[Federal Register Volume 84, Number 131 (Tuesday, July 9, 2019)]
[Rules and Regulations]
[Pages 32618-32619]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14604]


=======================================================================
-----------------------------------------------------------------------

PENSION BENEFIT GUARANTY CORPORATION

29 CFR Part 4902


Privacy Act Regulation; Exemption for Insider Threat Program 
Records

AGENCY: Pension Benefit Guaranty Corporation.

ACTION: Interim final rule; request for comments.

-----------------------------------------------------------------------

SUMMARY: The Pension Benefit Guaranty Corporation is amending its 
Privacy Act regulation to exempt a system of records that supports a 
program of insider threat detection and data loss prevention.

DATES: 
    Effective date: This interim final rule is effective on July 9, 
2019.
    Comment date: Comments must be received on or before August 8, 2019 
to be assured of consideration.

ADDRESSES: Comments may be submitted by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the online instructions for submitting comments.
     Email: [email protected].
     Mail or Hand Delivery: Regulatory Affairs Division, Office 
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K 
Street NW, Washington, DC 20005-4026.
    All submissions must include the agency's name (Pension Benefit 
Guaranty Corporation, or PBGC) and title for this rulemaking (Privacy 
Act Regulation; Exemption for Insider Threat Program Records). Comments 
received will be posted without change to PBGC's website, http://www.pbgc.gov, including any personal information provided. Copies of 
comments may also be obtained by writing to Disclosure Division, Office 
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K 
Street NW, Washington, DC 20005-4026, or calling 202-326-4040 during 
normal business hours. TTY users may call the Federal relay service 
toll-free at 800-877-8339 and ask to be connected to 202-326-4040.

FOR FURTHER INFORMATION CONTACT: Melissa Rifkin 
([email protected]), Attorney, Regulatory Affairs Division, 
Office of the General Counsel, Pension Benefit Guaranty Corporation, 
1200 K Street NW, Washington, DC 20005-4026; 202-326-4400, extension 
6563; Margaret Drake ([email protected]), Chief Privacy Officer, 
Office of the General Counsel, 202-326-4400, extension 6435. (TTY users 
may call the Federal relay service toll-free at 800-877-8339 and ask to 
be connected to 202-326-4400, extension 6563.)

SUPPLEMENTARY INFORMATION:

Executive Summary

    This rule amends PBGC's regulation on Disclosure and Amendment of 
Records Pertaining to Individuals under the Privacy Act (29 CFR part 
4902) to exempt from disclosure information contained in a new system 
of records for PBGC's insider threat program. The exemption is needed 
because records in this system include investigatory material compiled 
for law enforcement purposes.
    Authority for this rule is provided by section 4002(b)(3) of the 
Employee Retirement Income Security Act of 1974 (ERISA) and 5 U.S.C. 
552a(k)(2).

Background

    The Pension Benefit Guaranty Corporation (PBGC) administers the 
pension plan insurance programs under title IV of the Employee 
Retirement Income Security Act of 1974 (ERISA). As a Federal agency, 
PBGC is subject to the Privacy Act of 1974, 5 U.S.C. 552a (Privacy 
Act), in its collection, maintenance, use, and dissemination of any 
personally identifiable information that it maintains in a ``system of 
records.'' A system of records is defined under the Privacy Act as ``a 
group of any records under the control of any agency from which 
information is retrieved by the name of the individual or by some 
identifying number, symbol, or other identifying particular assigned to 
the individual.'' \1\
---------------------------------------------------------------------------

    \1\ See 5 U.S.C. 552a(a)(5).
---------------------------------------------------------------------------

    PBGC is proposing to establish a new system of records, ``PBGC-26, 
PBGC Insider Threat and Data Loss Prevention--PBGC.'' This system of 
records is published in the ``Notice'' section of this issue of the 
Federal Register.
    Executive Order 13587, issued October 7, 2011, requires Federal 
agencies to establish an insider threat detection and prevention 
program to ensure the security of classified networks and the 
responsible sharing and safeguarding of classified information 
consistent with appropriate protections for privacy and civil 
liberties. While PBGC does not have any classified networks, it does 
maintain a significant amount of Controlled Unclassified Information 
(CUI) that, under law, it is required to safeguard from unauthorized 
access or disclosure. One method utilized by PBGC to ensure that only 
those with a need-to-know have access to CUI is a set of tools to 
minimize data loss, whether inadvertent or intentional. This system 
will collect and maintain Personally Identifiable Information (PII) in 
the course of scanning traffic leaving PBGC's network and blocking 
traffic that violates PBGC's policies to safeguard PII.
    This system covers ``PBGC insiders,'' who are individuals with 
access to PBGC resources, including facilities, information, equipment, 
networks, and systems. This includes Federal employees and contractors. 
Records from this system will be used on a need-to-know basis to manage 
insider threat matters; facilitate insider 
threat investigations and activities; identify threats to PBGC 
resources, including threats to PBGC's personnel, facilities, and 
information assets; track tips and referrals of potential insider 
threats to internal and external partners; meet other insider threat 
program requirements; and investigate/manage the unauthorized or 
attempted unauthorized disclosure of PII.

