Privacy Act Regulation; Exemption for Insider Threat Program Records, 32618-32619 [2019-14604]
Download as PDF
32618
Federal Register / Vol. 84, No. 131 / Tuesday, July 9, 2019 / Rules and Regulations
submit to RUS three copies of each
contract amendment (at least one copy
of which must be an original signed in
ink) which is subject to RUS approval
under § 1726.24(b). Each contract
amendment submittal to RUS must be
accompanied by a bond extension,
where necessary.
(e) * * *
(4) * * *
(iii) * * *
(E) * * *
(1) The amendment was approved in
accordance with the policy of the board
of directors;
*
*
*
*
*
PENSION BENEFIT GUARANTY
CORPORATION
The Pension Benefit Guaranty
Corporation is amending its Privacy Act
regulation to exempt a system of records
that supports a program of insider threat
detection and data loss prevention.
DATES:
Effective date: This interim final rule
is effective on July 9, 2019.
Comment date: Comments must be
received on or before August 8, 2019 to
be assured of consideration.
ADDRESSES: Comments may be
submitted by any of the following
methods:
• Federal eRulemaking Portal: https://
www.regulations.gov. Follow the online
instructions for submitting comments.
• Email: reg.comments@pbgc.gov.
• Mail or Hand Delivery: Regulatory
Affairs Division, Office of the General
Counsel, Pension Benefit Guaranty
Corporation, 1200 K Street NW,
Washington, DC 20005–4026.
All submissions must include the
agency’s name (Pension Benefit
Guaranty Corporation, or PBGC) and
title for this rulemaking (Privacy Act
Regulation; Exemption for Insider
Threat Program Records). Comments
received will be posted without change
to PBGC’s website, https://
www.pbgc.gov, including any personal
information provided. Copies of
comments may also be obtained by
writing to Disclosure Division, Office of
the General Counsel, Pension Benefit
Guaranty Corporation, 1200 K Street
NW, Washington, DC 20005–4026, or
calling 202–326–4040 during normal
business hours. TTY users may call the
Federal relay service toll-free at 800–
877–8339 and ask to be connected to
202–326–4040.
FOR FURTHER INFORMATION CONTACT:
Melissa Rifkin (rifkin.melissa@
pbgc.gov), Attorney, Regulatory Affairs
Division, Office of the General Counsel,
Pension Benefit Guaranty Corporation,
1200 K Street NW, Washington, DC
20005–4026; 202–326–4400, extension
6563; Margaret Drake (drake.margaret@
pbgc.gov), Chief Privacy Officer, Office
of the General Counsel, 202–326–4400,
extension 6435. (TTY users may call the
Federal relay service toll-free at 800–
877–8339 and ask to be connected to
202–326–4400, extension 6563.)
SUPPLEMENTARY INFORMATION:
29 CFR Part 4902
Executive Summary
Subpart J—Contract Closeout
49. Amend § 1726.403 by revising
paragraph (d)(2)(ii) to read as follows:
■
§ 1726.403
closeout.
Project construction contract
*
*
*
*
*
(d) * * *
(2) * * *
(ii) The certification in paragraph
(d)(2)(i) of this section is to be executed
for the contractor by: The sole owner, a
partner, or an officer of the corporation.
PART 1730—ELECTRIC SYSTEM
OPERATIONS AND MAINTENANCE
50. The authority citation for part
1730 continues to read as follows:
■
Authority: 7 U.S.C. 901 et seq., 1921 et
seq., 6941 et seq.
51. Amend appendix A to subpart B
of part 1730 by revising item 15 in
PART IV—Operations and Maintenance
Budgets to read as follows:
■
Appendix A to Subpart B to Part 1730—
Review Rating Summary, RUS Form
300
*
*
*
*
*
15. Date Budget Discussed with Board
of Directors llll
*
*
*
*
*
Chad Rupe,
Administrator, Rural Utilities Service.
