[Federal Register Volume 89, Number 72 (Friday, April 12, 2024)]
[Rules and Regulations]
[Pages 25749-25750]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-07750]



 ========================================================================
 Rules and Regulations
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains regulatory documents 
 having general applicability and legal effect, most of which are keyed 
 to and codified in the Code of Federal Regulations, which is published 
 under 50 titles pursuant to 44 U.S.C. 1510.
 
 The Code of Federal Regulations is sold by the Superintendent of Documents. 
 
 ========================================================================
 

  Federal Register / Vol. 89, No. 72 / Friday, April 12, 2024 / Rules 
and Regulations  

[[Page 25749]]



OFFICE OF PERSONNEL MANAGEMENT

5 CFR Part 297

[Docket ID: OPM-2023-0035]
RIN 3206-AO16


Social Security Number Fraud Prevention Act Requirements

AGENCY: Office of Personnel Management.

ACTION: Direct final rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Personnel Management (OPM) is publishing this 
direct final rule to implement the requirements of the Social Security 
Number Fraud Prevention Act of 2017 (Act). In accordance with the Act, 
OPM is amending its privacy procedures to prohibit the inclusion of 
Social Security numbers (SSNs) on any document sent through the mail 
unless the Director of OPM deems it necessary. This rule also 
establishes requirements for safeguarding SSNs sent through the mail by 
partially redacting SSNs where feasible and prohibiting the display of 
SSNs on the outside of any package or envelope sent by mail.

DATES: This rule is effective on June 26, 2024, without further action 
unless significant adverse comments are received by June 11, 2024. If 
significant adverse comments are received, OPM will withdraw this 
direct final rule and publish a proposed rule.

ADDRESSES: You may submit comments for this direct final rule using the 
following method:
     Federal Rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for sending comments.
    All submissions received must include the agency name and docket 
number for this direct final rule. The general policy for comments and 
other submissions from members of the public is to make these 
submissions available for public viewing at https://www.regulations.gov 
as they are received, without change, including any personal 
identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Kirsten J. Moncada, Executive 
Director, Office of the Executive Secretariat, Privacy, and Information 
Management, 202-936-0251.

SUPPLEMENTARY INFORMATION: The Social Security Number Fraud Prevention 
Act of 2017, Public Law 115-59, 42 U.S.C. 405 note, restricts the 
inclusion of SSNs on documents sent by mail unless the head of the 
agency determines that the inclusion of the SSNs on the documents is 
necessary. The Act also directs agencies to issue regulations that 
specify when inclusion of an SSN is necessary and include requirements 
for the safeguarding of SSNs by partially redacting SSNs where feasible 
and prohibiting the display of SSNs on the outside of any package or 
envelope sent by mail.
    To implement the Act, OPM is adding new subpart F, titled 
``Protecting Social Security Numbers in Mailed Documents,'' to its 
privacy procedures at 5 CFR part 297. The new requirements in subpart F 
prohibit the inclusion of SSNs on any document OPM program offices send 
through the mail unless the Director of OPM, on the advice of the 
Senior Agency Official for Privacy, deems it necessary and precautions 
are taken to protect the SSNs. In addition, subpart F includes 
requirements for OPM program offices to partially redact SSNs where 
feasible and specifically prohibits the display of complete or partial 
SSNs on the outside of any package or envelope sent by mail or through 
the window of an envelope or package. Subpart F applies to all OPM 
office activities and written or printed documents OPM sends by mail 
that include a complete or partial SSN.
    OPM is also amending 5 CFR 297.102 to add the definitions of 
``document,'' and ``mail'' to make explicit OPM's meaning of the terms 
in this new subpart F. For the purposes of this rule, a document is a 
record of some information that can be used as an authority or for 
reference, further analyses, or study. This includes all records OPM 
maintains and uses to identify, track, and correspond with agencies, 
Federal employees, contractors, and annuitants, among others. Mail is 
defined as artifacts used to assemble letters and packages that are 
sent or delivered by the United States Postal Service or other 
commercial letter or parcel delivery services.

Direct Final Rule Justification

    This rule of agency organization, procedure, or practice is exempt 
from the prior public notice and comment requirements of the 
Administrative Procedure Act. See 5 U.S.C. 553(b)(3)(A). This rule will 
not have any effect on the rights, obligations, or interests of any 
affected parties, as it is merely procedural and reflects a statutory 
requirement that is already in effect. The rule restricts and 
safeguards the inclusion of SSNs in documents that are mailed to 
prevent unauthorized disclosure of SSNs and protect individual privacy. 
Accordingly, OPM for good cause finds that the notice and comment 
requirements are unnecessary. See 5 U.S.C. 553(b)(3)(B).
    This rule is also suitable for direct final rulemaking because it 
is non-controversial and consistent with Federal law and policy 
regarding the appropriate handling and protection of SSNs. The 
provisions of the rule will be beneficial to members of the public and 
Federal employees because it protects their personally identifiable 
information. Because this non-substantive rule makes no changes to the 
legal obligations or rights of any affected parties (i.e., reflects a 
statutory requirement that is already in effect) and because it is in 
the public interest to have this rule be effective as soon as possible, 
OPM does not expect to receive any significant adverse comments.
    This rule will be effective June 26, 2024, without further action 
unless significant adverse comments are received. A significant adverse 
comment is one that explains: (1) why the rule is inappropriate, 
including challenges to the rule's underlying premise or approach; or 
(2) why the direct final rule will be ineffective or unacceptable 
without a change. If such comments are received, this direct final rule 
will be withdrawn and a proposed rule for comments will be published. 
If no such comments are received, this direct final rule will become 
effective 15 days after the comment period expires. In determining 
whether a significant adverse comment necessitates withdrawal of this 
direct final rule, OPM will consider whether the

[[Page 25750]]

comment raises an issue serious enough to warrant a substantive 
response had it been submitted in a standard notice and comment 
process. A comment recommending an addition to the rule will not be 
considered significant and adverse unless the comment explains how this 
direct final rule would be ineffective without the addition.

