83 FR 39095 - Privacy Act of 1974; System of Records

FEDERAL TRADE COMMISSION

Federal Register Volume 83, Issue 153 (August 8, 2018)

The FTC is publishing in final form a modification to all FTC Privacy Act system of records notices (SORNs) by amending and bifurcating an existing global routine use relating to assistance in data breach responses, to conform with Office of Management and Budget (OMB) guidance to federal agencies, OMB Memorandum 17-12.

[Federal Register Volume 83, Number 153 (Wednesday, August 8, 2018)]
[Notices]
[Pages 39095-39096]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-16935]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Privacy Act of 1974; System of Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of modified systems of records.

-----------------------------------------------------------------------

SUMMARY: The FTC is publishing in final form a modification to all FTC 
Privacy Act system of records notices (SORNs) by amending and 
bifurcating an existing global routine use relating to assistance in 
data breach responses, to conform with Office of Management and Budget 
(OMB) guidance to federal agencies, OMB Memorandum 17-12.

DATES: August 8, 2018, except that the new routine use shall be 
effective September 7, 2018.

FOR FURTHER INFORMATION CONTACT: G. Richard Gold and Alex Tang, 
Attorneys, Office of the General Counsel, FTC, 600 Pennsylvania Avenue 
NW, Washington, DC 20580, (202) 326-2424.

SUPPLEMENTARY INFORMATION: In a document previously published in the 
Federal Register, 83 FR 19560 (May 3, 2018), the Federal Trade 
Commission, as required by the Privacy Act, sought comments on a 
proposal to modify and bifurcate an existing routine use relating to 
assistance in data breach responses, which is applicable to all Federal 
Trade Commission SORNs, to conform with OMB Memorandum M-17-12, 
Preparing for and Responding to a Breach of Personally Identifiable 
Information (January 3, 2017). See 5 U.S.C. 552a(e)(4) and (11).
    The comment period closed on June 4, 2018, and the FTC received 
three comments to the proposal to modify and bifurcate an existing 
routine use relating to assistance in data breach responses. The 
commenters were Xyampza Kerz, Thomas Dickinson, and Dave Root. Xyampza 
Kerz's comment expressed concerns about the privacy of homeowner's 
personal information posted on the Web when they buy a home and about 
internet searches that allow a searcher to find out your age and 
possibly lead to discrimination. M/M. Kerz also complains about the 
practices of an online entity and asks that the entity be shut down. 
These are important privacy issues but are not

[[Page 39096]]

germane to the current public notice and comment process. We have 
referred M/M. Kerz's comment to the FTC's Consumer Response Center for 
entry into the Consumer Sentinel Network of complaints and related 
inquiries.
    The second commenter, Thomas Dickinson, also filed a comment that 
is non-germane to the current public notice and comment process. Mr. 
Dickinson asks the FTC to apply a ``monitor'' to individuals' home 
phones that identifies violations of the Do-Not-Call Rule and allows 
the FTC to take appropriate punitive actions. We have also referred Mr. 
Dickinson's complaint to the FTC's Consumer Response Center for entry 
into the Consumer Sentinel Network.
    The third commenter, Dave Root, commented that ``due process and . 
. . [his] . . . privacy . . . [would] . . . be harmed by open access to 
sharing . . . [his] . . . personal info between all government agencies 
as outlined in this notice.'' Mr. Root asked if there are ``any 
safeguards against `political weaponization' without any 
accountability, by any federal, state or local governmental agency 
having access to this information.'' Mr. Root asked for ```teeth' in 
the rule for anyone . . . that purposefully uses this information 
incorrectly . . . [meaning] . . . seriously enforced jail time for 
anyone who fails to act in the investigation and prosecution process.''
    The revised routine use would not provide ``open access'' to ``all 
government agencies'' but would require that the FTC receive a request 
from another Federal agency or Federal entity that provides enough 
supporting information such that the FTC can determine that information 
from an FTC Privacy Act system or systems is reasonably necessary to 
assist the recipient agency or entity in (a) responding to a suspected 
or confirmed breach or (b) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    The Privacy Act specifically provides civil remedies, 5 U.S.C. 
552a(g), including damages, and criminal penalties, 5 U.S.C. 552a(i), 
for violations of the Act. In addition, an individual may be fined up 
to $5,000 for knowingly and willfully requesting or gaining access to a 
record about an individual under false pretenses. 5 U.S.C. 552a(i)(3).
    As stated in the Federal Register Notice dated May 3, 2018, the FTC 
believes that the modified and bifurcated routine use on data breaches 
is compatible with the collection of information pertaining to 
individuals affected by a breach, and that the disclosure of such 
records will help prevent, minimize or remedy a data breach or 
compromise that may affect such individuals. By contrast, the FTC 
believes that failure to take reasonable steps to help prevent, 
minimize or remedy the harm that may result from such a breach or 
compromise would jeopardize, rather than promote, the privacy of such 
individuals.
    The FTC provided a public comment period and notice to OMB and 
Congress as required by the Privacy Act and implementing OMB 
guidelines.\1\
---------------------------------------------------------------------------

    \1\ See U.S.C. 552a(e)(11) and 552a(r); OMB Circular A-108 
(2016).
---------------------------------------------------------------------------

    Accordingly, the FTC hereby amends Appendix I of its Privacy Act 
system notices, as published at 73 FR 33591, by revising item number 
(22), adding new item number (23), and re-designating the former item 
number (23) as (24) (without any other change) at the end of the 
existing routine uses set forth in that Appendix:
* * * * *
    (22) To appropriate agencies, entities, and persons when (a) the 
FTC suspects or has confirmed that there has been a breach of the 
system of records; (b) the FTC has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the FTC (including its information systems, programs, and operations), 
the Federal Government, or national security; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the FTC's efforts to respond to the suspected 
or confirmed breach or to prevent, minimize, or remedy such harm.
    (23) To another Federal agency or Federal entity, when the FTC 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.
    (24) May be disclosed to FTC contractors, volunteers, interns or 
other authorized individuals who have a need for the record in order to 
perform their officially assigned or designated duties for or on behalf 
of the FTC.

History
    73 FR 33591-33634 (June 12, 2008).

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-16935 Filed 8-7-18; 8:45 am]
 BILLING CODE 6750-01-P