Privacy Act Regulation; Exemption for Insider Threat Program Records, 32618-32619 [2019-14604]



[Federal Register Volume 84, Number 131 (Tuesday, July 9, 2019)]
[Rules and Regulations]
[Pages 32618-32619]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14604]


=======================================================================
-----------------------------------------------------------------------

PENSION BENEFIT GUARANTY CORPORATION

29 CFR Part 4902


Privacy Act Regulation; Exemption for Insider Threat Program 
Records

AGENCY: Pension Benefit Guaranty Corporation.

ACTION: Interim final rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: The Pension Benefit Guaranty Corporation is amending its 
Privacy Act regulation to exempt a system of records that supports a 
program of insider threat detection and data loss prevention.

DATES: 
    Effective date: This interim final rule is effective on July 9, 
2019.
    Comment date: Comments must be received on or before August 8, 2019 
to be assured of consideration.

ADDRESSES: Comments may be submitted by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the online instructions for submitting comments.
     Email: reg.comments@pbgc.gov.
     Mail or Hand Delivery: Regulatory Affairs Division, Office 
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K 
Street NW, Washington, DC 20005-4026.
    All submissions must include the agency's name (Pension Benefit 
Guaranty Corporation, or PBGC) and title for this rulemaking (Privacy 
Act Regulation; Exemption for Insider Threat Program Records). Comments 
received will be posted without change to PBGC's website, http://www.pbgc.gov, including any personal information provided. Copies of 
comments may also be obtained by writing to Disclosure Division, Office 
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K 
Street NW, Washington, DC 20005-4026, or calling 202-326-4040 during 
normal business hours. TTY users may call the Federal relay service 
toll-free at 800-877-8339 and ask to be connected to 202-326-4040.

FOR FURTHER INFORMATION CONTACT: Melissa Rifkin 
(rifkin.melissa@pbgc.gov), Attorney, Regulatory Affairs Division, 
Office of the General Counsel, Pension Benefit Guaranty Corporation, 
1200 K Street NW, Washington, DC 20005-4026; 202-326-4400, extension 
6563; Margaret Drake (drake.margaret@pbgc.gov), Chief Privacy Officer, 
Office of the General Counsel, 202-326-4400, extension 6435. (TTY users 
may call the Federal relay service toll-free at 800-877-8339 and ask to 
be connected to 202-326-4400, extension 6563.)

SUPPLEMENTARY INFORMATION:

Executive Summary

    This rule amends PBGC's regulation on Disclosure and Amendment of 
Records Pertaining to Individuals under the Privacy Act (29 CFR part 
4902) to exempt from disclosure information contained in a new system 
of records for PBGC's insider threat program. The exemption is needed 
because records in this system include investigatory material compiled 
for law enforcement purposes.
    Authority for this rule is provided by section 4002(b)(3) of the 
Employee Retirement Income Security Act of 1974 (ERISA) and 5 U.S.C. 
552a(k)(2).

Background

    The Pension Benefit Guaranty Corporation (PBGC) administers the 
pension plan insurance programs under title IV of the Employee 
Retirement Income Security Act of 1974 (ERISA). As a Federal agency, 
PBGC is subject to the Privacy Act of 1974, 5 U.S.C. 552a (Privacy 
Act), in its collection, maintenance, use, and dissemination of any 
personally identifiable information that it maintains in a ``system of 
records.'' A system of records is defined under the Privacy Act as ``a 
group of any records under the control of any agency from which 
information is retrieved by the name of the individual or by some 
identifying number, symbol, or other identifying particular assigned to 
the individual.'' \1\
---------------------------------------------------------------------------

    \1\ See 5 U.S.C. 552a(a)(5).
---------------------------------------------------------------------------

    PBGC is proposing to establish a new system of records, ``PBGC-26, 
PBGC Insider Threat and Data Loss Prevention--PBGC.'' This system of 
records is published in the ``Notice'' section of this issue of the 
Federal Register.
    Executive Order 13587, issued October 7, 2011, requires Federal 
agencies to establish an insider threat detection and prevention 
program to ensure the security of classified networks and the 
responsible sharing and safeguarding of classified information 
consistent with appropriate protections for privacy and civil 
liberties. While PBGC does not have any classified networks, it does 
maintain a significant amount of Controlled Unclassified Information 
(CUI) that, under law, it is required to safeguard from unauthorized 
access or disclosure. One method utilized by PBGC to ensure that only 
those with a need-to-know have access to CUI is a set of tools to 
minimize data loss, whether inadvertent or intentional. This system 
will collect and maintain Personally Identifiable Information (PII) in 
the course of scanning traffic leaving PBGC's network and blocking 
traffic that violates PBGC's policies to safeguard PII.
    This system covers ``PBGC insiders,'' who are individuals with 
access to PBGC resources, including facilities, information, equipment, 
networks, and systems. This includes Federal employees and contractors. 
Records from this system will be used on a need-to-know basis to manage 
insider threat matters; facilitate insider 
threat investigations and activities; identify threats to PBGC 
resources, including threats to PBGC's personnel, facilities, and 
information assets; track tips and referrals of potential insider 
threats to internal and external partners; meet other insider threat 
program requirements; and investigate/manage the unauthorized or 
attempted unauthorized disclosure of PII.

