[Federal Register Volume 82, Number 106 (Monday, June 5, 2017)]
[Proposed Rules]
[Pages 25751-25753]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-10788]



[[Page 25751]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

28 CFR Part 16

[CPCLO Order No. 002-2017]


Privacy Act of 1974; Implementation

AGENCY: United States Department of Justice.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: Elsewhere in this Federal Register, the United States 
Department of Justice (Department or DOJ) has published a new Privacy 
Act System of Records Notice, JUSTICE/DOJ-018, ``DOJ Insider Threat 
Program Records.'' Further, the Department issued a rescindment notice 
for the Federal Bureau of Investigation (FBI) System of Records Notice 
titled, ``FBI Insider Threat Program Records,'' JUSTICE/FBI-023. In 
this document, the DOJ withdraws the notice of proposed rulemaking for 
the ``FBI Insider Threat Program Records'' issued in CPCLO Order No. 
008-2016, published on September 19, 2016, and proposes to exempt 
JUSTICE/DOJ-018 from certain provisions of the Privacy Act, in order to 
avoid interference with efforts to detect, deter, and/or mitigate 
insider threats. Public comment is invited.

DATES: As of June 5, 2017, the notice of proposed rulemaking published 
at 81 FR 64092 (Sept. 19, 2016), is withdrawn. Comments on this notice 
of proposed rulemaking must be received by July 5, 2017.

ADDRESSES: Address all comments to the Privacy Analyst, Privacy and 
Civil Liberties Office, National Place Building, 1331 Pennsylvania Ave. 
NW., Suite 1000, Washington, DC 20530-0001, facsimile 202-307-0693, or 
email at [email protected]. To ensure proper handling, please reference 
the CPCLO Order No. of this notice of proposed rulemaking in your 
correspondence. You may review an electronic version of the proposed 
rule at http://www.regulations.gov, and you may also comment by using 
that Web site's comment form for this regulation. When submitting 
comments electronically, you must include the CPCLO Order No. in the 
subject box.
    Please note that the Department is requesting that electronic 
comments be submitted before midnight Eastern Daylight Time on the day 
the comment period closes because http://www.regulations.gov terminates 
the public's ability to submit comments at that time. Commenters in 
time zones other than Eastern Time may want to consider this so that 
their electronic comments are received. All comments sent via regular 
or express mail will be considered timely if postmarked on or before 
the day the comment period closes.
    Posting of Public Comments: Please note that all comments received 
are considered part of the public record and made available for public 
inspection online at http://www.regulations.gov and in the Department's 
public docket. Such information includes personal identifying 
information (such as your name, address, etc.) voluntarily submitted by 
the commenter.
    If you want to submit personal identifying information (such as 
your name, address, etc.) as part of your comment, but do not want it 
to be posted online or made available in the public docket, you must 
include the phrase ``PERSONALLY IDENTIFYING INFORMATION'' in the first 
paragraph of your comment. You must also place all personal identifying 
information you do not want posted online or made available in the 
public docket in the first paragraph of your comment and identify what 
information you want redacted.
    If you want to submit confidential business information as part of 
your comment, but do not want it to be posted online or made available 
in the public docket, you must include the phrase ``CONFIDENTIAL 
BUSINESS INFORMATION'' in the first paragraph of your comment. You must 
also prominently identify confidential business information to be 
redacted within the comment. If a comment has so much confidential 
business information that it cannot be effectively redacted, all or 
part of that comment may not be posted online or made available in the 
public docket.
    Personally identifying information and confidential business 
information identified and located as set forth above will be redacted 
and the comment, in redacted form, will be posted online and placed in 
the Department's public docket file. Please note that the Freedom of 
Information Act applies to all comments received. If you wish to 
inspect the agency's public docket file in person by appointment, 
please see the FOR FURTHER INFORMATION CONTACT section, below.

FOR FURTHER INFORMATION CONTACT: Laurence Reed, DOJ Insider Threat 
Program Manager, United States Department of Justice, Insider Threat 
Prevention and Detection Program, 145 N Street NE., Washington, DC 
20002, 202-357-0165, [email protected].

