[Federal Register Volume 78, Number 46 (Friday, March 8, 2013)]
[Notices]
[Pages 15120-15121]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-05358]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities; Proposed Information 
Collection; Comment Request

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION:  Notice and Request for comment.

-----------------------------------------------------------------------

SUMMARY:  The OCC, as part of its continuing effort to reduce paperwork 
and respondent burden, invites the general public and other Federal 
agencies to comment on a continuing information collection, as required 
by the Paperwork Reduction Act of 1995.
    Under the Paperwork Reduction Act of 1995 (PRA), Federal agencies 
are required to publish notice in the Federal Register concerning each 
proposed collection of information, including each proposed extension 
of an existing collection of information and to allow 60 days for 
public comment in response to the notice.
    In accordance with the requirements of the PRA, the OCC may not 
conduct or sponsor, and the respondent is not required to respond to, 
an information collection unless it displays a currently valid Office 
of Management and Budget (OMB) control number.
    The OCC is soliciting comment concerning its information collection 
titled, ``Notice Regarding Unauthorized Access to Customer 
Information.''

DATES: Comments must be submitted on or before May 7, 2013.

ADDRESSES:  Because paper mail in the Washington, DC area and at the 
OCC is subject to delay, commenters are encouraged to submit comments 
by email if possible. Comments may be sent to: Legislative and 
Regulatory Activities Division, Office of the Comptroller of the 
Currency, Attention: 1557-0227, 400 7th Street SW., Suite 3E-218, Mail 
Stop 9W-11, Washington, DC 20219. In addition, comments may be sent by 
fax to (571) 465-4326 or by electronic mail to 
[email protected]. You may personally inspect and photocopy 
comments at the OCC, 400 7th Street SW., Washington, DC 20219. For 
security reasons, the OCC requires that visitors make an appointment to 
inspect comments. You may do so by calling (202) 649-6700. Upon 
arrival, visitors will be required to present valid government-issued 
photo identification and to submit to security screening in order to 
inspect and photocopy comments.
    All comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not enclose any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.

FOR FURTHER INFORMATION CONTACT: You may request additional information 
or a copy of the collection from Johnny Vilela or Mary H. Gottlieb, OCC 
Clearance Officers, (202) 649-5490, Legislative and Regulatory 
Activities Division, Office of the Comptroller of the Currency, 400 7th 
Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from the Office of Management and Budget 
(OMB) for each collection of information they conduct or sponsor. 
``Collection of information'' is defined in 44 U.S.C. 3502(3) and 5 CFR 
1320.3(c) to include agency requests or requirements that members of 
the public submit reports, keep records, or provide information to a 
third party. Section 3506(c)(2)(A) of the PRA (44 U.S.C. 3506(c)(2)(A)) 
requires Federal agencies to provide a 60-day notice in the Federal 
Register concerning each proposed collection of information, including 
each proposed extension of an existing collection of information, 
before submitting the collection to OMB for approval. To comply with 
this requirement, the OCC is publishing notice of the proposed 
collection of information set forth in this document.

SUPPLEMENTARY INFORMATION: The OCC is proposing to extend, with 
revision, the approval of the following information collection:
    Title: Notice Regarding Unauthorized Access to Customer 
Information.
    OMB Control No.: 1557-0227.
    Description: Section 501(b) of the Gramm-Leach-Bliley Act (15 
U.S.C. 6801) requires the OCC to establish appropriate standards for 
national banks relating to administrative, technical, and physical 
safeguards: (1) To insure the security and confidentiality of customer 
records and information; (2) to protect against any anticipated threats 
or hazards to the security or integrity of such records; and (3) to 
protect against unauthorized access to, or use of, such records or 
information that could result in substantial harm or inconvenience to 
any customer.
    The Interagency Guidelines Establishing Information Security 
Standards, 12 CFR Part 30, Appendix B and Part 170, Appendix B 
(collectively,

[[Page 15121]]

Security Guidelines), implementing section 501(b), require each entity 
supervised by the OCC (supervised institution) to consider and adopt a 
response program, if appropriate, that specifies actions to be taken 
when the supervised institution suspects or detects that unauthorized 
individuals have gained access to customer information.
    The Interagency Guidance on Response Programs for Unauthorized 
Customer Information and Customer Notice (Breach Notice Guidance \1\), 
which interprets the Security Guidelines, states that, at a minimum, a 
supervised institution's response program should contain procedures for 
the following:
---------------------------------------------------------------------------

    \1\ 12 CFR part 30, Appendix B, Supplement A.
---------------------------------------------------------------------------

    (1) Assessing the nature and scope of an incident, and identifying 
what customer information systems and types of customer information 
have been accessed or misused;
    (2) Notifying its primary Federal regulator as soon as possible 
when the supervised institution becomes aware of an incident involving 
unauthorized access to, or use of, sensitive customer information;
    (3) Consistent with the OCC's Suspicious Activity Report 
regulations, notifying appropriate law enforcement authorities, as well 
as filing a timely SAR in situations in which Federal criminal 
violations require immediate attention, such as when a reportable 
violation is ongoing;
    (4) Taking appropriate steps to contain and control the incident in 
an effort to prevent further unauthorized access to, or use of, 
customer information, for example, by monitoring, freezing, or closing 
affected accounts, while preserving records and other evidence; and
    (5) Notifying customers when warranted.
    This collection of information covers the notice provisions in the 
Breach Notice Guidance.
    Type of Review: Extension of a currently approved collection.
    Affected Public: Individuals; Businesses or other for-profit.
    Estimated Number of Respondents: 344.

Developing notices: 16 hrs. x 344 respondents = 5504 hours
Notifying customers: 20 hrs. x 344 respondents = 6880 hours

    Estimated average burden per respondent: 36 hours.
    Total Estimated Annual Burden: 12,384 hours.
    Frequency of Response: On occasion.
    Comments submitted in response to this notice will be summarized 
and included in the request for OMB approval. All comments will become 
a matter of public record. Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the OCC, including whether the 
information has practical utility;
    (b) The accuracy of the OCC's estimate of the information 
collection;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology;
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information; and
    (f) Whether the estimates need to be adjusted based upon banks' 
experiences regarding the number of actual security breaches that 
occur.

    Dated: March 4, 2013.
Michele Meyer,
Assistant Director, Legislative and Regulatory Activities Division.
[FR Doc. 2013-05358 Filed 3-7-13; 8:45 am]
BILLING CODE P