Pension Benefit Guaranty Corporation.
Interim final rule; request for comments.
The Pension Benefit Guaranty Corporation is amending its Privacy Act regulation to exempt a system of records that supports a program of insider threat detection and data loss prevention.
Effective date: This interim final rule is effective on July 9, 2019.
Comment date: Comments must be received on or before August 8, 2019 to be assured of consideration.
Comments may be submitted by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov. Follow the online instructions for submitting comments.
Mail or Hand Delivery: Regulatory Affairs Division, Office of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K Street NW, Washington, DC 20005-4026.
All submissions must include the agency's name (Pension Benefit Guaranty Corporation, or PBGC) and title for this rulemaking (Privacy Act Regulation; Exemption for Insider Threat Program Records). Comments received will be posted without change to PBGC's website, http://www.pbgc.gov, including any personal information provided. Copies of comments may also be obtained by writing to Disclosure Division, Office of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K Street NW, Washington, DC 20005-4026, or calling 202-326-4040 during normal business hours. TTY users may call the Federal relay service toll-free at 800-877-8339 and ask to be connected to 202-326-4040.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Melissa Rifkin (firstname.lastname@example.org), Attorney, Regulatory Affairs Division, Office of the General Counsel, Pension Benefit Guaranty Corporation, 1200 K Street NW, Washington, DC 20005-4026; 202-326-4400, extension 6563; Margaret Drake (email@example.com), Chief Privacy Officer, Office of the General Counsel, 202-326-4400, extension 6435. (TTY users may call the Federal relay service toll-free at 800-877-8339 and ask to be connected to 202-326-4400, extension 6563.)
End Further Info
Start Supplemental Information
This rule amends PBGC's regulation on Disclosure and Amendment of Records Pertaining to Individuals under the Privacy Act (29 CFR part 4902) to exempt from disclosure information contained in a new system of records for PBGC's insider threat program. The exemption is needed because records in this system include investigatory material compiled for law enforcement purposes.
Authority for this rule is provided by section 4002(b)(3) of the Employee Retirement Income Security Act of 1974 (ERISA) and 5 U.S.C. 552a(k)(2).
The Pension Benefit Guaranty Corporation (PBGC) administers the pension plan insurance programs under title IV of the Employee Retirement Income Security Act of 1974 (ERISA). As a Federal agency, PBGC is subject to the Privacy Act of 1974, 5 U.S.C. 552a (Privacy Act), in its collection, maintenance, use, and dissemination of any personally identifiable information that it maintains in a “system of records.” A system of records is defined under the Privacy Act as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 
PBGC is proposing to establish a new system of records, “PBGC-26, PBGC Insider Threat and Data Loss Prevention—PBGC.” This system of records is published in the “Notice” section of this issue of the Federal Register.
Executive Order 13587, issued October 7, 2011, requires Federal agencies to establish an insider threat detection and prevention program to ensure the security of classified networks and the responsible sharing and safeguarding of classified information consistent with appropriate protections for privacy and civil liberties. While PBGC does not have any classified networks, it does maintain a significant amount of Controlled Unclassified Information (CUI) that, under law, it is required to safeguard from unauthorized access or disclosure. One method utilized by PBGC to ensure that only those with a need-to-know have access to CUI is a set of tools to minimize data loss, whether inadvertent or intentional. This system will collect and maintain Personally Identifiable Information (PII) in the course of scanning traffic leaving PBGC's network and blocking traffic that violates PBGC's policies to safeguard PII.
This system covers “PBGC insiders,” who are individuals with access to PBGC resources, including facilities, information, equipment, networks, and systems. This includes Federal employees and contractors. Records from this system will be used on a need-Start Printed Page 32619to-know basis to manage insider threat matters; facilitate insider threat investigations and activities; identify threats to PBGC resources, including threats to PBGC's personnel, facilities, and information assets; track tips and referrals of potential insider threats to internal and external partners; meet other insider threat program requirements; and investigate/manage the unauthorized or attempted unauthorized disclosure of PII.