[FR Doc. 2019–14511 Filed 7–8–19; 8:45 am]
khammond on DSKBBV9HB2PROD with RULES
BILLING CODE 3410–15–P
Privacy Act Regulation; Exemption for
Insider Threat Program Records
Pension Benefit Guaranty
Corporation.
ACTION: Interim final rule; request for
comments.
AGENCY:
VerDate Sep<11>2014
16:30 Jul 08, 2019
Jkt 247001
SUMMARY:
This rule amends PBGC’s regulation
on Disclosure and Amendment of
Records Pertaining to Individuals under
the Privacy Act (29 CFR part 4902) to
exempt from disclosure information
contained in a new system of records for
PBGC’s insider threat program. The
exemption is needed because records in
PO 00000
Frm 00012
Fmt 4700
Sfmt 4700
this system include investigatory
material compiled for law enforcement
purposes.
Authority for this rule is provided by
section 4002(b)(3) of the Employee
Retirement Income Security Act of 1974
(ERISA) and 5 U.S.C. 552a(k)(2).
Background
The Pension Benefit Guaranty
Corporation (PBGC) administers the
pension plan insurance programs under
title IV of the Employee Retirement
Income Security Act of 1974 (ERISA).
As a Federal agency, PBGC is subject to
the Privacy Act of 1974, 5 U.S.C. 552a
(Privacy Act), in its collection,
maintenance, use, and dissemination of
any personally identifiable information
that it maintains in a ‘‘system of
records.’’ A system of records is defined
under the Privacy Act as ‘‘a group of any
records under the control of any agency
from which information is retrieved by
the name of the individual or by some
identifying number, symbol, or other
identifying particular assigned to the
individual.’’ 1
PBGC is proposing to establish a new
system of records, ‘‘PBGC–26, PBGC
Insider Threat and Data Loss
Prevention—PBGC.’’ This system of
records is published in the ‘‘Notice’’
section of this issue of the Federal
Register.
Executive Order 13587, issued
October 7, 2011, requires Federal
agencies to establish an insider threat
detection and prevention program to
ensure the security of classified
networks and the responsible sharing
and safeguarding of classified
information consistent with appropriate
protections for privacy and civil
liberties. While PBGC does not have any
classified networks, it does maintain a
significant amount of Controlled
Unclassified Information (CUI) that,
under law, it is required to safeguard
from unauthorized access or disclosure.
One method utilized by PBGC to ensure
that only those with a need-to-know
have access to CUI is a set of tools to
minimize data loss, whether inadvertent
or intentional. This system will collect
and maintain Personally Identifiable
Information (PII) in the course of
scanning traffic leaving PBGC’s network
and blocking traffic that violates PBGC’s
policies to safeguard PII.
This system covers ‘‘PBGC insiders,’’
who are individuals with access to
PBGC resources, including facilities,
information, equipment, networks, and
systems. This includes Federal
employees and contractors. Records
from this system will be used on a need1 See
E:\FR\FM\09JYR1.SGM
5 U.S.C. 552a(a)(5).
09JYR1
Federal Register / Vol. 84, No. 131 / Tuesday, July 9, 2019 / Rules and Regulations
khammond on DSKBBV9HB2PROD with RULES
to-know basis to manage insider threat
matters; facilitate insider threat
investigations and activities; identify
threats to PBGC resources, including
threats to PBGC’s personnel, facilities,
and information assets; track tips and
referrals of potential insider threats to
internal and external partners; meet
other insider threat program
requirements; and investigate/manage
the unauthorized or attempted
unauthorized disclosure of PII.
Exemption
Under section 552a(k) of the Privacy
Act, PBGC may promulgate regulations
exempting information contained in
certain systems of records from
specified sections of the Privacy Act
including the section mandating
disclosure of information to an
individual who has requested it. Among
other systems, PBGC may exempt a
system that is ‘‘investigatory material
compiled for law enforcement
purposes.’’ 2 Under this provision, PBGC
has exempted, in § 4209.11 of its
Privacy Act regulation, records of the
investigations conducted by its
Inspector General and contained in a
system of records entitled ‘‘PBGC–17,
Office of Inspector General Investigative
File System—PBGC.’’