Expected Impact of This Direct Final Rule

    SSNs are used as unique identifiers by government agencies, 
businesses, and other entities. The theft and fraudulent use of SSNs 
can result in significant repercussions for the SSN holder, as well as 
the entities from which SSNs were stolen. This direct final rule 
formalizes in regulation OPM's current practice of safeguarding SSNs in 
mailed documents and will support efforts to protect individual 
privacy. In accordance with the E-Government Act (2002), OPM currently 
applies encryption technology and other security controls, such as 
password protection, to minimize the risk of unauthorized disclosure of 
SSNs. OPM program offices are also required to conduct proper 
assessments to minimize the use of SSNs and the impact to individual 
privacy as a result of their inclusion in any document. This rule 
supplements these procedures and is beneficial because it protects 
individual privacy and standardizes OPM's procedures for mailing 
documents with SSNs. There are no alternatives to this rule because it 
is required by statute.

Regulatory Review

    Executive Orders 13563, 12866, and 14094 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). The 
Office of Information and Regulatory Affairs in the Office of 
Management and Budget has determined this rule is not a ``significant 
regulatory action'' under section 3(f) of Executive Order 12866, as 
amended by Executive Order 14094.

Regulatory Flexibility Act

    The Director of OPM certifies that this rule will not have a 
significant economic impact on a substantial number of small entities 
because it is a procedural rule that only applies only to OPM.

E.O. 13132, Federalism

    This rule will not have substantial direct effects on the States, 
on the relationship between the National Government and the States, or 
on distribution of power and responsibilities among the various levels 
of government. Therefore, in accordance with Executive Order 13132, OPM 
has determined that this direct rule does not have federalism 
implications that require preparation of a federalism summary impact 
statement.

E.O. 12988, Civil Justice Reform

    OPM has determined that this rule meets the relevant standards of 
Executive Order 12988.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the expenditure by State, local, or 
tribal governments, or the private sector of more than $100 million 
annually. Thus, no written assessment of unfunded mandates is required.

Congressional Review Act

    Subtitle E of the Small Business Regulatory Enforcement Fairness 
Act of 1996 (known as the Congressional Review Act or CRA) (5 U.S.C. 
801, et seq.) requires rules to be submitted to Congress before taking 
effect. OPM will submit to Congress and the Comptroller General of the 
United States a report regarding the issuance of this rule before its 
effective date, as required by 5 U.S.C. 801. The Office of Information 
and Regulatory Affairs in the Office of Management and Budget has 
determined that this rule is not a major rule as defined by the CRA (5 
U.S.C. 804).

Paperwork Reduction Act of 1995

    This regulatory action will not impose any reporting or 
recordkeeping requirements under the Paperwork Reduction Act (44 U.S.C. 
Chapter 35).

List of Subjects in 5 CFR Part 297

    Privacy.

Office of Personnel Management.
Kayyonne Marston,
Federal Register Liaison.

    For reasons stated in the preamble, OPM amends 5 CFR part 297 as 
follows:

PART 297--PRIVACY PROCEDURES FOR PERSONNEL RECORDS

0
1. The authority citation for part 297 is revised to read as follows:

    Authority:  5 U.S.C. 552a; Pub. L. 115-59, 113 Stat. 1152 (42 
U.S.C. 405 note).


0
2. Amend Sec.  297.102 by adding in alphabetical order the definitions 
for ``Document'' and ``Mail'' to read as follows:


Sec.  297.102  Definitions.

* * * * *
    Document means a piece of written or printed matter that provides 
information or evidence or that serves as official record.
    Mail means artifacts used to assemble letters and packages that are 
sent or delivered by the United States Postal Service or other 
commercial letter or parcel delivery services.
* * * * *

0
3. Add subpart F, consisting of Sec. Sec.  297.601 and 297.602, to read 
as follows:

Subpart F--Privacy and Social Security Number Fraud Prevention

Sec.
297.601 Purpose and scope.
297.602 Protecting Social Security numbers in mailed documents.


Sec.  297.601  Purpose and scope.

    The purpose of this subpart is to implement the requirements of the 
Social Security Number Fraud Prevention Act of 2017 to limit the use of 
Social Security numbers on documents mailed by the Office of Personnel 
and Management (OPM). The subpart applies to all written or printed 
documents that OPM sends by mail that include a complete or partial 
Social Security number.


Sec.  297.602  Protecting Social Security numbers in mailed documents.

    (a) Social Security numbers must not be visible on the outside of 
any package OPM sends by mail or displayed on correspondence that is 
visible through the window of an envelope or package.
    (b) A document OPM sends by mail may only include a Social Security 
number if the Director of OPM determines, on the advice of the Senior 
Agency Official for Privacy, that the inclusion of a Social Security 
number on a document sent by mail is necessary and appropriate to meet 
legal and mission requirements.
    (c) The inclusion of a Social Security number on a document sent by 
mail is necessary when--
    (1) Required by law; or
    (2) Necessary to identify a specific person and no adequate 
substitute is available.
    (d) Social Security numbers must be partially redacted in documents 
sent by mail whenever feasible to mitigate any risks to privacy.

[FR Doc. 2024-07750 Filed 4-11-24; 8:45 am]
BILLING CODE 6325-67-P