows:
     63,533 low risk entities that have covered account subject 
to the FTC's jurisdiction at an average annual burden of approximately 
37 minutes per entity [average annual burden over 3-year clearance 
period for creation and implementation of streamlined Program ((60 + 5 
+ 5) minutes/3), plus average annual burden over 3-year clearance 
period for staff training ((10 + 5 + 5) minutes/3), plus average annual 
burden over 3-year clearance period for preparing annual report ((10 + 
5 + 5) minutes/3], for a total of 39,179 hours.
2. Estimated Hours Burden--Card Issuers Rule
    As noted above, section 114 also requires financial institutions 
and covered creditors that issue credit or debit cards to establish 
policies and procedures to assess the validity of a change of address 
request, including notifying the cardholder or using another means of 
assessing the validity of the change of address.
     FTC staff estimates that the Rule affects as many as 
16,742 \6\ card issuers within the FTC's jurisdiction. FTC staff 
believes that most of these card issuers already have automated the 
process of notifying the cardholder or are using another means to 
assess the validity of the change of address, such that implementation 
will pose no further burden. Nevertheless, taking a conservative 
approach, FTC staff estimates that it will take each card issuer 4 
hours to develop and implement policy and procedures to assess the 
validity of a change of address request for a total burden of 66,968 
hours.
---------------------------------------------------------------------------

    \6\ Card issuers within the FTC's jurisdiction include, for 
example, state credit unions, general retail merchandise stores, 
colleges and universities, and telecoms.
---------------------------------------------------------------------------

    Thus, the total average annual estimated burden for Section 114 is 
1,328,823 hours.
3. Estimated Cost Burden--Red Flags and Card Issuers Rules
    The FTC staff estimates labor costs by applying appropriate 
estimated hourly cost figures to the burden hours described above. It 
is difficult to calculate with precision the labor costs associated 
with compliance with the Rule, as they entail varying compensation 
levels of management (e.g., administrative services, computer and 
information systems, training and development) and/or technical staff 
(e.g., computer support specialists, systems analysts, network and 
computer systems administrators) among companies of different sizes. 
FTC staff assumes that for all entities, professional technical 
personnel and/or management personnel will create and implement the 
Program, prepare the annual report, and train employees, at an hourly 
rate of $49.\7\
---------------------------------------------------------------------------

    \7\ This estimate is based on mean hourly wages found at http://www.bls.gov/news.release/ocwage.t01.htm, ``Occupational Employment 
and Wages Summary--May 2017,'' U.S. Department of Labor, Table 1, 
released March 30, 2018 (``National employment and wage data from 
the Occupational Employment Statistics survey by occupation, May 
2017'') for the various managerial and technical staff support 
exemplified above (administrative service managers, computer & 
information systems managers, training & development managers, 
computer systems analysts, network & computer systems 
administrators, and computer support specialists).
---------------------------------------------------------------------------

    Based on the above estimates and assumptions, the total annual 
labor costs for all categories of covered entities under the Red Flags 
and Card Issuers Rules for Section 114 is $65,112,327 (1,328,823 hours 
x $49).

B. FACT Act Section 315--The Address Discrepancy Rule

    As discussed above, the Rule's implementation of Section 315 
provides guidance on reasonable policies and procedures that a user of 
consumer reports must employ when a user receives a notice of address 
discrepancy from a CRA. Given the broad scope of users of consumer 
reports, it is difficult to determine with precision the number of 
users of consumer reports that are subject to the FTC's jurisdiction. 
As noted above, there are numerous small businesses under the FTC's 
jurisdiction, and there is no formal way to track them; moreover, as a 
whole, the entities under the FTC's jurisdiction are so

[[Page 39099]]

varied that there are no general sources that provide a record of their 
existence. Nonetheless, FTC staff estimates that the Rule's 
implementation of section 315 affects approximately 1,967,161 users of 
consumer reports subject to the FTC's jurisdiction.\8\ Commission staff 
estimates that approximately 10,000 of these users will receive notice 
of a discrepancy, in the course of their usual and customary business 
practices, and thereby have to furnish to CRAs an address 
confirmation.\9\
---------------------------------------------------------------------------

    \8\ This estimate is derived from an analysis of Census 
databases of U.S. businesses based on NAICS codes for businesses in 
industries that typically use consumer reports from CRAs described 
in the Rule, which total 1,967,161 users of consumer reports subject 
to the FTC's jurisdiction.
    \9\ Report to Congress Under Sections 318 and 319 of the Fair 
and Accurate Credit Transactions of 2003, Federal Trade Commission, 
80 (Dec. 2004) available at http://www.ftc.gov/reports/facta/041209factarpt.pdf.
---------------------------------------------------------------------------

