[Federal Register Volume 83, Number 86 (Thursday, May 3, 2018)]
[Notices]
[Pages 19560-19563]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-09333]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of modified systems of records.

-----------------------------------------------------------------------

SUMMARY: The FTC proposes to modify all FTC Privacy Act system of 
records notices (SORNs) by amending and bifurcating an existing routine 
use relating to assistance in data breach responses, to conform with 
Office of Management and Budget (OMB) guidance to federal agencies, OMB 
Memorandum 17-12.

DATES: Comments must be submitted by June 4, 2018. This routine use, 
which is being published in proposed form, shall become final and 
effective July 2, 2018, without further notice unless otherwise amended 
or repealed by the Commission on the basis of any comments received.

ADDRESSES: Interested parties are invited to submit written comments by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Comments should refer to 
``Privacy Act of 1974; System of Records: FTC File No. P072104'' to 
facilitate the organization of comments. Please file your comment 
online at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse 
by following the instructions on the web-based form. If you prefer to 
file your comment on paper, mail or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 
20580, or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: G. Richard Gold and Alex Tang, 
Attorneys, Office of the General Counsel, FTC, 600 Pennsylvania Avenue 
NW, Washington, DC 20580, (202) 326-2424.

SUPPLEMENTARY INFORMATION:

Request for Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 4, 2018. 
Write ``Privacy Act of 1974; System of Records: FTC File No. P072104'' 
on your comment. Your comment--including your name and your state--will 
be placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission website, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, the Commission encourages 
you to submit your comments online. To make sure that the Commission 
considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/privacyactroutineuse by following the 
instructions on the web-based form. If this Notice appears at 
www.regulations.gov, you also may file a comment through that website.
    If you file your comment on paper, write ``Privacy Act of 1974; 
System of Records: FTC File No. P072104'' on your comment and on the 
envelope, and mail it to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street, SW, 5th Floor, Suite 5610 (Annex 
J), Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
website at www.ftc.gov, you are solely responsible for making sure that 
your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Once your comment has been posted on the public FTC website--as 
legally required by FTC Rule 4.9(b)--we cannot redact or remove your 
comment from the FTC website, unless you submit a confidentiality 
request that meets the requirements for such treatment under FTC Rule 
4.9(c), and the General Counsel grants that request. Comments 
containing material for which confidential treatment is requested must 
be filed in paper form, must be clearly labeled ``Confidential,'' and 
must comply with FTC Rule 4.9(c). In particular, the written request 
for confidential treatment that accompanies the comment must include 
the factual and legal basis for the request, and must identify the 
specific portions of the comment to be withheld from the public record. 
See FTC Rule 4.9(c).
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before June 4, 2018. 
You can find more information, including routine uses permitted by the 
Privacy Act, in the Commission's privacy policy, at www.ftc.gov/privacy.

Analysis to Aid Public Comment

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, this 
document provides public notice that the FTC is proposing to modify and 
bifurcate an existing routine use relating to assistance in data breach 
responses, which is applicable to all FTC SORNs, to conform with OMB 
Memorandum M-17-12, Preparing for and Responding to a Breach of 
Personally Identifiable Information (January 3, 2017). A list of the 
agency's current Privacy Act records systems is set out below and can 
be viewed on the FTC's website at: www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The modified and bifurcated routine 
use would be included in Appendix I, Authorized Disclosures and Routine 
Uses Applicable to All FTC Privacy Act Systems of Records, which 
describes routine uses that apply globally to all FTC Privacy Act 
records systems. Appendix I was previously published at 73 FR 33592 
(June 12, 2008), the text of which is available on the FTC's website at 
the above hyperlink and would be updated accordingly.

