[Federal Register Volume 84, Number 131 (Tuesday, July 9, 2019)]
[Notices]
[Pages 32786-32789]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-14605]


=======================================================================
-----------------------------------------------------------------------

PENSION BENEFIT GUARANTY CORPORATION


Privacy Act of 1974; System of Records

AGENCY: Pension Benefit Guaranty Corporation.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: The Pension Benefit Guaranty Corporation (PBGC) is proposing 
the following changes to its system of records notices to establish a 
new system of records PBGC-26: PBGC Insider Threat and Data Loss 
Prevention. The new system of records will cover records about 
individuals,

[[Page 32787]]

retrieved by personal identifier, which are compiled and used by PBGC's 
Insider Threat and Data Loss Prevention teams, to administer PBGC's 
insider threat and data loss prevention programs. Because records in 
this system include investigatory material compiled for law enforcement 
purposes, elsewhere in this issue of the Federal Register PBGC has 
published a final rule to exempt this system of records from certain 
requirements of the Privacy Act. The system of records is more fully 
described in in the SUPPLEMENTARY INFORMATION section of this notice 
and in the System of Records Notice (SORN) published in this notice.

DATES: Comments must be received on or before August 8, 2019. The 
system of records described herein will become effective July 9, 2019, 
without further notice, unless comments result in a contrary 
determination and a notice is published to that effect.

ADDRESSES: You may submit written comments to PBGC by any of the 
following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the website instructions for submitting comments.
     Email: [email protected]. Refer to SORN in the subject 
line.
     Mail or Hand Delivery: Regulatory Affairs Division, Office 
of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K 
Street NW, Washington, DC 20005-4026.
    All submissions must include the agency's name (Pension Benefit 
Guaranty Corporation, or PBGC) and refer to ``SORN.'' All comments 
received will be posted without change to PBGC's website, www.pbgc.gov, 
including any personal information provided. Copies of comments may 
also be obtained by writing to Disclosure Division, Office of the 
General Counsel, Pension Benefit Guaranty Corporation, 1200 K Street 
NW, Washington, DC 20005-4026, or calling 202-326-4040 during normal 
business hours. (TTY users may call the Federal relay service toll-free 
at 1-800-877-8339 and ask to be connected to 202-326-4040.)

FOR FURTHER INFORMATION CONTACT: Margaret Drake, Chief Privacy Officer, 
Pension Benefit Guaranty Corporation, Office of the General Counsel, 
1200 K Street NW, Washington, DC 20005, 202-326-4400, extension 6435. 
For access to any of PBGC's system of records, contact D. Camilla 
Perry, Disclosure Officer, Office of the General Counsel, Disclosure 
Division, 1200 K Street NW, Washington DC 20005, or by calling 202-326-
4040.

SUPPLEMENTARY INFORMATION: PBGC is proposing to establish a new system 
of records titled, ``PBGC-26, PBGC Insider Threat and Data Loss 
Prevention--PBGC.'' Executive Order 13587, issued on October 7, 2011, 
mandated that agencies with classified networks establish insider 
threat programs. While PBGC does not have any classified networks, it 
does maintain a significant amount of Controlled Unclassified 
Information (CUI) that, under law, it is required to safeguard from 
unauthorized access or disclosure. One method utilized by PBGC to 
ensure that only those with a need-to-know have access to CUI is a set 
of tools to minimize data loss, whether inadvertent or intentional.
    Working from the Minimum Standards set forth in the Presidential 
Memorandum--National Insider Threat Policy and Minimum Standards for 
Executive Branch Insider Threat Programs (Nov. 21, 2012), PBGC is also 
establishing an Insider Threat Program. While PBGC is not legally 
mandated to deploy an insider threat program, the principles developed 
by the National Institute of Standards and Technology and the National 
Insider Threat Task Force ``can also be employed effectively to improve 
the security of Controlled Unclassified Information in non-national 
security systems.'' An ``insider'' is any individual authorized to 
access PBGC facilities, information, equipment, and systems. This 
includes Federal employees and contractors. An ``insider threat'' 
occurs when that individual exceeds their authorized access, 
intentionally or not, or uses information for an improper purpose, 
including, but not limited to, personal gain, which ``negatively 
affect[s] the confidentiality, integrity, or availability'' of PBGC 
data.
    The records that PBGC will compile to administer its data loss 
prevention and insider threat programs may be from any PBGC program, 
record, or source, and may contain records pertaining to information 
security, personnel security, or physical security. The records covered 
under PBGC-26,PBGC Insider Threat and Data Loss Prevention--PBGC, 
include investigatory material compiled for law enforcement purposes. 
Accordingly, PBGC has published a Final Rule in the Federal Register to 
exempt such material in the new system or record from certain 
requirements under the Privacy Act of 1974 (5 U.S.C. 552a), based on 
subsection (k)(2) of the Act.
    The collection and maintenance of these records is new. The 
implementation of this new system of records will be effective on July 
9, 2019.

