[Federal Register Volume 88, Number 97 (Friday, May 19, 2023)]
[Rules and Regulations]
[Pages 32138-32140]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-10279]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

41 CFR Part 105-64

[GSPMR Case 2022-105-1; Docket No. GSA-GSPMR-2022-0017; Sequence No. 1]
RIN 3090-AK62


Enterprise Data & Privacy Management Office (IDE); Social 
Security Number Fraud Prevention

AGENCY: Enterprise Data & Privacy Management Office (IDE), General 
Services Administration (GSA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: GSA is issuing a final rule amending our Privacy Act Rules to 
implement the Social Security Number Fraud Prevention Act of 2017. The 
revisions would clarify and update the language of procedural 
requirements pertaining to the inclusion of Social Security account 
numbers (SSNs) on documents that GSA sends by mail.

DATES: Effective June 20, 2023.

FOR FURTHER INFORMATION CONTACT: Mr. Richard Speidel, Chief Privacy 
Officer (General Services Administration), Enterprise Data & Privacy 
Management Office (IDE). Email address for the GSA Privacy Office is 
[email protected]. Telephone number is 202-969-5830 for 
clarification of content. For information pertaining to status or 
publication schedules, contact the Regulatory Secretariat Division at 
202-501-4755 or [email protected]. Please cite GSPMR Case 2022-105-1.

SUPPLEMENTARY INFORMATION: 

I. Background

    GSA is issuing a final rule amending 41 CFR part 105-64, GSA 
Privacy Act Rules, to implement the Social Security Number Fraud 
Prevention Act of 2017. The proposed rule was published on October 7, 
2022, at 87 FR 60955.
    The Social Security Number Fraud Prevention Act of 2017 (the Act) 
(Pub. L. 115-59; 42 U.S.C. 405 note), which was signed on September 15, 
2017, restricts Federal agencies from including individuals' SSNs on 
documents sent by mail, unless the head of the agency determines that 
the inclusion of the SSN on the document is necessary (section 2(a) of 
the Act). The Act requires agency heads to issue regulations specifying 
the circumstances under which inclusion of a SSN on a document sent by 
mail is necessary. These regulations, which must be issued not later 
than five years after the date of enactment, shall include instructions 
for the partial redaction of SSNs where feasible, and shall require 
that SSNs not be visible on the outside of any package sent by mail 
(section 2(b) of the Act). This rule would revise the Agency 
regulations under the Privacy Act (41 CFR part 105-64), consistent with 
these requirements in the Act. The rule would clarify the language of 
procedural requirements pertaining to the inclusion of SSNs on 
documents that the Agency sends by mail. These revisions are necessary 
to implement the Social Security Number Fraud Prevention Act of 2017, 
which restricts the inclusion of Social Security account numbers (SSNs) 
on documents sent by mail by the Federal Government.

II. Discussion of the Final Rule

A. Summary of Significant Changes

    There are no significant changes, as the comments were supportive 
of the rule. GSA did change the regulatory text from the published 
proposed rule, but the changes are not substantive (merely reorganizing 
the prior content for readability and to avoid redundancy).

B. Analysis of Public Comments

    GSA received two (2) comments from the public. GSA acknowledges the 
respondents' support for the rule. GSA did not change the regulatory 
text of the definition from the published proposed rule.
    Comment: The proposed amendment by GSA is positively impacting US 
citizens' information security by protecting their personal 
information, specifically their social security number. This rule 
defines the requirement to not include a social security number unless 
determined necessary by the head of the agency. However, clarification 
is required on the process to obtain a determination by the head of the 
agency such that there is not an increased burden on business to 
understand this process. In addition, the rule states that social 
security numbers can only be included if required by law. It is in the 
best interest of the people to identify which laws would require this 
information and validate that is still true. In general, this rule 
provides minimal economic impact to the people, provides increased 
information security and we are in support if the above items are 
clarified in the documentation. If no such clarification is provided, 
it could lead to confusion and economic impact for businesses trying to 
follow the rule. Finally, cyber security should be as important as mail 
fraud and this rule should also apply to electronic transmission of 
documents with social security numbers. As a US citizen I recommend 
applying this in both written and electronic communication since the 
fraud of my identity could mean substantial harm financially and 
emotionally for myself.
    Response: Although the Comment requests more clarity around the 
process for determining which documents are on the Un-redacted SSN 
Mailed Document List, GSA finds that the rule as written provides 
appropriate flexibility to arrive at a list in implementation of the 
statute while involving necessary agency stakeholders such as GSA-IT 
and GSA Office of the General Counsel (OGC). Subsequent to the posting 
of the final rule, GSA intends to make available on the GSA publicly 
facing privacy page (www.gsa.gov/reference/gsa-privacy-program) the 
specific documents for which the inclusion of the Social Security 
account number (SSN) is determined to be necessary to fulfill a 
compelling Agency business need. GSA will review on a regular basis the 
laws and authorities that would require an un-redacted social security 
number on mailed documents. GSA handles the transmission of electronic 
documents in accordance with the Privacy Act.
    Comment: The proposed rule will provide members of government 
agencies with greater clarity. I believe providing a clear 
understanding pertaining to the inclusion of full Social Security 
numbers on documents sent via U.S. mail will provide confidence in 
senders and receivers of these correspondences. Many Americans have 
been victims of identity theft, the steps and feelings involved in the 
process are uncomforting and time consuming. After reviewing the 
proposed standards for agencies to follow I believe they are easy to 
comprehend and leave little room for question. I thank you for 
investing time and efforts into this proposed rule.
    Response: GSA acknowledges this comment.

