[Federal Register Volume 86, Number 78 (Monday, April 26, 2021)]
[Rules and Regulations]
[Pages 21933-21935]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-06823]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Office of the Secretary

15 CFR Part 4

[Docket No. 210329-0073]
RIN 0605-AA49


Social Security Number Fraud Prevention Act of 2017 
Implementation

AGENCY: Office of the Secretary, Department of Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule revises the Department of Commerce 
(Department) regulations under the Freedom of Information Act (FOIA) 
and the Privacy Act. The revisions clarify and update the language of 
procedural requirements pertaining to the inclusion of Social Security 
account numbers on documents that the Department sends by mail. These 
revisions are necessary to implement the Social Security Number Fraud 
Prevention Act of 2017 (the Act), which restricts the inclusion of 
Social Security numbers (SSNs) on documents sent by mail by the Federal 
government.

DATES: Effective May 26, 2021.

ADDRESSES: Departmental Privacy Act Officer, Office of Privacy and Open 
Government, Department of Commerce, 1401 Constitution Ave. NW, Mail 
Stop 61025, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Departmental Privacy Act Officer, 
Office of Privacy and Open Government, Department of Commerce, (202) 
482-1190, [email protected].

SUPPLEMENTARY INFORMATION: 

Background

    The Act (Pub. L. 115-59; 42 U.S.C. 405 note), which was signed on 
September 15, 2017, restricts Federal agencies from including 
individuals' SSNs on documents sent by mail, unless the head of the 
agency determines that the inclusion of the SSN on the document is 
necessary (section 2(a) of the Act). The Act requires agency heads to 
issue regulations specifying the circumstances under which inclusion of 
a SSN on a document sent by mail is necessary. These regulations, which 
must be issued not later than five years after the date of enactment, 
shall include instructions for the partial redaction of SSNs where 
feasible, and shall require that SSNs not be 
visible on the outside of any package sent by mail (section 2(b) of the 
Act). This final rule revises the Department regulations under FOIA 
(subpart A, 15 CFR part 4) and the Privacy Act (subpart B, 15 CFR part 
4), consistent with these requirements in the Act. This final rule also 
clarifies the language of procedural requirements pertaining to the 
inclusion of SSNs on documents that the Department sends by mail; makes 
clarifying updates by changing the term ``Privacy Officer'' to 
``Privacy Act Officer'' where it occurs in Subpart B of 15 CFR part 4, 
and by changing the term ``FOI Officer'' to ``FOIA Officer'' in several 
places in Appendix B; and updates an office name by changing the 
phrase ``Assistant General Counsel for Employment, Litigation, and 
Oversight'' to ``Assistant General Counsel for Employment, Litigation, 
and Information'' where it occurs in part 4.

Comments on the Proposed Rule

    The Office of the Secretary received four general comments on the 
proposed rule from members of the public. The comments on the proposed 
rule can be viewed and downloaded at the following link: https://www.regulations.gov/document/DOC-2020-0001-0001. No changes have been 
made to the regulatory text of the proposed rule in response to these 
four comments. The following are our responses to the comments.
    Comment 1: I haven't received my stimulus check. I want to check my 
information and update my information.
    Response: This comment is not addressed, as it is not within the 
scope of this action to amend the Department's regulations in order to 
implement the Act.
    Comment 2: Noting concerns about fraud and criminal activity, a 
commenter stated that SSNs should be allowed to be used only for social 
security. The commenter stated that a company wanting to do business 
with you should assign an account number to serve as your 
identification, rather than request and use your personal information, 
including your SSN, and that this needs to be put into law.
    Response: The Act is a law that restricts the inclusion of SSNs on 
Federal documents sent by mail. This final rule implements the Act by 
making changes to the Department's regulations, which state that the 
collection of SSNs on Federal documents by mail must be required or 
authorized by law, or must be deemed by the agency to be necessary for 
fulfilling a compelling business need of the agency. To the extent that 
this comment addresses the enactment of laws or the conduct of 
businesses and other entities, the comment is not applicable to this 
action amending the Department's regulations.
    Comment 3: Noting concerns about privacy and potential identity 
theft, another commenter agreed with the proposed rule, but requested 
the listing out of specific circumstances in which the inclusion of a 
SSN on a document is necessary. The commenter stated that the SSN 
should not appear on any document, because ensuring that the SSN does 
not appear on the envelope is not enough to guarantee that the 
information will not be stolen. The commenter also asked why the Act 
allows a five-year period for implementation, and noted that the Act 
should be implemented sooner.
    Response: The Department has policies and procedures in place for 
justifying the collections, maintenance, and uses of SSNs, as well as 
for maintaining an inventory of forms collecting SSNs, and for 
safeguarding the SSNs. The Department also has policies and procedures 
in place for eliminating the unnecessary collections, maintenance, and 
uses of SSNs. The Act requires Federal agencies with Chief Financial 
Officers to issue regulations, and the rationale for such 
determination, not later than five years after enactment. We note that 
the question regarding the Congress' reasons for including a five-year 
implementation period in the Act is beyond the scope of this final 
rule. However, this final rule will fully implement the Act's 
requirements in advance of the prescribed statutory five-year period.
    Comment 4: One commenter stated that protecting Americans' 
identities needs to be a high concern of the United States government. 
With the advancement of technology, it is becoming easier for 
individuals to engage in identity fraud through SSNs. Therefore, the 
SSN should not be sent by the Federal government through mail. Many 
citizens are awaiting their stimulus checks, and criminals may be 
looking to steal checks that are mailed.
    Response: The Act requires Federal agencies with Chief Financial 
Officers to issue regulations specifying the circumstances under which 
the inclusion of the SSN is necessary on a mailed document. The 
regulations must include instructions for partial redaction of the SSN 
where feasible and a requirement that the SSN not be visible on the 
outside of any mail. The Department has policies and procedures in 
place for eliminating the unnecessary collections, maintenance, and 
uses of SSNs. The comment regarding the potential theft of stimulus 
checks is not addressed, as it is not within the scope of this action 
to amend the Department's regulations in order to implement the Act.