    Issued in Washington, DC.
Gordon Hartogensis,
Director, Pension Benefit Guaranty Corporation.
SYSTEM NAME AND NUMBER
    PBGC--26: PBGC Insider Threat and Data Loss Prevention--PBGC

Security Classification
    Unclassified

System Location
    Pension Benefit Guaranty Corporation (PBGC), 1200 K Street NW, 
Washington, DC 20005. (Records may be kept at an additional location as 
backup for continuity of operations.)

System Manager(s) and Address
    Chief Information Officer, Office of Information Technology, PBGC, 
1200 K Street NW, Washington, DC 20005.

Authority for Maintenance of the System
    29 U.S.C. 1302(b)(3); 5 U.S.C. 301; 44 U.S.C. 3101; 44 U.S.C. 3554; 
Executive Order 13587, Structural Reforms To Improve the Security of 
Classified Networks and the Responsible Sharing and Safeguarding of 
Classified Information (Oct. 7, 2011); Presidential Memorandum--
National Insider Threat Policy and Minimum Standards for Executive 
Branch Insider Threat Programs (Nov. 21, 2012); Executive Orders 13488 
and 13467, as amended by 13764, To Modernize the Executive Branch-Wide 
Governance Structure and Processes for Security Clearances, Suitability 
and Fitness for Employment, and Credentialing, and Related Matters; 
Executive Order 3356, Controlled Unclassified Information (Nov. 4, 
2010); 5 CFR part 731; 5 CFR part 302; OMB Circular A-130 (July 28, 
2016); National Institute of Standards and Technology Special 
Publication 800-53.

Purpose(s) of the System
    The purpose of the system is to detect anomalous behavior by PBGC 
insiders and, as warranted, gather information from sources or existing 
PBGC systems of records to support an investigation of the incident.

Categories of Individuals Covered by the System
    The categories of individuals covered by this system are PBGC 
insiders, defined as any person with authorized access to any PBGC 
resource including facilities, information, equipment, networks, or 
systems.

Categories of Records in the System
A. The System Will Contain These Categories of Records
    Information collected through user activity monitoring, including

[[Page 32788]]

keystrokes, screen captures, and content transmitted via email, chat, 
or data import or export.
    Reports of investigation regarding security violations and privacy 
breaches, including incident reports; usernames and aliases, levels of 
network access, audit data, information regarding misuse of PBGC 
devices, information regarding unauthorized use of removable media, and 
logs of printer, copier, and facsimile machine use.
    Records relating to the management and operation of PBGC personnel 
and physical security, including information relating to continued 
eligibility for access to PBGC facilities, information, and information 
systems.
    Information identifying threats to PBGC personnel, property, 
facilities, and information; information obtained from the Department 
of Justice, the Federal Bureau of Investigation, or from other agencies 
or organizations about individuals known or suspected of being engaged 
in conduct constituting, preparing for, aiding, or relating to an 
insider threat, including espionage or unauthorized disclosure of 
personally identifiable information (PII).

B. The System May Include These Categories of Records
    Publicly available information, such as information regarding: 
Arrests and detentions; real property; bankruptcy; liens or holds on 
property; vehicles; licensure (including professional and pilot's 
licenses, firearms and explosive permits); business licenses and 
filings; and from social media.
    Reports furnished to the PBGC, or collected by PBGC, in connection 
with personnel security investigations and Insider Threat Detection 
Program operated by PBGC pursuant to Federal laws and Executive Orders, 
rules, regulations, guidance, and PBGC policies.
    Documentation pertaining to investigative or analytical efforts by 
PBGC Insider Threat Program Personnel to identify threats to PBGC 
personnel, property, facilities, and information.
    Intelligence reports and database query results relating to 
individuals covered by this system.

