[Federal Register Volume 72, Number 110 (Friday, June 8, 2007)]
[Notices]
[Pages 31835-31836]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-11122]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
Privacy Act of 1974; System of Records
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice of routine use.
-----------------------------------------------------------------------
SUMMARY: The FTC is adopting in final form a new routine use that
permits disclosure of FTC records protected by the Privacy Act when
reasonably necessary to respond and prevent, minimize, or remedy harm
that may result from an agency data breach or compromise.
DATES: The routine use is effective June 8, 2007.
FOR FURTHER INFORMATION CONTACT: Alex Tang, Attorney, FTC, Office of
General Counsel, 600 Pennsylvania Ave. NW, Washington, DC 20580, 202-
326-2447, [email protected].
SUPPLEMENTARY INFORMATION: In a document previously published in the
FEDERAL REGISTER, 72 FR 14814 (Mar. 29, 2007), the FTC, as required by
the Privacy Act of 1974, 5 U.S.C. 552a, sought comments on a proposed
new ``routine use'' of the FTC's Privacy Act records systems.\1\ As the
FTC explained, the new routine use, the text of which is set forth at
the end of this document,\2\ is necessary to allow for disclosures of
Privacy Act records by the FTC to appropriate persons and entities for
purposes of response and remedial efforts in the event of a breach of
data contained in the protected systems. The routine use will
facilitate an effective response to a confirmed or suspected breach by
allowing for disclosure to individuals affected by the breach, in
cases, if any, where such disclosure is not otherwise authorized under
the Act. The routine use will also authorize disclosures to others who
are in a position to assist in response efforts, either by assisting in
notification to affected individuals or otherwise playing a role in
preventing, minimizing, or remedying harms from the breach. The FTC
explained that this new routine use would be added to Appendix 1 of the
FTC's Privacy Act system notice; that Appendix describes the routine
uses that apply globally to all FTC Privacy Act records systems.\3\
---------------------------------------------------------------------------
\1\ The FTC simultaneously provided OMB and the Congress with 40
days advance notice of the proposed routine use, as required by the
Privacy Act, 5 U.S.C. 552a(r), and OMB Circular A-130, Revised,
Appendix I.
\2\ The text of the routine use was taken from the routine use
that has already been published in final form by the Department of
Justice after public comment. See 72 FR 3410 (Jan. 25, 2007).
\3\ See 57 FR 45678 (1992), http://www.ftc.gov/foia/sysnot/appendix1.pdf. A list of the agency's current Privacy Act records
systems can be viewed on the FTC's web site at: http://www.ftc.gov/foia/listofpasystems.htm.
---------------------------------------------------------------------------
The Privacy Act authorizes agencies, after public notice and
comment, to adopt routine uses that are compatible with the purpose for
which information subject to the Act has been collected. 5 U.S.C.
552a(b)(3); see also 5 U.S.C. 552a(a)(7). The FTC believes that it is
consistent with the agency's collection of information pertaining to
individuals under the Privacy Act to disclose such records when, in
doing so, it will help prevent, minimize or remedy a data breach or
compromise that may affect such individuals. By contrast, the FTC
believes that failure to take reasonable steps to help prevent,
minimize or remedy the harm that may result from such a breach or
compromise would jeopardize, rather than promote, the privacy of such
individuals.
In seeking public comments on the proposed routine use, the FTC
explained that it would take into account any such comments and make
appropriate or necessary revisions, if any, before publishing the
proposed routine use as final. In response, the FTC received one
comment, from the Electronic Privacy Information Center (EPIC).\4\
---------------------------------------------------------------------------
\4\ See http://www.ftc.gov/os/publiccomments.shtm
(207).
---------------------------------------------------------------------------
First, EPIC urges that the FTC narrow the proposed routine use to
the minimum required to fulfill the agency's stated purpose. EPIC
questions what standards or requirements the agency would follow in
determining the Privacy Act disclosures to be made in the case of a
data breach, and wonders whether the agency would now be routinely
disclosing Social Security numbers or other sensitive personal
information to other agencies, entities and persons in every data
breach investigation. Recognizing that specific disclosures may be
necessary, EPIC suggests, for example, that the FTC could create tiers
of access, allowing specific categories of individuals limited access
to data, according to the needs of the agency's investigation.