Changes Between the Proposed Rule and Final Rule

    This final rule makes no changes to the regulatory text of the 
proposed rule.

Classification

    This final rule has been determined to be not significant for 
purposes of review under Executive Order 12866. In accordance with the 
Regulatory Flexibility Act (5 U.S.C. 605(b)), the Chief Counsel for 
Regulation has reviewed this rule and certified that this regulation, 
if implemented, will not have a significant economic impact on a 
substantial number of small entities. This rule is largely procedural 
in nature, and, therefore, will not affect requesters. This regulation 
does not contain a collection of information as defined by the 
Paperwork Reduction Act, 44 U.S.C. 3501, et seq.

List of Subjects in 15 CFR Part 4

    Appeals, Freedom of Information Act, Information, Privacy, Privacy 
Act.

Jennifer Goode,
Acting Director and Deputy Director of Open Government, and 
Departmental Privacy Officer.

    For the reasons stated in the preamble, the Department of Commerce 
amends Subparts A and B of 15 CFR part 4 as follows:

PART 4--DISCLOSURE OF GOVERNMENT INFORMATION

1. The authority citation for part 4 continues to read as follows:

    Authority:  5 U.S.C. 301; 5 U.S.C. 552; 5 U.S.C. 552a; 5 U.S.C. 
553; 31 U.S.C. 3717; 44 U.S.C. 3101; Reorganization Plan No. 5 of 
1950; Pub. L. 115-59, 131 Stat. 1152 (42 U.S.C. 405, note).

Subpart A--Freedom of Information Act

2. In Sec.  4.7, add paragraph (d) to read as follows:


Sec.  4.7  Responses to Requests.

* * * * *
    (d) All responses shall be made subject to the provisions of Sec.  
4.25(b)(2)(iv).
* * * * *

Subpart B--Privacy Act

3. Amend subpart B by removing the words ``Privacy Officer'' wherever 
they appear and adding in their place the words ``Privacy Act Officer''.

4. Amend Sec.  4.22 by adding paragraph (b)(10) to read as follows:


Sec.  4.22  Definitions.

* * * * *
    (b) * * *
    (10) Un-redacted SSN Mailed Documents Listing (USMDL) means the 
Department approved list, as posted at www.commerce.gov/privacy, 
designating those documents for which the inclusion of SSN is 
determined to be necessary to fulfill a compelling Department business 
need when the documents are requested by individuals outside the 
Department or other Federal agencies, as determined jointly by the 
Senior Agency Official for Privacy and the Departmental Privacy Act 
Officer.

5. Amend Sec.  4.25 by:
a. Adding paragraphs (a)(3) and (4); and
b. Revising paragraph (b)(2)(iii) and adding paragraphs (b)(2)(iv) and 
(v).
    The additions and revisions read as follows:


Sec.  4.25  Disclosure of requested records to individuals [Amended]

    (a) * * *
    (3) Inclusion of SSNs on responsive documents.
    (i) The Department shall redact SSNs from responsive documents 
provided to requesters where feasible. Where full redaction is not 
feasible, partial redaction to create a truncated SSN shall be 
preferred to no redaction. The following conditions must be met for the 
inclusion of an unredacted (full) SSN or partially redacted (truncated) 
SSN on a responsive document:
    (ii) The inclusion of the full SSN or truncated SSN of an 
individual must be required or authorized by law,
    (iii) The inclusion of the full SSN or truncated SSN of an 
individual must be determined by the Senior Agency Official for Privacy 
and Departmental Privacy Act Officer to be necessary to fulfill a 
compelling Department business need; and
    (iv) The full SSN of an individual may be included only on 
documents listed on the USMDL.
    (4) The following requirements apply when the Department mails or 
delivers responsive documents containing SSNs or truncated SSNs:
    (i) The full SSN of an individual may be included only on documents 
listed on the USMDL.
    (ii) For documents that are listed on the USMDL and that include 
the full SSN of an individual, the signature of the recipient is 
required upon delivery.
    (iii) For documents that include the truncated form of the SSN of 
an individual, the signature of the recipient is required upon 
delivery.
    (iv) The full SSN, the truncated SSN, or any part of the SSN of an 
individual must not be visible from the outside of the envelope or 
package.
    (b) * * *
    (2) * * *
    (iii) Copies of documents may be mailed at the request of the 
individual and may be subject to payment of the fees prescribed in 
Sec. Sec.  4.25(a)(3) and 4.31. In the event that the Department, at 
its own initiative, elects to provide a copy by mail, no fee will be 
charged to the individual.
    (iv) Copies of documents listed on the USMDL that include full SSNs 
and that are requested by an individual are subject to payment of the 
fees prescribed in Sec.  4.31.
    (v) Documents containing SSNs or truncated SSNs that are required 
to be returned by the individual to the Department will be mailed or 
delivered along with a prepaid mail or delivery service envelope at the 
expense of the Department.
* * * * *

Appendix B to Part 4 [Amended]

6. Amend Appendix B to part 4 by:
a. Adding the word ``Act'' after the phrase ``Freedom of Information'' 
wherever it appears in the introductory text, under ``Office of the 
Secretary,'' and under ``Assistant Secretary for Administration''; and
b. Adding a semicolon after the term ``Office of Privacy and Open 
Government: Director''.

[FR Doc. 2021-06823 Filed 4-23-21; 8:45 am]