Privacy Act of 1974; System of Records

Federal Register, Jun 10, 2021
86 Fed. Reg. 30933 (Jun. 10, 2021)

AGENCY:

Export-Import Bank of the United States.

ACTION:

Notice of new system of records.

SUMMARY:

The Export-Import Bank of the United States (EXIM) proposes to add a new electronic system of records, EXIM CRM (Customer Relationship Management), subject to the Privacy Act of 1974, as amended. This notice is necessary to meet the Privacy Act's requirement to publish in the Federal Register a notice of the existence and character of records maintained by the agency. Included in this notice is the system of records notice (SORN) for EXIM CRM.

DATES:

Comments must be received on or before July 12, 2021 to be assured of consideration.

ADDRESSES:

Comments may be submitted electronically on www.regulations.gov or by mail to Tomeka Wray, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

FOR FURTHER INFORMATION CONTACT:

Tomeka Wray, by email Tomeka.Wray@exim.gov, or telephone 202-565-3996, or by mail Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

SUPPLEMENTARY INFORMATION:

EXIM is establishing a new system of records, EXIM CRM. The system will be used to help EXIM business development and customer service operations essential to its mission of supporting American jobs by facilitating the export of U.S. goods and services. EXIM CRM is comprised of two integrated, cloud-based applications, Salesforce and HubSpot.

SYSTEM NAME AND NUMBER:

EXIM CRM, EIB 21-01.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

EXIM CRM consists of two cloud-based applications, Salesforce and HubSpot. The Salesforce application and data are hosted in Salesforce Government Cloud. The HubSpot application and data are hosted in Amazon Web Services (AWS) and Google Cloud Platform (GCP).

SYSTEM MANAGER(S):

Senior Vice President, Office of Small Business, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The Export-Import Bank requests the information in this application under the following authorizations:

Authority of the Export-Import Bank Act of 1945, as amended (12 U.S.C. 635 et seq.), Executive Order 9397 as Amended by Executive Order 13478 signed by President George W. Bush on November 18, 2008, Relating to Federal Agency Use of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:

This system will enable EXIM business development and customer service operations essential to its mission of supporting American jobs by facilitating the export of U.S. goods and services. Information in the system will be used to manage relationships and track interactions with companies and their representatives who are potential, current, or former customers or that are also involved in an EXIM financing transaction (e.g., as a sponsor or an advisor). It will also be used to manage relationships and track interactions with partner organizations and agencies and their representatives (registered insurance brokers, commercial lenders, and members of the Regional Export Promotion Program) as well as other organizations and agencies whom EXIM works with in supporting U.S. exporters (e.g., other government agencies and nonprofit business development organizations). Additionally, EXIM CRM allows designated personnel from specific partner organizations to log in through Salesforce's Partner Portal to access resources and limited information on potential or current clients that helps them support those clients. EXIM CRM is also used for email outreach and to host landing pages and contact forms used by the public when requesting information or follow up from EXIM. Data from this system may also be used to track, evaluate, and improve EXIM's products and operations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Covered individuals are:

  • Staff or representatives of companies that are potential, current, or former customers or that are also involved in an EXIM deal (e.g., as a sponsor or an advisor).
  • Staff or representatives of EXIM partner organizations (registered insurance brokers, commercial lenders, members of EXIM's Regional Export Promotion Program).
  • Staff or representatives of other organizations EXIM works with in supporting U.S. exporters including local, state, and federal government agencies and nonprofit business development organizations.

CATEGORIES OF RECORDS IN THE SYSTEM:

Individual records in EXIM CRM include full name, company name, business address, phone number, email address, race, and ethnicity.