------------------------------------------------------------------------
                                                     Federal Register
             System number and name                   citations \1\
------------------------------------------------------------------------
FTC-I-1--Nonpublic Investigational and Other                 76 FR 60125
 Nonpublic Legal Program Records...............        75 FR 52749-52751
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-I-2--Disciplinary Action Investigatory           * 73 FR 33591-33634
 Files.........................................
FTC-I-3--Informal Advisory Opinion Request and       * 73 FR 33591-33634
 Response Files................................
FTC-I-4--Clearance Application and Response          * 73 FR 33591-33634
 Files.........................................
FTC-I-5--Matter Management System..............      * 82 FR 50872-50882
FTC-I-6--Public Records........................      * 73 FR 33591-33634
FTC-I-7--Office of Inspector General                 * 82 FR 50872-50882
 Investigative Files...........................
FTC-I-8--Stenographic Reporting Services                 80 FR 9460-9465
 Request System................................      * 73 FR 33591-33634
FTC-II-1--General Personnel Records............          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-2--Unofficial Personnel Records.........          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-3--Worker's Compensation................      * 82 FR 50872-50882
FTC-II-4--Employment Application-Related               * 80 FR 9460-9465
 Records.......................................        73 FR 33591-33634
FTC-II-5--Equal Employment Opportunity               * 82 FR 50872-50882
 Statistical Reporting System..................
FTC-II-6--Discrimination Complaint System......        75 FR 52749-52751
                                                       73 FR 33591-33634
FTC-II-7--Ethics Program Records...............          80 FR 9460-9465
                                                       75 FR 52749-52751
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-II-8--Employee Adverse Action and                    80 FR 9460-9465
 Disciplinary Records..........................      * 73 FR 33591-33634
FTC-II-9--Claimants Under Federal Tort Claims            80 FR 9460-9465
 Act and Military Personnel and Civilian               74 FR 17863-17866
 Employees' Claims Act.........................      * 73 FR 33591-33634
FTC-II-10--Employee Health Care Records........      * 82 FR 50872-50882
FTC-II-11--Personnel Security, Identity                  80 FR 9460-9465
 Management, and Access Control Records System.      * 73 FR 33591-33634
FTC-II-12--e-Train Learning Management System..          80 FR 9460-9465
                                                       75 FR 52749-52751
                                                       73 FR 33591-33634
FTC-II-13--Staff Time and Activity Reporting         * 73 FR 33591-33634
 (STAR) System.................................
FTC-III-1--Personnel Payroll System............          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-III-2--Travel Management System............      * 82 FR 50872-50882
FTC-III-3--Financial Management System.........          80 FR 9460-9465
                                                     * 73 FR 33591-33634
FTC-III-4--Automated Acquisitions System.......      * 73 FR 33591-33634
FTC-III-5--Employee Transportation Program           * 82 FR 50872-50882
 Records.......................................
FTC-IV-1--Consumer Information System..........          80 FR 9460-9465
                                                       74 FR 17863-17866
                                                     * 73 FR 33591-33634
FTC-IV-2--Miscellaneous Office Correspondence        * 73 FR 33591-33634
 Tracking System Records.......................
FTC-IV-3--National Do Not Call Registry System.        74 FR 17863-17866
FTC-V-1--Freedom of Information Act Requests         * 73 FR 33591-33634
 and Appeals...................................
FTC-V-2--Privacy Act Requests and Appeals......      * 82 FR 50872-50882
FTC-VI-1--Mailing and Contact Lists............      * 73 FR 33591-33634
FTC-VII-1--Automated Library Management System.      * 73 FR 33591-33634
FTC-VII-2--Employee Locator (STAFFID) System...          80 FR 9460-9465
                                                     * 73 FR 33591-33634
FTC-VII-3--Computer Systems User Identification          80 FR 9460-9465
 and Access Records............................        74 FR 17863-17866
FTC-VII-4--Call Detail Records.................          80 FR 9460-9465
                                                       74 FR 17863-17866
FTC-VII-5--Property Management System..........      * 73 FR 33591-33634
FTC-VII-6--Document Management and Retrieval         * 73 FR 33591-33634
 System........................................
FTC-VII-7--Information Technology Service                80 FR 9460-9465
 Ticket System.................................
FTC-VII-8--Administrative Service Call System..      * 73 FR 33591-33634
------------------------------------------------------------------------
\1\ An asterisk (*) designates the last full Federal Register notice
  that includes all of the elements that are required to be in a System
  of Records Notice.

Appendices Applicable to all FTC Systems

 
------------------------------------------------------------------------
Appendix I--Authorized Disclosures and Routine         73 FR 33591-33634
 Uses Applicable to All FTC Privacy Act Systems
 of Records....................................
Appendix II--How To Make A Privacy Act Request.        73 FR 33591-33634
Appendix III--Locations of FTC Buildings and             80 FR 9460-9465
 Regional Offices..............................
------------------------------------------------------------------------

    The Privacy Act authorizes the agency to adopt routine uses that 
are consistent with the purpose for which information is collected. 5 
U.S.C. 552a(b)(3); see also 5 U.S.C. 552a(a)(7).
    On June 8, 2007, in response to a recommendation by The President's 
Identity Theft Task Force \2\ and using model language issued by the 
Department of Justice, the FTC published a new routine use that allowed 
for disclosure of records to appropriate persons and entities for 
purposes of response and remedial efforts in the event of a breach of 
data contained in the protected systems. 72 FR 31835. This routine use, 
currently included in Appendix I, Authorized Disclosures and Routine 
Uses Applicable to All FTC Privacy Act Systems of Records, states as 
follows:

    \2\ See The President's Identity Theft Task Force Report 
(September 2008) at https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf.
---------------------------------------------------------------------------

    (22) May be disclosed to appropriate agencies, entities, and 
persons when: (a) The FTC suspects or has confirmed that the 
security or confidentiality of information in the system of records 
has been compromised; (b) the FTC has determined that as a result of 
the suspected or confirmed compromise there is a risk of harm to 
economic or property interests, identity theft or fraud, or harm to 
the security or integrity of this system or other systems or 
programs (whether maintained by the FTC or another agency or entity) 
that rely upon the compromised information; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary 
to assist in connection with the FTC's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy 
such harm.

