Privacy Act of 1974; System of Records

Federal Register, Feb 11, 2021
86 Fed. Reg. 9065 (Feb. 11, 2021)

AGENCY:

Export-Import Bank of the United States.

ACTION:

Notice of new system of records.

SUMMARY:

The Export-Import Bank of the United States (EXIM) proposes to add a new electronic System of Records, EXIM CRM (Customer Relationship Management), subject to the Privacy Act of 1974, as amended. This notice is necessary to meet the requirement of the Privacy Act to publish in the Federal Register a notice of the existence and character of records maintained by the agency. Included in this notice is the System of Records Notice (SORN) for EXIM CRM.

DATES:

Comments must be received on or before March 15, 2021 to be assured of consideration.

ADDRESSES:

Comments may be submitted electronically on www.regulations.gov or by mail to Tomeka Wray, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

FOR FURTHER INFORMATION CONTACT:

Tomeka Wray, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571. Telephone number: 202.565.3996.

SUPPLEMENTARY INFORMATION:

The EXIM CRM system is used to manage relationships with potential or current customers, partners, and other organizations and agencies involved in EXIM deals or whom EXIM works with in supporting U.S. exporters. EXIM CRM is comprised of a cloud-based Salesforce application and a cloud-based HubSpot module connection integrating the HubSpot database to the Salesforce API.

SYSTEM OF RECORDS NOTICE

EIB 21-01 EXIM CRM

SYSTEM NAME AND NUMBER:

EIB 21-01 EXIM CRM, EXIM CRM

SECURITY CLASSIFICATION:

Unclassified

SYSTEM LOCATION:

EXIM CRM's Salesforce application is hosted in the Salesforce Government Cloud. The physical location and technical operation of the system are at the Salesforce Government Cloud's Chicago (Elk Grove Village, IL) and Washington (Ashburn, VA) data centers. The HubSpot application uses cloud storage and compute services from Amazon Web Services (AWS) and Google Cloud Platform (GCP). HubSpot's production infrastructure is centralized in AWS and GCP cloud hosting facilities, and is managed by the HubSpot engineering team.

SYSTEM MANAGER(S):

Senior Vice President, Office of Small Business, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The Export-Import Bank requests the information in this application under the following authorizations:

Authority of the Export-Import Bank Act of 1945, as amended (12 U.S.C. 635 et seq.), Executive Order 9397 as Amended by Executive Order 13478 signed by President George W. Bush on November 18, 2008, Relating to Federal Agency Use of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:

The purpose of this system is to allow EXIM staff to manage relationships and track interactions with potential and existing customers, partners (e.g., registered brokers, lenders, and Regional Export Promotion Program (REPP) member organizations), and other organizations and agencies involved in EXIM deals or whom EXIM works with in supporting U.S. exporters. Additionally, EXIM CRM allows designated personnel from specific partner organizations to log in through Salesforce's Partner Portal to access resources and limited customer information that helps them support EXIM's customers.

EXIM CRM is comprised of the following functional modules:

  • Salesforce Customer Relationship Management
  • Salesforce Partner Relationship Management
  • HubSpot Marketing module, Enterprise version

EXIM utilizes HubSpot Marketing Hub, integrated with Salesforce, for email automation and to host landing pages and contact forms used by the public when requesting information or follow up from EXIM.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The EXIM CRM system will contain current or potential customer information; partner organization information; EXIM employee and contractor information.

CATEGORIES OF RECORDS IN THE SYSTEM:

EXIM CRM contains information related to individuals and corporate entities that are potential, current, or former customers, partners, or other organizations and agencies involved in EXIM transactions or whom EXIM works with in supporting U.S. exporters. The EXIM CRM system contains information on EXIM employees and contractors who are users of the system.

For customer, partner, and other organization or agency information—company name, individual contact names, email address, race, ethnicity, business address, phone number, company website, number of employees, annual revenue, DUNS Number, TINs, IBANs, NAICS Code, industry, products exported, EXIM transaction number, EXIM Master Guarantee Agreement Number, EXIM Delegated Authority Lender Agreement Number.