Exemption

    Under section 552a(k) of the Privacy Act, PBGC may promulgate 
regulations exempting information contained in certain systems of 
records from specified sections of the Privacy Act including the 
section mandating disclosure of information to an individual who has 
requested it. Among other systems, PBGC may exempt a system that is 
``investigatory material compiled for law enforcement purposes.'' \2\ 
Under this provision, PBGC has exempted, in Sec.  4209.11 of its 
Privacy Act regulation, records of the investigations conducted by its 
Inspector General and contained in a system of records entitled ``PBGC-
17, Office of Inspector General Investigative File System--PBGC.''
---------------------------------------------------------------------------

    \2\ See 5 U.S.C. 552a(k)(2).
---------------------------------------------------------------------------

    The PBGC-26, PBGC Insider Threat and Data Loss Prevention--PBGC 
system contains: (1) Records derived from PBGC security investigations, 
(2) summaries or reports containing information about potential insider 
threats or the data loss prevention program, (3) information related to 
investigative or analytical efforts by PBGC insider threat program 
personnel, (4) reports about potential insider threats obtained through 
the management and operation of the PBGC insider threat program, and 
(5) reports about potential insider threats obtained from other Federal 
Government sources. The records contained in this new system include 
investigative material of actual, potential, or alleged criminal, 
civil, or administrative violations and law enforcement actions. These 
records are within the material permitted to be exempted under section 
552a(k)(2) of the Privacy Act.
    PBGC is amending its Privacy Act regulation to add a new Sec.  
4902.12 that exempts PBGC-26, PBGC Insider Threat and Data Loss 
Prevention--PBGC, from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), 
(H), and (I) and (f). Exemption from these sections of the Privacy Act 
means that, with respect to records in the system, PBGC will not be 
required to: (1) Disclose records to an individual upon request, (2) 
keep an accounting of individuals who request records, (3) maintain 
only records as necessary to accomplish an agency purpose, or (4) 
publish notice of certain revisions of the system of records.

Compliance With Rulemaking Guidelines

    This is a rule of ``agency organization, procedure, or practice'' 
and is limited to ``agency organization, management, or personnel 
matters.'' The exemption from provisions of the Privacy Act provided by 
the interim final rule affects only PBGC insiders described above. 
Accordingly, this rule is exempt from notice and public comment 
requirements under 5 U.S.C. 553(b) and the requirements of Executive 
Order 12866 and Executive Order 13771.\3\ Because no general notice of 
proposed rulemaking is required, the Regulatory Flexibility Act does 
not apply to this rule. See 5 U.S.C. 601(2), 603, 604.
---------------------------------------------------------------------------

    \3\ See section 3(d)(3) of Executive Order 12866 and section 
4(b) of Executive Order 13771.
---------------------------------------------------------------------------

    PBGC finds good cause exists for making the amendments set forth in 
this interim final rule effective less than 30 days after publication 
because the amendments support PBGC's new system of records for insider 
threat detection and data loss prevention, which is effective July 9, 
2019.

List of Subjects in 29 CFR Part 4902

    Privacy.

    In consideration of the foregoing, PBGC is amending 29 CFR part 
4902 as follows:

PART 4902--DISCLOSURE AND AMENDMENT OF RECORDS PERTAINING TO 
INDIVIDUALS UNDER THE PRIVACY ACT

1. The authority citation for part 4902 is revised to read as follows:

    Authority: 5 U.S.C. 552a, 29 U.S.C. 1302(b)(3).


Sec.  4902.1   [Amended]

2. Amend Sec.  4902.1(d) by removing ``4902.11'' and adding in its 
place ``4902.12''.


Sec.  4902.12  [Redesignated as Sec.  4902.13]

3. Redesignate Sec.  4902.12 as Sec.  4902.13.

4. Add new Sec.  4902.12 to read as follows:


Sec.  4902.12   Specific exemptions: Insider Threat and Data Loss 
Prevention.

    (a) Other law enforcement--(1) Exemption. Under the authority 
granted by 5 U.S.C. 552a(k)(2), PBGC hereby exempts the system of 
records entitled ``PBGC-26, PBGC Insider Threat and Data Loss 
Prevention--PBGC'' from the provisions of 5 U.S.C. 552a(c)(3), (d), 
(e)(1), (e)(4)(G), (H), and (I) and (f).
    (2) Reasons for exemption. The reasons for asserting the exemption 
in this section are because the disclosure and other requirements of 
the Privacy Act could substantially compromise the efficacy and 
integrity of PBGC's ability to investigate insider threat activities 
and the improper exfiltration of personally identifiable information. 
Disclosure could invade the privacy of other individuals and disclose 
their identity when they were expressly promised confidentiality. 
Disclosure could interfere with the integrity of information which 
would otherwise be subject to privileges, see, e.g., 5 U.S.C. 
552(b)(5), and which could interfere with other important law 
enforcement concerns, see, e.g., 5 U.S.C. 552(b)(7).
    (b) [Reserved]

    Issued in Washington, DC.
Gordon Hartogensis,
Director, Pension Benefit Guaranty Corporation.
[FR Doc. 2019-14604 Filed 7-8-19; 8:45 am]
BILLING CODE 7709-02-P