The PBGC–26, PBGC Insider Threat
and Data Loss Prevention—PBGC
system contains: (1) Records derived
from PBGC security investigations, (2)
summaries or reports containing
information about potential insider
threats or the data loss prevention
program, (3) information related to
investigative or analytical efforts by
PBGC insider threat program personnel,
(4) reports about potential insider
threats obtained through the
management and operation of the PBGC
insider threat program, and (5) reports
about potential insider threats obtained
from other Federal Government sources.
The records contained in this new
system include investigative material of
actual, potential, or alleged criminal,
civil, or administrative violations and
law enforcement actions. These records
are within the material permitted to be
exempted under section 552a(k)(2) of
the Privacy Act.
PBGC is amending its Privacy Act
regulation to add a new § 4902.12 that
exempts PBGC–26, PBGC Insider Threat
and Data Loss Prevention—PBGC, from
5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G),
(H), and (I) and (f). Exemption from
these sections of the Privacy Act means
that, with respect to records in the
system, PBGC will not be required to:
(1) Disclose records to an individual
2 See
16:30 Jul 08, 2019
Compliance With Rulemaking
Guidelines
This is a rule of ‘‘agency organization,
procedure, or practice’’ and is limited to
‘‘agency organization, management, or
personnel matters.’’ The exemption
from provisions of the Privacy Act
provided by the interim final rule affects
only PBGC insiders described above.
Accordingly, this rule is exempt from
notice and public comment
requirements under 5 U.S.C. 553(b) and
the requirements of Executive Order
12866 and Executive Order 13771.3
Because no general notice of proposed
rulemaking is required, the Regulatory
Flexibility Act does not apply to this
rule. See 5 U.S.C. 601(2), 603, 604.
PBGC finds good cause exists for
making the amendments set forth in this
interim final rule effective less than 30
days after publication because the
amendments support PBGC’s new
system of records for insider threat
detection and data loss prevention,
which is effective July 9, 2019.
List of Subjects in 29 CFR Part 4902
Jkt 247001
‘‘PBGC–26, PBGC Insider Threat and
Data Loss Prevention—PBGC’’ from the
provisions of 5 U.S.C. 552a(c)(3), (d),
(e)(1), (e)(4)(G), (H), and (I) and (f).
(2) Reasons for exemption. The
reasons for asserting the exemption in
this section are because the disclosure
and other requirements of the Privacy
Act could substantially compromise the
efficacy and integrity of PBGC’s ability
to investigate insider threat activities
and the improper exfiltration of
personally identifiable information.
Disclosure could invade the privacy of
other individuals and disclose their
identity when they were expressly
promised confidentiality. Disclosure
could interfere with the integrity of
information which would otherwise be
subject to privileges, see, e.g., 5 U.S.C.
552(b)(5), and which could interfere
with other important law enforcement
concerns, see, e.g., 5 U.S.C. 552(b)(7).
(b) [Reserved]
Issued in Washington, DC.
Gordon Hartogensis,
Director, Pension Benefit Guaranty
Corporation.
[FR Doc. 2019–14604 Filed 7–8–19; 8:45 am]
BILLING CODE 7709–02–P
DEPARTMENT OF HOMELAND
SECURITY
Privacy.
In consideration of the foregoing,
PBGC is amending 29 CFR part 4902 as
follows:
Coast Guard
PART 4902—DISCLOSURE AND
AMENDMENT OF RECORDS
PERTAINING TO INDIVIDUALS UNDER
THE PRIVACY ACT
RIN 1625–AA09
1. The authority citation for part 4902
is revised to read as follows:
■
Authority: 5 U.S.C. 552a, 29 U.S.C.
1302(b)(3).
§ 4902.1
2. Amend § 4902.1(d) by removing
‘‘4902.11’’ and adding in its place
‘‘4902.12’’.
