Department of Veterans Affairs.
This document adopts, without change, the interim final rule that was published in the Federal Register on June 22, 2007, addressing data breaches of sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). This final rule implements certain provisions of the Veterans Benefits, Health Care, and Information Technology Act of 2006. The regulations prescribe the mechanisms for taking action in response to a data breach of sensitive personal information.
Effective Date: April 11, 2008.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Jonelle Lewis, Office of Information Protection and Risk Management (005R), U.S. Department of Veterans Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Telephone: (202) 461-6400. This is not a toll-free number.End Further Info End Preamble Start Supplemental Information
On June 22, 2007, VA published an interim final rule in the Federal Register (72 FR 34395). The interim final rule addressed data breaches of sensitive personal information that is processed or maintained by VA. This final rule implements 38 U.S.C. 5724 and 5727, which were enacted as part of Title IX of Public Law 109-461, the Veterans Benefits, Health Care, and Information Technology Act of 2006.
We provided a 60-day comment period that ended August 21, 2007. We received no comments. Based on the rationale set forth in the interim final rule, we adopt the provisions of the interim final rule as a final rule without any changes.
Administrative Procedure Act
This document, without change, affirms the amendment made by the interim final rule that is already in effect. The Secretary of Veterans Affairs concluded that, under 5 U.S.C. 553, there was good cause to dispense with the opportunity for prior comment with respect to this rule. The Secretary found that it was unnecessary to delay this regulation for the purpose of soliciting prior public comment based on the statutory mandate in 38 U.S.C. 5724 to publish the amendment as an interim final rule. Nevertheless, the Secretary invited public comment on the interim final rule but did not receive any comments.
Executive Order 12866
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). The Executive Order classifies a “significant regulatory action,” requiring review by the Office of Management and Budget (OMB), as any regulatory action that is likely to result in a rule that may: (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
The economic, interagency, budgetary, legal, and policy implications of this rule have been examined and it has been determined to be a significant regulatory action under the Executive Order because it is likely to result in a rule that may raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C. 1532, that agencies prepare an assessment of anticipated costs and benefits before issuing any rule that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted annually for inflation) in any Start Printed Page 19748given year. This rule would have no such effect on State, local, and tribal governments or the private sector.
Paperwork Reduction Act
This document contains no provisions constituting a collection of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3521).
Regulatory Flexibility Act
The provisions of the Regulatory Flexibility Act (5 U.S.C. 601-612) do not apply to this interim final rule because the provisions of 38 U.S.C. 5724 require that this document be promulgated as an interim final rule, and, consequently, a notice of proposed rulemaking was not required for the rule. 5 U.S.C. 603-604.
Catalog of Federal Domestic Assistance Numbers
There are no Catalog of Federal Domestic Assistance numbers and titles for this rule.Start List of Subjects
List of Subjects in 38 CFR Part 75
- Administrative practice and procedure
- Credit monitoring
- Data breach
- Data breach analysis
- Data mining
- Fraud alerts
- Identity theft insurance
- Risk analysis
- Security measures
Approved: April 4, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
PART 75—INFORMATION SECURITY MATTERSEnd Part End Supplemental Information
[FR Doc. E8-7726 Filed 4-10-08; 8:45 am]
BILLING CODE 8320-01-P