Exemption

    Under section 552a(k) of the Privacy Act, PBGC may promulgate 
regulations exempting information contained in certain systems of 
records from specified sections of the Privacy Act including the 
section mandating disclosure of information to an individual who has 
requested it. Among other systems, PBGC may exempt a system that is 
``investigatory material compiled for law enforcement purposes.'' \2\ 
Under this provision, PBGC has exempted, in Sec.  4209.11 of its 
Privacy Act regulation, records of the investigations conducted by its 
Inspector General and contained in a system of records entitled ``PBGC-
17, Office of Inspector General Investigative File System--PBGC.''
---------------------------------------------------------------------------

    \2\ See 5 U.S.C. 552a(k)(2).
---------------------------------------------------------------------------

    The PBGC-26, PBGC Insider Threat and Data Loss Prevention--PBGC 
system contains: (1) Records derived from PBGC security investigations, 
(2) summaries or reports containing information about potential insider 
threats or the data loss prevention program, (3) information related to 
investigative or analytical efforts by PBGC insider threat program 
personnel, (4) reports about potential insider threats obtained through 
the management and operation of the PBGC insider threat program, and 
(5) reports about potential insider threats obtained from other Federal 
Government sources. The records contained in this new system include 
investigative material of actual, potential, or alleged criminal, 
civil, or administrative violations and law enforcement actions. These 
records are within the material permitted to be exempted under section 
552a(k)(2) of the Privacy Act.
    PBGC is amending its Privacy Act regulation to add a new Sec.  
4902.12 that exempts PBGC-26, PBGC Insider Threat and Data Loss 
Prevention--PBGC, from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), 
(H), and (I) and (f). Exemption from these sections of the Privacy Act 
means that, with respect to records in the system, PBGC will not be 
required to: (1) Disclose records to an individual upon request, (2) 
keep an accounting of individuals who request records, (3) maintain 
only records as necessary to accomplish an agency purpose, or (4) 
publish notice of certain revisions of the system of records.

Compliance With Rulemaking Guidelines

    This is a rule of ``agency organization, procedure, or practice'' 
and is limited to ``agency organization, management, or personnel 
matters.'' The exemption from provisions of the Privacy Act provided by 
the interim final rule affects only PBGC insiders described above. 
Accordingly, this rule is exempt from notice and public comment 
requirements under 5 U.S.C. 553(b) and the requirements of Executive 
Order 12866 and Executive Order 13771.\3\ Because no general notice of 
proposed rulemaking is required, the Regulatory Flexibility Act does 
not apply to this rule. See 5 U.S.C. 601(2), 603, 604.
---------------------------------------------------------------------------

    \3\ See section 3(d)(3) of Executive Order 12866 and section 
4(b) of Executive Order 13771.
---------------------------------------------------------------------------

    PBGC finds good cause exists for making the amendments set forth in 
this interim final rule effective less than 30 days after publication 
because the amendments support PBGC's new system of records for insider 
threat detection and data loss prevention, which is effective July 9, 
2019.

List of Subjects in 29 CFR Part 4902

    Privacy.

    In consideration of the foregoing, PBGC is amending 29 CFR part 
4902 as follows:

PART 4902--DISCLOSURE AND AMENDMENT OF RECORDS PERTAINING TO 
INDIVIDUALS UNDER THE PRIVACY ACT

1. The authority citation for part 4902 is revised to read as follows:

    Authority: 5 U.S.C. 552a, 29 U.S.C. 1302(b)(3).


Sec.  4902.1   [Amended]

2. Amend Sec.  4902.1(d) by removing ``4902.11'' and adding in its 
place ``4902.12''.


Sec.  4902.12  [Redesignated as Sec.  4902.13]

3. Redesignate Sec.  4902.12 as Sec.  4902.13.

4. Add new Sec.  4902.12 to read as follows:


Sec.  4902.12   Specific exemptions: Insider Threat and Data Loss 
Prevention.

    (a) Other law enforcement--(1) Exemption. Under the authority 
granted by 5 U.S.C. 552a(k)(2), PBGC hereby exempts the system of 
records entitled ``PBGC-26, PBGC Insider Threat and Data Loss 
Prevention--PBGC'' from the provisions of 5 U.S.C. 552a(c)(3), (d), 
(e)(1), (e)(4)(G), (H), and (I) and (f).
    (2) Reasons for exemption. The reasons for asserting the exemption 
in this section are because the disclosure and other requirements of 
the Privacy Act could substantially compromise the efficacy and 
integrity of PBGC's ability to investigate insider threat activities 
and the improper exfiltration of personally identifiable information. 
Disclosure could invade the privacy of other individuals and disclose 
their identity when they were expressly promised confidentiality. 
Disclosure could interfere with the integrity of information which 
would otherwise be subject to privileges, see, e.g., 5 U.S.C. 
552(b)(5), and which could interfere with other important law 
enforcement concerns, see, e.g., 5 U.S.C. 552(b)(7).
    (b) [Reserved]

    Issued in Washington, DC.
Gordon Hartogensis,
Director, Pension Benefit Guaranty Corporation.
[FR Doc. 2019-14604 Filed 7-8-19; 8:45 am]
BILLING CODE 7709-02-P