■
§ 4902.12
[Redesignated as § 4902.13]
3. Redesignate § 4902.12 as § 4902.13.
■ 4. Add new § 4902.12 to read as
follows:
■
§ 4902.12 Specific exemptions: Insider
Threat and Data Loss Prevention.
(a) Other law enforcement—(1)
Exemption. Under the authority granted
by 5 U.S.C. 552a(k)(2), PBGC hereby
exempts the system of records entitled
PO 00000
Frm 00013
Fmt 4700
33 CFR Part 117
[Docket No. USCG–2017–0460]
Drawbridge Operation Regulation;
Shrewsbury River, Monmouth County
Highway Bridge, Sea Bright, New
Jersey
Coast Guard, DHS.
Final rule.
AGENCY:
ACTION:
The Coast Guard is modifying
the operating schedule that governs the
Monmouth County Highway Bridge
(alternatively referred to as the ‘‘Sea
Bright Bridge’’ or the ‘‘S–32 Bridge’’)
across the Shrewsbury River, mile 4.0 at
Sea Bright, New Jersey. The owner of
the bridge, the Monmouth County Board
of Chosen Freeholders (Monmouth
County), submitted a request to reduce
the number of bridge openings during
the summer months to better serve the
needs of the community while
continuing to meet the reasonable needs
of navigation.
DATES: This rule is effective July 23,
2019.
ADDRESSES: To view documents
mentioned in this preamble as being
SUMMARY:
[Amended]
3 See section 3(d)(3) of Executive Order 12866
and section 4(b) of Executive Order 13771.
5 U.S.C. 552a(k)(2).
VerDate Sep<11>2014
upon request, (2) keep an accounting of
individuals who request records, (3)
maintain only records as necessary to
accomplish an agency purpose, or (4)
publish notice of certain revisions of the
system of records.
Sfmt 4700
32619
E:\FR\FM\09JYR1.SGM
09JYR1
Agencies
[Federal Register Volume 84, Number 131 (Tuesday, July 9, 2019)]
[Rules and Regulations]
[Pages 32618-32619]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14604]
=======================================================================
-----------------------------------------------------------------------
PENSION BENEFIT GUARANTY CORPORATION
29 CFR Part 4902
Privacy Act Regulation; Exemption for Insider Threat Program
Records
AGENCY: Pension Benefit Guaranty Corporation.
ACTION: Interim final rule; request for comments.
-----------------------------------------------------------------------
SUMMARY: The Pension Benefit Guaranty Corporation is amending its
Privacy Act regulation to exempt a system of records that supports a
program of insider threat detection and data loss prevention.
DATES:
Effective date: This interim final rule is effective on July 9,
2019.
Comment date: Comments must be received on or before August 8, 2019
to be assured of consideration.
ADDRESSES: Comments may be submitted by any of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the online instructions for submitting comments.
Email: [email protected].
Mail or Hand Delivery: Regulatory Affairs Division, Office
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K
Street NW, Washington, DC 20005-4026.
All submissions must include the agency's name (Pension Benefit
Guaranty Corporation, or PBGC) and title for this rulemaking (Privacy
Act Regulation; Exemption for Insider Threat Program Records). Comments
received will be posted without change to PBGC's website, https://www.pbgc.gov, including any personal information provided. Copies of
comments may also be obtained by writing to Disclosure Division, Office
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K
Street NW, Washington, DC 20005-4026, or calling 202-326-4040 during
normal business hours. TTY users may call the Federal relay service
toll-free at 800-877-8339 and ask to be connected to 202-326-4040.
FOR FURTHER INFORMATION CONTACT: Melissa Rifkin
([email protected]), Attorney, Regulatory Affairs Division,
Office of the General Counsel, Pension Benefit Guaranty Corporation,
1200 K Street NW, Washington, DC 20005-4026; 202-326-4400, extension
6563; Margaret Drake ([email protected]), Chief Privacy Officer,
Office of the General Counsel, 202-326-4400, extension 6435. (TTY users
may call the Federal relay service toll-free at 800-877-8339 and ask to
be connected to 202-326-4400, extension 6563.)