C. Expected Cost Impact to the Public

    GSA does not expect the final rule to have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. This rule does 
not impose a requirement for small businesses to report or keep records 
on any of the requirements contained in this rule.

III. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
OIRA has determined that this is not a significant regulatory action 
and, therefore, was not subject to review under Section 6(b) of 
Executive Order 12866, Regulatory Planning and Review, dated September 
30, 1993.

IV. Congressional Review Act

    OIRA has determined that this rule is not a ``major rule'' as 
defined by 5 U.S.C. 804(2). Subtitle E of the Small Business Regulatory 
Enforcement Fairness Act of 1996 (codified at 5 U.S.C. 801-808), also 
known as the Congressional Review Act or CRA, generally provides that 
before a ``major rule'' may take effect, the agency promulgating the 
rule must submit a rule report, which includes a copy of the rule, to 
each House of the Congress and to the Comptroller General of the United 
States. The General Services Administration will submit a report 
containing this rule and other required information to the U.S. Senate, 
the U.S. House of Representatives, and the Comptroller General of the 
United States. A major rule under the CRA cannot take effect until 60 
days after it is published in the Federal Register.

V. Regulatory Flexibility Act

    This final rule will not have a significant economic impact on a 
substantial number of small entities within the meaning of the 
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. This rule does not 
impose a requirement for small businesses to report or keep records on 
any of the requirements contained in this rule. Therefore, a Final 
Regulatory Flexibility Analysis has not been performed.

VI. The Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the GSPMR do not impose recordkeeping or information collection 
requirements, or the collection of information 
from offerors, contractors, or members of the public that require the 
approval of the Office of Management and Budget (OMB) under 44 U.S.C. 
3501, et seq.

List of Subjects in 41 CFR Part 105-64

    Privacy.

Robin Carnahan,
Administrator, General Services Administration.

    For the reasons set forth in the preamble, GSA amends 41 CFR part 
105-64 as set forth below:

PART 105-64--GSA PRIVACY ACT RULES

1. The authority citation for 41 CFR part 105-64 continues to read as 
follows:

    Authority:  5 U.S.C. 552a.


2. Amend Sec.  105-64.001 by adding in alphabetical order the 
definition ``Un-redacted SSN Mailed Documents Listing'' to read as 
follows:


Sec.  105-64.001  What terms are defined in this part?

* * * * *
    Un-redacted SSN Mailed Documents Listing (USMDL) means the Agency 
approved list, as posted at www.gsa.gov/reference/gsa-privacy-program, 
designating those documents for which the inclusion of the Social 
Security account number (SSN) is determined to be necessary to fulfill 
a compelling Agency business need when the documents are requested by 
individuals outside the Agency or other Federal agencies, as determined 
by the Administrator or their designee.

3. Amend Sec.  105-64.107 by adding paragraph (c) to read as follows:


Sec.  105-64.107  What standards of conduct apply to employees with 
privacy-related responsibilities?

* * * * *
    (c) (1) The following conditions must be met for the inclusion of 
an unredacted (full) SSN or partially redacted (truncated) SSN on any 
document sent by mail on behalf of the agency:
    (i) The inclusion of the full SSN or truncated SSN of an individual 
must be required or authorized by law; and
    (ii) The document must be listed on the USMDL.
    (2) Even when the conditions set forth in paragraph (c)(1) are met, 
employees shall redact SSNs in all documents sent by mail where 
feasible. Where full redaction is not possible due to agency 
requirements, partial redaction to create a truncated SSN shall be 
preferred to no redaction.
    (3) In no case shall any complete or partial SSN be visible on the 
outside of any envelope or package sent by mail or displayed on 
correspondence that is visible through the window of an envelope or 
package.

[FR Doc. 2023-10279 Filed 5-18-23; 8:45 am]