For EXIM employees and contractors—individual name, work email address, phone number.

RECORD SOURCE CATEGORIES:

The record information contained in EXIM CRM is obtained using one of three methods: Manual entry, direct database connection to supply the required information, or through importing source flat files to the EXIM CRM database.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures that are generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed to authorized entities, as is determined to be relevant and necessary, outside EXIM as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. For EXIM employees to support current or potential customers.

b. For EXIM employees to support current or potential partners.

c. To lenders for the purposes of applying for and servicing an EXIM loan guarantee.

d. To registered insurance brokers for the purpose of applying for and servicing an EXIM export credit insurance policy.

e. To provide information to a Federal agency partner including the Department of Commerce (DOC), Small Business Administration (SBA), U.S. Trade & Development Agency (USTDA), and Development Finance Corporation (DFC) based on customer need for the purpose of linking U.S. businesses to available government business resources.

f. To provide information to partner state governments, local governments, non-profit business development and assistance organizations based on customer need for the purpose of linking U.S. businesses to exporting and other business resources.

g. To provide information to a Congressional Office from the record of an individual in response to an inquiry from that Office.

h. To disclose information to EXIM contractors supporting EXIM authorized activities.

i. For investigations of potential violations of law.

j. For litigation.

k. By National Archives and Records Administration for record management inspections in its role as Archivist.

l. For data breach and mitigation response.

m. To disclose pertinent information to the appropriate Federal, State, or local agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation or another purpose, when the disclosing agency becomes aware of an indication of a violation or potential violation of civil or criminal law or regulations.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

On electronic digital media in encrypted format within the Salesforce Government Cloud controlled environment and accessed only by authorized personnel.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Information may be retrieved by business entity name, individual name, or email address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

All records shall be retained and disposed of in accordance with EXIM directives, EXIM's Record Schedule DAA-GRS2017-0002-0002, and General Records Schedule GRS 6.5 Item 020.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Information will be stored in electronic format within EXIM CRM. EXIM CRM has configurable, layered data sharing and permissions features to ensure users have proper access. Access to Salesforce and HubSpot is restricted to EXIM personnel who need it for their job. Authorized users have access only to the data and functions required to perform their job functions. Designated personnel at specific lender, insurance broker, and Regional Export Promotion Program (REPP) partner organizations are granted limited access to EXIM CRM through Salesforce's Partner Portal. This access is managed via Salesforce's and HubSpot's System Administration, User, and security functions.

Salesforce Government Cloud is compliant with the Federal Risk and Authorization Management Program (FedRAMP). The PII information in EXIM CRM will be encrypted and stored in place, and HTTPS protocol will be employed in accessing Salesforce.

HubSpot is hosted in AWS and GCP environments that are FedRAMP compliant, and ISO 27001 certified. The PII information in EXIM CRM will be encrypted and stored in place, and HTTPS protocol will be employed in accessing HubSpot.

RECORD ACCESS PROCEDURES:

Individuals wishing to make an amendment of records about them should write to: Senior Vice President, Office of Small Business, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

And provide the following information:

1. Name.

2. Employer Identification Number (EIN) or Social Security Number, as applicable.

3. Type of information requested.

4. Signature.

CONTESTING RECORD PROCEDURES:

Individuals wishing to contest records about them should write to: Senior Vice President, Office of Small Business, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

And provide the following information:

1. Name.

2. Employer Identification Number (EIN) or Social Security Number, as applicable.

3. Signature.

4. Precise identification of the information to be amended.

NOTIFICATION PROCEDURES:

Individuals wishing to determine whether this system of records contains information about them may do so by writing to: Senior Vice President, Office of Small Business, Export-Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

And provide the following information:

1. Name.

2. Employer Identification Number (EIN) or Social Security Number, as applicable.

3. Type of information requested.

4. Address to which the information should be sent.

5. Signature.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

Bassam Doughman,

IT Specialist.

[FR Doc. 2021-02802 Filed 2-10-21; 8:45 am]

BILLING CODE 6690-01-P