SUPPLEMENTARY INFORMATION:
Executive Summary
This rule amends PBGC's regulation on Disclosure and Amendment of
Records Pertaining to Individuals under the Privacy Act (29 CFR part
4902) to exempt from disclosure information contained in a new system
of records for PBGC's insider threat program. The exemption is needed
because records in this system include investigatory material compiled
for law enforcement purposes.
Authority for this rule is provided by section 4002(b)(3) of the
Employee Retirement Income Security Act of 1974 (ERISA) and 5 U.S.C.
552a(k)(2).
Background
The Pension Benefit Guaranty Corporation (PBGC) administers the
pension plan insurance programs under title IV of the Employee
Retirement Income Security Act of 1974 (ERISA). As a Federal agency,
PBGC is subject to the Privacy Act of 1974, 5 U.S.C. 552a (Privacy
Act), in its collection, maintenance, use, and dissemination of any
personally identifiable information that it maintains in a ``system of
records.'' A system of records is defined under the Privacy Act as ``a
group of any records under the control of any agency from which
information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to
the individual.'' \1\
---------------------------------------------------------------------------
\1\ See 5 U.S.C. 552a(a)(5).
---------------------------------------------------------------------------
PBGC is proposing to establish a new system of records, ``PBGC-26,
PBGC Insider Threat and Data Loss Prevention--PBGC.'' This system of
records is published in the ``Notice'' section of this issue of the
Federal Register.
Executive Order 13587, issued October 7, 2011, requires Federal
agencies to establish an insider threat detection and prevention
program to ensure the security of classified networks and the
responsible sharing and safeguarding of classified information
consistent with appropriate protections for privacy and civil
liberties. While PBGC does not have any classified networks, it does
maintain a significant amount of Controlled Unclassified Information
(CUI) that, under law, it is required to safeguard from unauthorized
access or disclosure. One method utilized by PBGC to ensure that only
those with a need-to-know have access to CUI is a set of tools to
minimize data loss, whether inadvertent or intentional. This system
will collect and maintain Personally Identifiable Information (PII) in
the course of scanning traffic leaving PBGC's network and blocking
traffic that violates PBGC's policies to safeguard PII.
This system covers ``PBGC insiders,'' who are individuals with
access to PBGC resources, including facilities, information, equipment,
networks, and systems. This includes Federal employees and contractors.
Records from this system will be used on a need-
[[Page 32619]]
to-know basis to manage insider threat matters; facilitate insider
threat investigations and activities; identify threats to PBGC
resources, including threats to PBGC's personnel, facilities, and
information assets; track tips and referrals of potential insider
threats to internal and external partners; meet other insider threat
program requirements; and investigate/manage the unauthorized or
attempted unauthorized disclosure of PII.
Exemption
Under section 552a(k) of the Privacy Act, PBGC may promulgate
regulations exempting information contained in certain systems of
records from specified sections of the Privacy Act including the
section mandating disclosure of information to an individual who has
requested it. Among other systems, PBGC may exempt a system that is
``investigatory material compiled for law enforcement purposes.'' \2\
Under this provision, PBGC has exempted, in Sec. 4209.11 of its
Privacy Act regulation, records of the investigations conducted by its
Inspector General and contained in a system of records entitled ``PBGC-
17, Office of Inspector General Investigative File System--PBGC.''
---------------------------------------------------------------------------
\2\ See 5 U.S.C. 552a(k)(2).
---------------------------------------------------------------------------
The PBGC-26, PBGC Insider Threat and Data Loss Prevention--PBGC
system contains: (1) Records derived from PBGC security investigations,
(2) summaries or reports containing information about potential insider
threats or the data loss prevention program, (3) information related to
investigative or analytical efforts by PBGC insider threat program
personnel, (4) reports about potential insider threats obtained through
the management and operation of the PBGC insider threat program, and
(5) reports about potential insider threats obtained from other Federal
Government sources. The records contained in this new system include
investigative material of actual, potential, or alleged criminal,
civil, or administrative violations and law enforcement actions. These
records are within the material permitted to be exempted under section
552a(k)(2) of the Privacy Act.