Record Source Categories
    To monitor for, identify, and respond to potential insider threats, 
information in the system will be received on an as needed basis from 
PBGC employees, contractors, vendors, interns, and detailees; officials 
from other foreign, federal, tribal, state, and local government 
agencies and organizations; non-government, commercial, public, and 
private agencies and organizations; complainants, informants, suspects, 
and witnesses; and from relevant records, including counterintelligence 
and security databases and files; personnel security databases and 
files; PBGC human resources databases and files; PBGC contractor files; 
PBGC's Office of Information Technology; information collected through 
user activity monitoring; PBGC telephone usage records; federal, state, 
tribal, territorial, and local law enforcement and investigatory 
records; Inspector General records; available U.S. Government 
intelligence and counterintelligence reporting information and analytic 
products pertaining to adversarial threats; other Federal agencies; and 
publicly available information.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses
    Information about covered individuals may be disclosed without 
consent as permitted by the Privacy Act of 1974, 5 U.S.C. 522a(b), and:
    1. General Routine Uses G1 through G14 apply to this system of 
records (see Prefatory Statement of General Routine Uses).
    2. Records may be disclosed to any person, organization, or 
governmental entity in order to notify them of a serious threat for the 
purpose of guarding against or responding to the threat.
    3. Records may be disclosed to a federal, state, or local agency, 
or other appropriate entities or individuals, or through established 
liaison channels to selected foreign governments, in order to enable 
the intelligence agency with the relevant authority and responsibility 
for the matter to carry out its responsibilities under the National 
Security Act of 1947 as amended, the CIA act of 1949 as emended, 
Executive Order 12333 or any successor order, applicable national 
security directives, or classified implementing procedures approved by 
the Attorney General and promulgated pursuant to such statutes, orders 
or directives.
    4. Records may be disclosed to the U.S. Department of Homeland 
Security (DHS) if captured in an intrusion detection system used by 
PBGC and DHS pursuant to a DHS cybersecurity program that monitors 
internet traffic to and from federal government computer networks to 
prevent a variety of types of cybersecurity incidents.

Policies and Practices for Storage of Records
    Records are maintained in electronic form (including computer 
databases or discs). Records may also be maintained on back-up tapes, 
or on a PBGC or a contractor-hosted network.

Policies and Practices for Retrieval of Records
    Information from this system may be retrieved by numerous data 
elements and key word searches, including, but not limited to name, 
dates, subject, and other information retrievable with full text 
searching capability.

Administrative, Technical, and Physical Safeguards
    PBGC has established security and privacy protocols that meet the 
required security and privacy standards issued by the National 
Institute of Standards and Technology (NIST). Records are maintained in 
a secure, password protected electronic system that utilizes security 
hardware and software to include multiple firewalls, active intruder 
detection, and role-based access controls. PBGC has adopted appropriate 
administrative, technical, and physical controls in accordance with 
PBGC's security program to protect the confidentiality, integrity, and 
availability of the information, and to ensure that records are not 
disclosed to or accessed by unauthorized individuals.
    Electronic records are stored on computer networks, which may 
include cloud-based systems, and protected by controlled access with 
Personal Identity Verification (PIV) cards, assigning user accounts to 
individuals needing access to the records and by passwords set by 
authorized users that must be changed periodically.

Policies and Practices for Retention and Disposal of Records
    The records in this system of records are covered by National 
Archives and Records Administration General Records Schedule 5.6, items 
210, 220, 230, and 240.

Record Access Procedures
    Individuals, or third parties with written authorization from the 
individual, wishing to request access to their records in accordance 
with 29 CFR 4902.4, should submit a written request to the Disclosure 
Officer, PBGC, 1200 K Street NW, Washington, DC 20005, providing their 
name, address, date of birth, and verification of their identity in 
accordance with 29 CFR 4902.3(c).

Contesting Record Procedures
    Individuals, or third parties with written authorization from the 
individual, wishing to amend their records must submit a written 
request identifying the information they wish to correct in their file, 
in addition to

[[Page 32789]]

following the requirements of the Record Access Procedure above.

Notification Procedures
    Individuals, or third parties with written authorization from the 
individual, wishing to learn whether this system of records contains 
information about them should submit a written request to the 
Disclosure Officer, PBGC, 1200 K Street NW, Washington, DC 20005, 
providing their name, address, date of birth, and verification of their 
identity in accordance with 29 CFR 4902.3(c).

Exemptions Promulgated for the System
    Pursuant to 5 U.S.C. 552a(k)(2), PBGC has established regulations 
at 29 CFR 4902.12 that exempt records in this system depending on their 
purpose.

History
    None.

[FR Doc. 2019-14605 Filed 7-8-19; 8:45 am]
BILLING CODE 7709-02-P