Social Security Number Fraud Prevention Act Requirements, 25749-25750 [2024-07750]


[Federal Register Volume 89, Number 72 (Friday, April 12, 2024)]
[Rules and Regulations]
[Pages 25749-25750]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-07750]



========================================================================
Rules and Regulations
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains regulatory documents 
having general applicability and legal effect, most of which are keyed 
to and codified in the Code of Federal Regulations, which is published 
under 50 titles pursuant to 44 U.S.C. 1510.

The Code of Federal Regulations is sold by the Superintendent of Documents. 

========================================================================


Federal Register / Vol. 89, No. 72 / Friday, April 12, 2024 / Rules 
and Regulations

[[Page 25749]]



OFFICE OF PERSONNEL MANAGEMENT

5 CFR Part 297

[Docket ID: OPM-2023-0035]
RIN 3206-AO16


Social Security Number Fraud Prevention Act Requirements

AGENCY: Office of Personnel Management.

ACTION: Direct final rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Personnel Management (OPM) is publishing this 
direct final rule to implement the requirements of the Social Security 
Number Fraud Prevention Act of 2017 (Act). In accordance with the Act, 
OPM is amending its privacy procedures to prohibit the inclusion of 
Social Security numbers (SSNs) on any document sent through the mail 
unless the Director of OPM deems it necessary. This rule also 
establishes requirements for safeguarding SSNs sent through the mail by 
partially redacting SSNs where feasible and prohibiting the display of 
SSNs on the outside of any package or envelope sent by mail.

DATES: This rule is effective on June 26, 2024, without further action 
unless significant adverse comments are received by June 11, 2024. If 
significant adverse comments are received, OPM will withdraw this 
direct final rule and publish a proposed rule.

ADDRESSES: You may submit comments for this direct final rule using the 
following method:
     Federal Rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
    All submissions received must include the agency name and docket 
number for this direct final rule. The general policy for comments and 
other submissions from members of the public is to make these 
submissions available for public viewing at https://www.regulations.gov 
as they are received, without change, including any personal 
identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Kirsten J. Moncada, Executive 
Director, Office of the Executive Secretariat, Privacy, and Information 
Management, 202-936-0251.

SUPPLEMENTARY INFORMATION: The Social Security Number Fraud Prevention 
Act of 2017, Public Law 115-59, 42 U.S.C. 405 note, restricts the 
inclusion of SSNs on documents sent by mail unless the head of the 
agency determines that the inclusion of the SSNs on the documents is 
necessary. The Act also directs agencies to issue regulations that 
specify when inclusion of an SSN is necessary and include requirements 
for the safeguarding of SSNs by partially redacting SSNs where feasible 
and prohibiting the display of SSNs on the outside of any package or 
envelope sent by mail.
    To implement the Act, OPM is adding new subpart F, titled 
``Protecting Social Security Numbers in Mailed Documents,'' to its 
privacy procedures at 5 CFR part 297. The new requirements in subpart F 
prohibit the inclusion of SSNs on any document OPM program offices send 
through the mail unless the Director of OPM, on the advice of the 
Senior Agency Official for Privacy, deems it necessary and precautions 
are taken to protect the SSNs. In addition, subpart F includes 
requirements for OPM program offices to partially redact SSNs where 
feasible and specifically prohibits the display of complete or partial 
SSNs on the outside of any package or envelope sent by mail or through 
the window of an envelope or package. Subpart F applies to all OPM 
office activities and written or printed documents OPM sends by mail 
that include a complete or partial SSN.
    OPM is also amending 5 CFR 297.102 to add the definitions of 
``document,'' and ``mail'' to make explicit OPM's meaning of the terms 
in this new subpart F. For the purposes of this rule, a document is a 
record of some information that can be used as an authority or for 
reference, further analyses, or study. This includes all records OPM 
maintains and uses to identify, track, and correspond with agencies, 
Federal employees, contractors, and annuitants, among others. Mail is 
defined as artifacts used to assemble letters and packages that are 
sent or delivered by the United States Postal Service or other 
commercial letter or parcel delivery services.

Direct Final Rule Justification

    This rule of agency organization, procedure, or practice is exempt 
from the prior public notice and comment requirements of the 
Administrative Procedure Act. See 5 U.S.C. 553(b)(3)(A). This rule will 
not have any effect on the rights, obligations, or interests of any 
affected parties, as it is merely procedural and reflects a statutory 
requirement that is already in effect. The rule restricts and 
safeguards the inclusion of SSNs in documents that are mailed to 
prevent unauthorized disclosure of SSNs and protect individual privacy. 
Accordingly, OPM for good cause finds that the notice and comment 
requirements are unnecessary. See 5 U.S.C. 553(b)(3)(B).
    This rule is also suitable for direct final rulemaking because it 
is non-controversial and consistent with Federal law and policy 
regarding the appropriate handling and protection of SSNs. The 
provisions of the rule will be beneficial to members of the public and 
Federal employees because it protects their personally identifiable 
information. Because this non-substantive rule makes no changes to the 
legal obligations or rights of any affected parties (i.e., reflects a 
statutory requirement that is already in effect) and because it is in 
the public interest to have this rule be effective as soon as possible, 
OPM does not expect to receive any significant adverse comments.
    This rule will be effective June 26, 2024, without further action 
unless significant adverse comments are received. A significant adverse 
comment is one that explains: (1) why the rule is inappropriate, 
including challenges to the rule's underlying premise or approach; or 
(2) why the direct final rule will be ineffective or unacceptable 
without a change. If such comments are received, this direct final rule 
will be withdrawn and a proposed rule for comments will be published. 
If no such comments are received, this direct final rule will become 
effective 15 days after the comment period expires. In determining 
whether a significant adverse comment necessitates withdrawal of this 
direct final rule, OPM will consider whether the 
comment raises an issue serious enough to warrant a substantive 
response had it been submitted in a standard notice and comment 
process. A comment recommending an addition to the rule will not be 
considered significant and adverse unless the comment explains how this 
direct final rule would be ineffective without the addition.