PBGC is amending its Privacy Act regulation to add a new Sec.
4902.12 that exempts PBGC-26, PBGC Insider Threat and Data Loss
Prevention--PBGC, from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G),
(H), and (I) and (f). Exemption from these sections of the Privacy Act
means that, with respect to records in the system, PBGC will not be
required to: (1) Disclose records to an individual upon request, (2)
keep an accounting of individuals who request records, (3) maintain
only records as necessary to accomplish an agency purpose, or (4)
publish notice of certain revisions of the system of records.
Compliance With Rulemaking Guidelines
This is a rule of ``agency organization, procedure, or practice''
and is limited to ``agency organization, management, or personnel
matters.'' The exemption from provisions of the Privacy Act provided by
the interim final rule affects only PBGC insiders described above.
Accordingly, this rule is exempt from notice and public comment
requirements under 5 U.S.C. 553(b) and the requirements of Executive
Order 12866 and Executive Order 13771.\3\ Because no general notice of
proposed rulemaking is required, the Regulatory Flexibility Act does
not apply to this rule. See 5 U.S.C. 601(2), 603, 604.
---------------------------------------------------------------------------
\3\ See section 3(d)(3) of Executive Order 12866 and section
4(b) of Executive Order 13771.
---------------------------------------------------------------------------
PBGC finds good cause exists for making the amendments set forth in
this interim final rule effective less than 30 days after publication
because the amendments support PBGC's new system of records for insider
threat detection and data loss prevention, which is effective July 9,
2019.
List of Subjects in 29 CFR Part 4902
Privacy.
In consideration of the foregoing, PBGC is amending 29 CFR part
4902 as follows:
PART 4902--DISCLOSURE AND AMENDMENT OF RECORDS PERTAINING TO
INDIVIDUALS UNDER THE PRIVACY ACT
0
1. The authority citation for part 4902 is revised to read as follows:
Authority: 5 U.S.C. 552a, 29 U.S.C. 1302(b)(3).
Sec. 4902.1 [Amended]
0
2. Amend Sec. 4902.1(d) by removing ``4902.11'' and adding in its
place ``4902.12''.
Sec. 4902.12 [Redesignated as Sec. 4902.13]
0
3. Redesignate Sec. 4902.12 as Sec. 4902.13.
0
4. Add new Sec. 4902.12 to read as follows:
Sec. 4902.12 Specific exemptions: Insider Threat and Data Loss
Prevention.
(a) Other law enforcement--(1) Exemption. Under the authority
granted by 5 U.S.C. 552a(k)(2), PBGC hereby exempts the system of
records entitled ``PBGC-26, PBGC Insider Threat and Data Loss
Prevention--PBGC'' from the provisions of 5 U.S.C. 552a(c)(3), (d),
(e)(1), (e)(4)(G), (H), and (I) and (f).
(2) Reasons for exemption. The reasons for asserting the exemption
in this section are because the disclosure and other requirements of
the Privacy Act could substantially compromise the efficacy and
integrity of PBGC's ability to investigate insider threat activities
and the improper exfiltration of personally identifiable information.
Disclosure could invade the privacy of other individuals and disclose
their identity when they were expressly promised confidentiality.
Disclosure could interfere with the integrity of information which
would otherwise be subject to privileges, see, e.g., 5 U.S.C.
552(b)(5), and which could interfere with other important law
enforcement concerns, see, e.g., 5 U.S.C. 552(b)(7).
(b) [Reserved]
Issued in Washington, DC.
Gordon Hartogensis,
Director, Pension Benefit Guaranty Corporation.
[FR Doc. 2019-14604 Filed 7-8-19; 8:45 am]
BILLING CODE 7709-02-P