The FTC agrees that any disclosure of Privacy Act records in order
to investigate or remedy a breach must be necessary and narrowly
tailored to the circumstances. The FTC believes that the restriction on
disclosures to those that are ``reasonably necessary'' accurately and
appropriately describes the relevant limitation on disclosures under
this routine use. The scope of potential disclosures authorized by that
routine use is not intended to suggest that the FTC will always
disclose all of an individual's records, if any, every time there is a
breach that the agency needs to investigate or mitigate. Rather, the
purpose and intent of the routine use is to give individuals full and
fair notice of the extent of potential
[[Page 31836]]
disclosures, consistent with the Privacy Act's requirement that
individuals be made aware of how their records may be disclosed, even
if the FTC anticipates that there may often be very limited or no
disclosure of an individual's records to third parties as part of the
agency's investigatory or remedial efforts.
Developing fixed categories of access for certain entities or
individuals, as EPIC suggests, would not appear to confer significantly
greater protection, if any, for an individual's records than limiting
disclosures to those that are ``reasonably necessary.'' The
determination of when disclosure is ``reasonably necessary'' will
logically depend on a case-by-case evaluation of the specific
circumstances of the breach, including how much of an individual's
information, if any, it is reasonably necessary to disclose, and the
specific nature of the entities to whom such information needs to be
disclosed, in order to investigate or respond to a breach.\5\ Amending
a routine use to accommodate disclosures in response to a breach is not
a viable option when there is a clear need to respond rapidly and
effectively in investigating and mitigating the breach, in light of the
prior notice and comment requirements of the Privacy Act for routine
use amendments.
---------------------------------------------------------------------------
\5\ For example, under FTC rules, disclosures to other law
enforcement agencies may be made on a confidential basis for law
enforcement purposes. See Commission Rule 4.11(c), 16 CFR 4.11(c).
---------------------------------------------------------------------------
Second, EPIC's comment advocates that consumers be notified as soon
as possible after a security breach results in their personal
information being accessed by an unauthorized person, and before
notifying any other agency, entity or individual. That issue, however,
is outside the scope of a routine use notice under the Privacy Act. The
Act requires that agencies notify individuals about the establishment
of a Privacy Act system of records, the routine uses of such systems of
records, and additional notice at the time that information in such a
system is collected from individuals.
Nothing in the Act, however, governs or provides criteria for
determining when notice of a data breach to affected individuals would
be appropriate or not. Guidance on that issue has been issued to all
Federal agencies by the Office of Management & Budget (OMB), in
conjunction with the President's Identity Theft Task Force, chaired by
the Attorney General and co-chaired by the FTC Chairman.\6\ As stated
in that guidance, agencies must consider various factors in determining
whether notice is appropriate in a given case. The routine use
published by the FTC neither addresses nor is it intended to supersede
or supplant such guidance, or any other applicable guidance that may
later arise in applicable statute, rule or policy regarding when notice
to individuals must or should be given.
---------------------------------------------------------------------------
\6\ See Memorandum for the Heads of Department and Agencies,
from Clay Johnson, Deputy Director for Management, OMB,
``Recommendations for Identity Theft Related Data Breach
Notification'' (Sept. 20, 2006) (attaching Memorandum from the
Identity Theft Task Force, ``Identity Theft Related Data Security
Breach Notification Guidance'' (Sept. 19, 2006), also reproduced in
The President's Identity Theft Task Force, Combating Identity Theft:
A Strategic Plan (Apr. 2007) at 73-82 (App. A)).
---------------------------------------------------------------------------
Accordingly, after consideration of the above, the FTC has
determined to adopt the routine use for data breach as originally
published, and hereby amends Appendix 1 of its Privacy Act system
notices, as published at 57 FR 45678, by adding the following new
routine use at the end of the existing routine uses set forth in that
Appendix:
* * *
To appropriate agencies, entities, and persons when (1) the FTC
suspects or has confirmed that the security or confidentiality of
information in the system of records has been compromised; (2) the FTC
has determined that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
identity theft or fraud, or harm to the security or integrity of this
system or other systems or programs (whether maintained by the FTC or
another agency or entity) that rely upon the compromised information;
and (3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with the FTC's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
By direction of the Commission.
Donald S. Clark
Secretary
[FR Doc. E7-11122 Filed 6-7-07: 8:45 am]
[BILLING CODE 6750-01-S]