SUPPLEMENTARY INFORMATION:

DOJ Insider Threat Program

    The November 21, 2012, Presidential Memorandum--National Insider 
Threat Policy and Minimum Standards for Executive Branch Insider Threat 
Programs states that an insider threat is the threat that any person 
with authorized access to any United States Government resources, to 
include personnel, facilities, information, equipment, networks or 
systems, will use her/his authorized access, wittingly or unwittingly, 
to do harm to the security of the United States. This threat can 
include damage to the United States through espionage, terrorism, 
unauthorized disclosure of national security information, or through 
the loss or degradation of departmental resources or capabilities.
    In the Notice section of this Federal Register, the DOJ has 
established a new Privacy Act system of records titled ``DOJ Insider 
Threat Program Records,'' JUSTICE/DOJ-018. The system serves as a 
repository for DOJ information and for information lawfully received 
from other federal agencies or obtained from private companies and 
permits the comparison of data sets in order to provide a more complete 
picture of potential insider threats.
    In this rulemaking, the DOJ proposes to exempt this Privacy Act 
system of records from certain provisions of the Privacy Act in order 
to avoid interference with the responsibilities of the DOJ to detect, 
deter, and/or mitigate insider threats as established by federal law 
and policy. For an overview of the Privacy Act, see: https://www.justice.gov/opcl/privacy-act-1974.

Integration of the FBI Insider Threat Program Records (ITPR) System of 
Records

    On September 19, 2016, the Federal Bureau of Investigation (FBI), a 
component of the DOJ, published a new Privacy Act System of Records 
Notice titled, ``FBI Insider Threat Program Records (ITPR),'' JUSTICE/
FBI-023, at 81 FR 64198. The FBI also issued a notice of proposed 
rulemaking, CPCLO No. 008-2016, at 81 FR 64092, proposing to exempt 
JUSTICE/FBI-023 from certain provisions of the Privacy Act. To 
consolidate Privacy Act notices under one DOJ-wide system of records, 
the Department is rescinding JUSTICE/FBI-023. In addition, the 
Department hereby withdraws the proposed rule, CPCLO No. 008-2016, 
published September 19, 2016, at 81 FR 64092, and will not publish a 
final rule to exempt JUSTICE/FBI-023 from certain provisions of the 
Privacy Act. Instead, the Department has published a new Privacy Act 
System of Records Notice titled, ``DOJ Insider Threat Program 
Records,'' JUSTICE/DOJ-018, and proposes to exempt this DOJ-wide

[[Page 25752]]

system of records from certain provisions of the Privacy Act, as 
described below.

Regulatory Flexibility Act

    This proposed rule relates to individuals rather than small 
business entities. Pursuant to the requirements of the Regulatory 
Flexibility Act of 1980, 5 U.S.C. 601-612, therefore, the proposed rule 
will not have a significant economic impact on a substantial number of 
small entities.

Small Entity Inquiries

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996, 5 U.S.C. 801 et seq., requires the DOJ to comply with small 
entity requests for information and advice about compliance with 
statutes and regulations within DOJ jurisdiction. Any small entity that 
has a question regarding this document may contact the person listed in 
the FOR FURTHER INFORMATION CONTACT section, above. Persons can obtain 
further information regarding SBREFA on the Small Business 
Administration's Web page at http://www.sba.gov/advo/archive/sum_sbrefa.html.

Paperwork Reduction Act

    The Paperwork Reduction Act of 1995, 44 U.S.C. 3507(d), requires 
that DOJ consider the impact of paperwork and other information 
collection burdens imposed on the public. There are no current or new 
information collection requirements associated with this proposed rule. 
The records that are contributed to this system may be provided by 
individuals covered by this system, the DOJ and United States 
Government components, other domestic and foreign government entities, 
or purchased from private entities. Sharing of this information 
electronically will not increase the paperwork burden on the public.

Unfunded Mandates Reform Act of 1995

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public 
Law 103-3, 109 Stat. 48, requires Federal agencies to assess the 
effects of certain regulatory actions on State, local, and tribal 
governments, and the private sector. UMRA requires a written statement 
of economic and regulatory alternatives for proposed and final rules 
that contain Federal mandates. A ``Federal mandate'' is a new or 
additional enforceable duty, imposed on any State, local, or tribal 
government, or the private sector. If any Federal mandate causes those 
entities to spend, in aggregate, $100 million or more in any one year, 
the UMRA analysis is required. This proposed rule would not impose 
Federal mandates on any State, local, or tribal government or the 
private sector.

List of Subjects in 28 CFR Part 16

    Administrative practices and procedures, Courts, Freedom of 
Information Act, Privacy Act.

    Pursuant to the authority vested in the Attorney General by 5 
U.S.C. 552a and delegated to me by Attorney General Order 2940-2008, 28 
CFR part 16 is proposed to be amended as follows:

PART 16--[AMENDED]

0
1. The authority citation for part 16 continues to read as follows:

    Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510, 
534; 31 U.S.C. 3717.

Subpart E--Exemption of Records Systems Under the Privacy Act

0
2. Add Sec.  16.137 to subpart E to read as follows:


Sec.  16.137  Exemption of the Department of Justice Insider Threat 
Program Records, JUSTICE/DOJ-018.