Expected Impact of This Direct Final Rule

    SSNs are used as unique identifiers by government agencies, 
businesses, and other entities. The theft and fraudulent use of SSNs 
can result in significant repercussions for the SSN holder, as well as 
the entities from which SSNs were stolen. This direct final rule 
formalizes in regulation OPM's current practice of safeguarding SSNs in 
mailed documents and will support efforts to protect individual 
privacy. In accordance with the E-Government Act (2002), OPM currently 
applies encryption technology and other security controls, such as 
password protection, to minimize the risk of unauthorized disclosure of 
SSNs. OPM program offices are also required to conduct proper 
assessments to minimize the use of SSNs and the impact to individual 
privacy as a result of their inclusion in any document. This rule 
supplements these procedures and is beneficial because it protects 
individual privacy and standardizes OPM's procedures for mailing 
documents with SSNs. There are no alternatives to this rule because it 
is required by statute.

Regulatory Review

    Executive Orders 13563, 12866, and 14094 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). The 
Office of Information and Regulatory Affairs in the Office of 
Management and Budget has determined this rule is not a ``significant 
regulatory action'' under section 3(f) of Executive Order 12866, as 
amended by Executive Order 14094.

Regulatory Flexibility Act

    The Director of OPM certifies that this rule will not have a 
significant economic impact on a substantial number of small entities 
because it is a procedural rule that applies only to OPM.

E.O. 13132, Federalism

    This rule will not have substantial direct effects on the States, 
on the relationship between the National Government and the States, or 
on distribution of power and responsibilities among the various levels 
of government. Therefore, in accordance with Executive Order 13132, OPM 
has determined that this direct rule does not have federalism 
implications that require preparation of a federalism summary impact 
statement.

E.O. 12988, Civil Justice Reform

    OPM has determined that this rule meets the relevant standards of 
Executive Order 12988.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the expenditure by State, local, or 
tribal governments, or the private sector of more than $100 million 
annually. Thus, no written assessment of unfunded mandates is required.

Congressional Review Act

    Subtitle E of the Small Business Regulatory Enforcement Fairness 
Act of 1996 (known as the Congressional Review Act or CRA) (5 U.S.C. 
801, et seq.) requires rules to be submitted to Congress before taking 
effect. OPM will submit to Congress and the Comptroller General of the 
United States a report regarding the issuance of this rule before its 
effective date, as required by 5 U.S.C. 801. The Office of Information 
and Regulatory Affairs in the Office of Management and Budget has 
determined that this rule is not a major rule as defined by the CRA (5 
U.S.C. 804).

Paperwork Reduction Act of 1995

    This regulatory action will not impose any reporting or 
recordkeeping requirements under the Paperwork Reduction Act (44 U.S.C. 
Chapter 35).

List of Subjects in 5 CFR Part 297

    Privacy.

Office of Personnel Management.
Kayyonne Marston,
Federal Register Liaison.

    For reasons stated in the preamble, OPM amends 5 CFR part 297 as 
follows:

PART 297--PRIVACY PROCEDURES FOR PERSONNEL RECORDS

1. The authority citation for part 297 is revised to read as follows:

    Authority:  5 U.S.C. 552a; Pub. L. 115-59, 113 Stat. 1152 (42 
U.S.C. 405 note).


2. Amend Sec.  297.102 by adding in alphabetical order the definitions 
for ``Document'' and ``Mail'' to read as follows:


Sec.  297.102  Definitions.

* * * * *
    Document means a piece of written or printed matter that provides 
information or evidence or that serves as official record.
    Mail means artifacts used to assemble letters and packages that are 
sent or delivered by the United States Postal Service or other 
commercial letter or parcel delivery services.
* * * * *

3. Add subpart F, consisting of Sec. Sec.  297.601 and 297.602, to read 
as follows:

Subpart F--Privacy and Social Security Number Fraud Prevention

Sec.
297.601 Purpose and scope.
297.602 Protecting Social Security numbers in mailed documents.


Sec.  297.601  Purpose and scope.

    The purpose of this subpart is to implement the requirements of the 
Social Security Number Fraud Prevention Act of 2017 to limit the use of 
Social Security numbers on documents mailed by the Office of Personnel 
and Management (OPM). The subpart applies to all written or printed 
documents that OPM sends by mail that include a complete or partial 
Social Security number.


Sec.  297.602  Protecting Social Security numbers in mailed documents.

    (a) Social Security numbers must not be visible on the outside of 
any package OPM sends by mail or displayed on correspondence that is 
visible through the window of an envelope or package.
    (b) A document OPM sends by mail may only include a Social Security 
number if the Director of OPM determines, on the advice of the Senior 
Agency Official for Privacy, that the inclusion of a Social Security 
number on a document sent by mail is necessary and appropriate to meet 
legal and mission requirements.
    (c) The inclusion of a Social Security number on a document sent by 
mail is necessary when--
    (1) Required by law; or
    (2) Necessary to identify a specific person and no adequate 
substitute is available.
    (d) Social Security numbers must be partially redacted in documents 
sent by mail whenever feasible to mitigate any risks to privacy.

[FR Doc. 2024-07750 Filed 4-11-24; 8:45 am]
BILLING CODE 6325-67-P