    Since 2007, OMB has determined that agencies needed authority to 
make disclosures that go beyond those contemplated by the original 
routine use. Thus, in January 2017, OMB issued M-17-12, directing 
the Senior Agency Official for Privacy (SAOP) of each agency to include 
the following routine use in each of the agency's SORNs to facilitate 
the agency's response to a breach of its own records:

    To appropriate agencies, entities, and persons when (1) [the 
agency] suspects or has confirmed that there has been a breach of 
the system of records, (2) [the agency] has determined that as a 
result of the suspected or confirmed breach there is a risk of harm 
to individuals, [the agency] (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, 
and persons is reasonably necessary to assist in connection with 
[the agency's] efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.\3\

    \3\ Hereafter, this is referred to as the ``first proposed 
routine use.''
---------------------------------------------------------------------------

In M-17-12, OMB also directed the SAOP to ensure that agencies are able 
to disclose records in their systems of records that may reasonably be 
needed by another agency in responding to a breach by incorporating the 
following additional routine use into each of the agency's SORNs:

    To another Federal agency or Federal entity, when [the agency] 
determines that information from this system of records is 
reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the 
recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.\4\

    \4\ Hereafter, this is referred to as the ``second proposed 
routine use.''
---------------------------------------------------------------------------

    Although the first proposed routine use required by M-17-12 is very 
similar to the language of the FTC's original routine use as finalized 
in 2007, OMB's 2017 version more specifically addresses harm to 
individuals and expands the concept to make clear that it is not 
limited to identity theft or financial/property damage.
    With regard to the second proposed routine use, breaches affecting 
Federal personnel data have shown the need for an additional routine 
use that expressly allows an agency to disclose information from a 
system of records (e.g., current contact information for the agency's 
employees or other individuals) to another Federal agency when 
reasonably needed by that agency to respond to a breach (e.g., 
providing notice to the affected individuals), to take any other steps 
to prevent, minimize, or remedy the risk of harm to affected 
individuals or that agency's information systems, programs, or 
operations, and, if necessary, to address the broader risk of harm, if 
any, to the Federal Government or national security that may arise from 
the breach. The FTC's existing routine use, while allowing disclosure 
to other agencies, does so in the limited context of a breach of the 
FTC's own system(s) of records.
    For the reasons stated above, the FTC believes that it is 
compatible with the collection of information pertaining to individuals 
affected by a breach to disclose Privacy Act records about them when, 
in doing so, it will help prevent, minimize or remedy a data breach or 
compromise that may affect such individuals. By contrast, the FTC 
believes that failure to take reasonable steps to help prevent, 
minimize or remedy the harm that may result from such a breach or 
compromise would jeopardize, rather than promote, the privacy of such 
individuals. Accordingly, the Commission concludes that it is 
authorized under the Privacy Act to adopt the proposed and updated 
routine uses permitting disclosure of Privacy Act records for the 
purposes described above.
    In accordance with the Privacy Act, see 5 U.S.C. 552a(e)(4) and 
(11), the FTC is publishing notice of these routine uses and giving the 
public a 30-day period to comment before adopting them as final. The 
FTC has provided advance notice of this proposed system notice 
amendment to OMB and the Congress, as required by the Act, 5 U.S.C. 
552a(r), and OMB Circular A-108 (2016). As set forth below, the 
Commission proposes that the new routine uses become effective on the 
date noted earlier, unless the Commission amends or revokes the routine 
uses on the basis of any comments received.
    Accordingly, the FTC hereby proposes to amend Appendix I of its 
Privacy Act system notices, as published at 73 FR 33591, by revising 
item number (22), adding new item number (23), and re-designating the 
former item number (23) as (24) (without any other change) at the end 
of the existing routine uses set forth in that Appendix:
* * * * *
    (22) To appropriate agencies, entities, and persons when (a) the 
FTC suspects or has confirmed that there has been a breach of the 
system of records, (b) the FTC has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the FTC (including its information systems, programs, and operations), 
the Federal Government, or national security; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the FTC's efforts to respond to the suspected 
or confirmed breach or to prevent, minimize, or remedy such harm.
    (23) To another Federal agency or Federal entity, when the FTC 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    (24) May be disclosed to FTC contractors, volunteers, interns or 
other authorized individuals who have a need for the record in order to 
perform their officially assigned or designated duties for or on behalf 
of the FTC.

History

    73 FR 33591-33634 (June 12, 2008).

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-09333 Filed 5-2-18; 8:45 am]
BILLING CODE 6750-01-P