    (a) The Department of Justice Insider Threat Program Records 
(JUSTICE/DOJ-018) system of records is exempted from subsections 5 
U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and 
(3); (e)(4)(G), (H) and (I); (e)(5) and (8); (f) and (g) of the Privacy 
Act. These exemptions apply only to the extent that information in this 
system is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k). 
Where DOJ determines compliance would not appear to interfere with or 
adversely affect the purpose of this system to detect, deter, and/or 
mitigate insider threats, the applicable exemption may be waived by the 
DOJ in its sole discretion.
    (b) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3), the requirement that an accounting be 
made available to the named subject of a record, because this system is 
exempt from the access provisions of subsection (d). Also, because 
making available to a record subject the accounting of disclosures of 
records concerning him/her would specifically reveal any insider 
threat-related interest in the individual by the DOJ or agencies that 
are recipients of the disclosures. Revealing this information could 
compromise ongoing, authorized law enforcement and intelligence 
efforts, particularly efforts to identify and/or mitigate insider 
threats. Revealing this information could also permit the record 
subject to obtain valuable insight concerning the information obtained 
during any investigation and to take measures to impede the 
investigation, e.g., destroy evidence or flee the area to avoid the 
investigation.
    (2) From subsection (c)(4) notification requirements because this 
system is exempt from the access and amendment provisions of subsection 
(d) as well as the accounting of disclosures provision of subsection 
(c)(3). The DOJ takes seriously its obligation to maintain accurate 
records despite its assertion of this exemption, and to the extent it, 
in its sole discretion, agrees to permit amendment or correction of DOJ 
records, it will share that information in appropriate cases.
    (3) From subsection (d)(1), (2), (3) and (4), (e)(4)(G) and (H), 
(e)(8), (f) and (g) because these provisions concern individual access 
to and amendment of law enforcement, intelligence and 
counterintelligence, and counterterrorism records and compliance could 
alert the subject of an authorized law enforcement or intelligence 
activity about that particular activity and the interest of the DOJ 
and/or other law enforcement or intelligence agencies. Providing access 
could compromise information classified to protect national security; 
disclose information that would constitute an unwarranted invasion of 
another's personal privacy; reveal a sensitive investigative or 
intelligence technique; provide information that would allow a subject 
to avoid detection or apprehension; or constitute a potential danger to 
the health or safety of law enforcement personnel, confidential 
sources, or witnesses.
    (4) From subsection (e)(1) because it is not always possible to 
know in advance what information is relevant and necessary for law 
enforcement and intelligence purposes. The relevance and utility of 
certain information that may have a nexus to insider threats may not 
always be fully evident until and unless it is vetted and matched with 
other information necessarily and lawfully maintained by the DOJ.
    (5) From subsection (e)(2) and (3) because application of these 
provisions could present a serious impediment to efforts to detect, 
deter and/or mitigate insider threats. Application of these provisions 
would put the subject of an investigation on notice of the 
investigation and allow the subject an opportunity to engage in conduct 
intended to impede the investigative activity or avoid apprehension.
    (6) From subsection (e)(4)(I), to the extent that this subsection 
is interpreted to require more detail regarding the

[[Page 25753]]

record sources in this system than has been published in the Federal 
Register. Should the subsection be so interpreted, exemption from this 
provision is necessary to protect the sources of law enforcement and 
intelligence information and to protect the privacy and safety of 
witnesses and informants and others who provide information to the DOJ. 
Further, greater specificity of sources of properly classified records 
could compromise national security.
    (7) From subsection (e)(5) because in the collection of information 
for authorized law enforcement and intelligence purposes, including 
efforts to detect, deter, and/or mitigate insider threats, due to the 
nature of investigations and intelligence collection, the DOJ often 
collects information that may not be immediately shown to be accurate, 
relevant, timely, and complete, although the DOJ takes reasonable steps 
to collect only the information necessary to support its mission and 
investigations. Additionally, the information may aid in establishing 
patterns of activity and providing criminal or intelligence leads. It 
could impede investigative progress if it were necessary to assure 
relevance, accuracy, timeliness and completeness of all information 
obtained throughout the course and within the scope of an 
investigation. Further, some of the records in this system may come 
from other domestic or foreign government entities, or private 
entities, and it would not be administratively feasible for the DOJ to 
vouch for the compliance of these agencies with this provision.

    Dated: May 19, 2017.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties Officer, United States 
Department of Justice.
[FR Doc. 2017-10788 Filed 6-2-17; 8:45 am]
BILLING CODE 4410-NW-P