    For section 315, as detailed below, FTC staff estimates that the 
average annual burden during the three-year period for which OMB 
clearance is sought will be 919,678 hours with an associated labor cost 
of $17,473,882.
1. Estimated Hours Burden
    Prior to enactment of the Address Discrepancy Rule, users of 
consumer reports could compare the address on a consumer report to the 
address provided by the consumer and discern for themselves any 
discrepancy. As a result, FTC staff believes that many users of 
consumer reports have developed methods of reconciling address 
discrepancies, and the following estimates represent the incremental 
amount of time users of consumer reports may require to develop and 
comply with the policies and procedures for when they receive a notice 
of address discrepancy.
a. Customer Verification
    Given the varied nature of the entities under the FTC's 
jurisdiction, it is difficult to determine precisely the appropriate 
burden estimates. Nonetheless, FTC staff estimates that it would 
require an infrequent user of consumer reports no more than 16 minutes 
to develop and comply with the policies and procedures that it will 
employ when it receives a notice of address discrepancy, while a 
frequent user might require one hour. Similarly, FTC staff estimates 
that, during the remaining two years of clearance, it may take an 
infrequent user no more than one minute to comply with the policies and 
procedures it will employ when it receives a notice of address 
discrepancy, while a frequent user might require 45 minutes. Taking 
into account these extremes, FTC staff estimates that, during the first 
year, it will take users of consumer reports under the FTC's 
jurisdiction an average of 38 minutes [the midrange between 16 minutes 
and 60 minutes] to develop and comply with the policies and procedures 
that they will employ when they receive a notice of address 
discrepancy. FTC staff also estimates that the average recurring burden 
for users of consumer reports to comply with the Rule will be 23 
minutes [the midrange between one minute and 45 minutes].
    Thus, for these 1,967,167 entities, the average annual burden for 
each of them to perform these collective tasks will be 28 minutes [(38 
+ 23 +23) / 3]; cumulatively, 918,011 hours.
b. Address Verification
    For the estimated 10,000 users of consumer reports that will 
additionally have to furnish to CRAs an address confirmation upon 
notice of a discrepancy, staff estimates that these entities will 
require, initially, 30 minutes to develop related policies and 
procedures. But, these 10,000 affected entities likely will have 
automated the process of furnishing the correct address in the first 
year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes 
in the first year, with no annual recurring burden in the second and 
third years of clearance, yields an average annual burden of 10 minutes 
per entity to furnish a correct address to a CRA, for a total of 1,667 
hours.
2. Estimated Cost Burden
    FTC staff assumes that the policies and procedures for compliance 
with the address discrepancy part of the Rule will be set up by 
administrative support personnel at an hourly rate of $19.\10\ Based on 
the above estimates and assumptions, the total annual labor cost for 
the two categories of burden under section 315 is $17,473,882.
---------------------------------------------------------------------------

    \10\ This estimate--rounded to the nearest dollar--is based on 
mean hourly wages for all management occupations found within the 
``Bureau of Labor Statistics, Economic News Release,'' March 30, 
2018, Table 1, ``National employment and wage data from the 
Occupational Employment Statistics survey by occupation, May 2017.'' 
http://www.bls.gov/news.release/ocwage.t01.htm.
---------------------------------------------------------------------------

C. Burden Totals for FACT Act Sections 114 and 315

    Cumulatively, then, estimated burden is 2,246,834 hours (1,328,823 
hours for section 114 and 918,011 hours for section 315) and 
$82,586,209 ($65,112,327 and $17,473,882) in associated labor costs.

IV. Request for Comment

    Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites 
comments on: (1) Whether the disclosure requirements are necessary, 
including whether the information will be practically useful; (2) the 
accuracy of our burden estimates, including whether the methodology and 
assumptions used are useful; (3) ways to enhance the quality, utility, 
and clarity of the information to be collected; and (4) ways to 
minimize the burden of providing the required information to consumers.
    You can file a comment online or on paper. For the FTC to consider 
your comment, we must receive it on or before October 9, 2018. Write: 
``Red Flags Rule, PRA Comment, Project No. P095406'' on your comment. 
Your comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the public Commission website, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to 
remove individuals' home contact information from comments before 
placing them on the Commission website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online, or to send them to the Commission by courier or 
overnight service. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by following the instructions on the web-based form. 
When this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that website.
    If you file your comment on paper, write ``Red Flags Rule PRA, 
Project No. P095406'' on your comment and on the envelope, and mail it 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
website at https://www.ftc.gov/, you are solely responsible for making 
sure that your

[[Page 39100]]

comment does not include any sensitive or confidential information. In 
particular, your comment should not include any sensitive personal 
information, such as your or anyone else's Social Security number; date 
of birth; driver's license number or other state identification number, 
or foreign country equivalent; passport number; financial account 
number; or credit or debit card number. You are also solely responsible 
for making sure that your comment does not include any sensitive health 
information, such as medical records or other individually identifiable 
health information. In addition, your comment should not include any 
``trade secret or any commercial or financial information which . . . 
is privileged or confidential''--as provided by Section 6(f) of the FTC 
Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--
including in particular competitively sensitive information such as 
costs, sales statistics, inventories, formulas, patterns, devices, 
manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC website--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC website, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before October 9, 
2018. For information on the Commission's privacy policy, including 
routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Heather Hippsley,
Acting Principal Deputy General Counsel.
[FR Doc. 2018-16936 Filed 8-7-18; 8:45 am]
 BILLING CODE 6750-01-P