Under section 552a(k) of the Privacy Act, PBGC may promulgate regulations exempting information contained in certain systems of records from specified sections of the Privacy Act including the section mandating disclosure of information to an individual who has requested it. Among other systems, PBGC may exempt a system that is “investigatory material compiled for law enforcement purposes.” 
Under this provision, PBGC has exempted, in § 4209.11 of its Privacy Act regulation, records of the investigations conducted by its Inspector General and contained in a system of records entitled “PBGC-17, Office of Inspector General Investigative File System—PBGC.”
The PBGC-26, PBGC Insider Threat and Data Loss Prevention—PBGC system contains: (1) Records derived from PBGC security investigations, (2) summaries or reports containing information about potential insider threats or the data loss prevention program, (3) information related to investigative or analytical efforts by PBGC insider threat program personnel, (4) reports about potential insider threats obtained through the management and operation of the PBGC insider threat program, and (5) reports about potential insider threats obtained from other Federal Government sources. The records contained in this new system include investigative material of actual, potential, or alleged criminal, civil, or administrative violations and law enforcement actions. These records are within the material permitted to be exempted under section 552a(k)(2) of the Privacy Act.
PBGC is amending its Privacy Act regulation to add a new § 4902.12 that exempts PBGC-26, PBGC Insider Threat and Data Loss Prevention—PBGC, from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f). Exemption from these sections of the Privacy Act means that, with respect to records in the system, PBGC will not be required to: (1) Disclose records to an individual upon request, (2) keep an accounting of individuals who request records, (3) maintain only records as necessary to accomplish an agency purpose, or (4) publish notice of certain revisions of the system of records.
Compliance With Rulemaking Guidelines
This is a rule of “agency organization, procedure, or practice” and is limited to “agency organization, management, or personnel matters.” The exemption from provisions of the Privacy Act provided by the interim final rule affects only PBGC insiders described above. Accordingly, this rule is exempt from notice and public comment requirements under 5 U.S.C. 553(b) and the requirements of Executive Order 12866 and Executive Order 13771.
Because no general notice of proposed rulemaking is required, the Regulatory Flexibility Act does not apply to this rule. See 5 U.S.C. 601(2), 603, 604.
PBGC finds good cause exists for making the amendments set forth in this interim final rule effective less than 30 days after publication because the amendments support PBGC's new system of records for insider threat detection and data loss prevention, which is effective July 9, 2019.
Start List of Subjects
End List of Subjects
In consideration of the foregoing, PBGC is amending 29 CFR part 4902 as follows:
PART 4902—DISCLOSURE AND AMENDMENT OF RECORDS PERTAINING TO INDIVIDUALS UNDER THE PRIVACY ACT
Start Amendment Part
1. The authority citation for part 4902 is revised to read as follows: End Amendment Part
Start Amendment Part
2. Amend § 4902.1(d) by removing “4902.11” and adding in its place “4902.12”. End Amendment Part
Start Amendment Part
[Redesignated as § 4902.13]
3. Redesignate § 4902.12 as § 4902.13. End Amendment Part
Start Amendment Part
4. Add new § 4902.12 to read as follows: End Amendment Part
Specific exemptions: Insider Threat and Data Loss Prevention.
(a) Other law enforcement—(1) Exemption. Under the authority granted by 5 U.S.C. 552a(k)(2), PBGC hereby exempts the system of records entitled “PBGC-26, PBGC Insider Threat and Data Loss Prevention—PBGC” from the provisions of 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f).
(2) Reasons for exemption. The reasons for asserting the exemption in this section are because the disclosure and other requirements of the Privacy Act could substantially compromise the efficacy and integrity of PBGC's ability to investigate insider threat activities and the improper exfiltration of personally identifiable information. Disclosure could invade the privacy of other individuals and disclose their identity when they were expressly promised confidentiality. Disclosure could interfere with the integrity of information which would otherwise be subject to privileges, see, e.g., 5 U.S.C. 552(b)(5), and which could interfere with other important law enforcement concerns, see, e.g., 5 U.S.C. 552(b)(7).
End Supplemental Information
Issued in Washington, DC.
Director, Pension Benefit Guaranty Corporation.
[FR Doc. 2019-14604 Filed 7-8-19; 8:45 am]
BILLING CODE 7709-02-P