RECORD SOURCE CATEGORIES:

The primary source of information is from the individual about whom the record is maintained. Additional sources of information are EXIM's partner organizations and other government agencies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures that are generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed to authorized entities, as is determined to be relevant and necessary, outside EXIM as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. To commercial lenders who issue loans covered by EXIM guarantees, for the purpose of assisting current/potential EXIM customers apply for or service an EXIM guaranteed loan;

b. To registered insurance brokers who distribute EXIM Export Credit Insurance policies, for the purpose of assisting current/potential EXIM customers apply for or manage an EXIM policy;

c. To a Federal agency partner including the Department of Commerce (DOC), Small Business Administration (SBA), U.S. Trade & Development Agency (USTDA), and Development Finance Corporation (DFC) for the purpose of assisting current/potential EXIM customers, or companies that do not qualify for EXIM financing, with export financing or other export/trade support services;

d. To a state government, local government, or non-profit business development organization partners for the purpose of assisting current/potential EXIM customers, or companies that do not qualify for EXIM financing, with export/trade support services;

e. To EXIM contractors, agents, or others performing work on a contract, service, cooperative agreement, job, or other activity for EXIM and who have a need to access the information in the performance of their duties or activities for EXIM;

f. To the appropriate Federal, State, local, territorial, tribal, foreign, or international law enforcement authority or other appropriate entity where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether criminal, civil, or regulatory in nature;

g. In an appropriate proceeding before a court, grand jury, or administrative or adjudicative body or official, when EXIM or other Agency representing EXIM determines the records are relevant and necessary to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding;

h. To any component of the Department of Justice for the purpose of representing EXIM, or its components, officers, employees, or members in pending or potential litigation to which the record is pertinent;

i. To a Congressional office in response to an inquiry from the congressional office made at the request of the individual to whom the record pertains;

j. To the National Archives and Records Administration (NARA) for records management purposes;

k. To appropriate agencies, entities, and persons when (1) EXIM suspects or has confirmed that there has been a breach of the system of records; (2) EXIM has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, EXIM, the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with EXIM's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm; and

l. To another Federal agency or Federal entity, when EXIM determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored digitally in encrypted format in the Salesforce and HubSpot cloud environments.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records may be retrieved by business entity name, individual name, or email address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

All records are retained and disposed of in accordance with EXIM directives, EXIM's Record Schedule DAA-GRS2017-0002-0002, and General Records Schedule GRS 6.5 Item 020.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Information will be stored in electronic format within EXIM CRM. EXIM CRM has configurable, layered data sharing and permissions features to ensure users have proper access. Access to Salesforce and HubSpot is restricted to EXIM personnel who need it for their job. Authorized users have access only to the data and functions required to perform their job functions. Designated personnel at specific lender, insurance broker, and Regional Export Promotion Program (REPP) partner organizations are granted limited access to EXIM CRM through Salesforce's Partner Portal. This access is managed via Salesforce's and HubSpot's System Administration, User, and security functions.

Salesforce Government Cloud is compliant with the Federal Risk and Authorization Management Program (FedRAMP). The PII information in EXIM CRM will be encrypted and stored in place, and HTTPS protocol will be employed in accessing Salesforce.

HubSpot is hosted in AWS and GCP environments that are FedRAMP compliant, and ISO 27001 certified. The PII information in EXIM CRM will be encrypted and stored in place, and HTTPS protocol will be employed in accessing HubSpot.

RECORD ACCESS PROCEDURE:

Requests to access records under the Privacy Act must be submitted in writing and signed by the requestor. Requests should be addressed to the Freedom of Information and Privacy Office, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571. The request must comply with the requirements of 12 CFR 404.14.

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest and/or amend records under the Privacy Act must submit a request in writing. The request must be signed by the requestor and should be addressed to the Freedom of Information and Privacy Office, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571. The request must comply with the requirements of 12 CFR 404.14.

NOTIFICATION PROCEDURES:

An individual seeking to be notified if this system contains a record pertaining to himself or herself must submit a request in writing. The request must be signed by the requestor and should be addressed to the Freedom of Information and Privacy Office, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571. The request must comply with the requirements of 12 CFR 404.14.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

Not Applicable.

Bassam Doughman,

IT Specialist.

[FR Doc. 2021-12117 Filed 6-9-21; 8:45 am]

BILLING CODE 6690-01-P