Privacy Act of 1974; System of Records

AGENCY:

Federal Deposit Insurance Corporation (FDIC).

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, the FDIC proposes to establish a new FDIC system of records titled FDIC–041, “Personal Information Allowing Network Operations (PIANO).” This system of records maintains information collected from individuals that interact with FDIC information technology resources, including FDIC employees, FDIC contractors, FDIC volunteers, FDIC interns, Federal and State financial regulator employees, financial institution employees, and other members of the public. FDIC collects and maintains the information necessary in this system of records to support and facilitate the approval, monitoring, and disabling of access by individuals that interact with FDIC information technology resources. We hereby publish this notice for comment on the proposed action.

DATES:

This action will become effective on May 2, 2023. The routine uses in this action will become effective June 1, 2023, unless the FDIC makes changes based on comments received. Written comments should be submitted on or before June 1, 2023.

ADDRESSES:

Interested parties are invited to submit written comments identified by Privacy Act Systems of Records (FDIC–041) by any of the following methods:

• Agency Website: https://www.fdic.gov/resources/regulations/federal-register-publications/. Follow the instructions for submitting comments on the FDIC website.

• Email: comments@fdic.gov. Include “Comments-SORN (FDIC–041)” in the subject line of communication.

• Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments-SORN (FDIC–041), Legal Division, Office of the Executive Secretary, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.

• Hand Delivery: Comments may be hand-delivered to the guard station at the rear of the 17th Street NW building (located on F Street NW), on business days between 7:00 a.m. and 5:00 p.m.

• Public Inspection: Comments received, including any personal information provided, may be posted without change to https://www.fdic.gov/resources/regulations/federal-register- publications/. Commenters should submit only information that the commenter wishes to make available publicly. The FDIC may review, redact, or refrain from posting all or any portion of any comment that it may deem to be inappropriate for publication, such as irrelevant or obscene material. The FDIC may post only a single representative example of identical or substantially identical comments, and in such cases will generally identify the number of identical or substantially identical comments represented by the posted example. All comments that have been redacted, as well as those that have not been posted, that contain comments on the merits of this document will be retained in the public comment file and will be considered as required under all applicable laws. All comments may be accessible under the Freedom of Information Act (FOIA).

FOR FURTHER INFORMATION CONTACT:

Shannon Dahn, Chief, Privacy Program, 703–516–5500, privacy@fdic.gov.

SUPPLEMENTARY INFORMATION:

FDIC conducts much of its business electronically and must ensure that its information technology resources operate in a secure and proper manner, which includes controlling and monitoring access to its information technology resources to ensure that access is restricted to authorized individuals. Accordingly, FDIC collects and maintains information in this system of records to support and facilitate the approval, monitoring, and disabling of access for individuals that interact with FDIC information technology resources, which includes FDIC employees, FDIC contractors, FDIC volunteers, FDIC interns, Federal and State financial regulator employees, financial institution employees, and other members of the public. This newly established system will be included in FDIC's inventory of record systems.

SYSTEM NAME AND NUMBER:

Personal Information Allowing Network Operations, FDIC–041.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are centrally maintained at FDIC, 550 17th Street NW, Washington, DC 20429. There are instances where records may be maintained at other secure locations, as well as on secure servers maintained by third-party service providers for the FDIC.

SYSTEM MANAGER(S):

Deputy Director, Infrastructure and Operations Services Branch, Division of Information Technology, FDIC, 3501 Fairfax Drive, Arlington, VA 22226.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Section 9, Corporate Powers, of the Federal Deposit Insurance Act (12 U.S.C. 1819).

PURPOSE(S) OF THE SYSTEM:

The information in the system is being collected to support and facilitate the approval, monitoring, and disabling of access for individuals that interact with FDIC information technology resources.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system of records include all individuals that interact with FDIC information technology resources, including FDIC employees, FDIC contractors, FDIC volunteers, FDIC interns, Federal and State financial regulator employees, financial institution employees, and other members of the public.

CATEGORIES OF RECORDS IN THE SYSTEM:

Records in this system include: Records related to the authentication and verification of a user, which includes name, email address, government issued identification numbers, photographs of government-issued IDs, to include all personal information and images on the IDs, Social Security number (SSN), phone number, postal address, verification transaction ID, verification pass/fail indicator, date and time of verification transaction, user roles, justification for access, date of separation, trainings status and other prerequisites, and status codes associated with the verification transaction data, names, phone numbers of other contacts, and positions or business/organizational affiliations and titles of individuals who can verify that the individual seeking access has a need for access as well as other contact information provided to FDIC that is derived from other sources to facilitate access to FDIC information technology resources. Logs of activity when interacting with FDIC information technology resources, including, but not limited to, network user ID, password, date and time of access, internet Protocol (IP) address of the device used for access, Media Access Control (MAC) address of the device used for access, hash files, and equipment used to access FDIC's network.

RECORD SOURCE CATEGORIES:

Information in this system is obtained from individuals, entities, and/or information already in other FDIC records systems.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the FDIC as a routine use as follows:

(1) To appropriate Federal, State, local and foreign authorities responsible for investigating or prosecuting a violation of, or for enforcing or implementing a statute, rule, regulation, or order issued, when the information indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto;

(2) To a court, magistrate, or other administrative body in the course of presenting evidence, including disclosures to counsel or witnesses in the course of civil discovery, litigation, or settlement negotiations or in connection with criminal proceedings, when the FDIC is a party to the proceeding or has a significant interest in the proceeding, to the extent that the information is determined to be relevant and necessary;

(3) To a congressional office in response to an inquiry made by the congressional office at the request of the individual who is the subject of the record;

(4) To appropriate agencies, entities, and persons when (a) the FDIC suspects or has confirmed that there has been a breach of the system of records; (b) the FDIC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FDIC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FDIC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm;

(5) To another Federal agency or Federal entity, when the FDIC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach, or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach;

(6) To contractors, agents, or other authorized individuals performing work on a contract, service, cooperative agreement, job, or other activity on behalf of the FDIC or Federal Government and who have a need to access the information in the performance of their duties or activities;

(7) To third parties providing remote or in-person authentication and identity proofing services, as necessary to authenticate and/or identity proof an individual for access to an FDIC service or application.

(8) To sponsors, employers, contractors, facility operators, experts, and consultants in connection with establishing an access account for an individual or maintaining appropriate points of contact and when necessary to accomplish a FDIC need related to this system of records;

(9) To Federal agencies such as Office of Personnel Management, the Merit Systems Protection Board, the Office of Management and Budget, Federal Labor Relations Authority, Government Accountability Office, and the Equal Employment Opportunity Commission in the fulfillment of these agencies' official duties.

(10) To international, Federal, State and local, Tribal, or private entities for the purpose of the regular exchange of business contact information in order to facilitate collaboration for official business.

(11) To a Federal agency, organization, or individual for the purpose of performing audit or oversight operations as authorized by law.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in electronic media and in paper format in secure facilities.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are indexed and may be retrieved by a variety of fields, including, but not limited to, name, username, email address, business affiliation, or other data fields previously identified in this SORN.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records may be maintained for as long as six years following the termination of an individual's FDIC user account in accordance with approved records retention schedules.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Records are protected from unauthorized access and improper use through administrative, technical, and physical security measures. Administrative safeguards include written guidelines on handling personal information, including agency-wide procedures for safeguarding personally identifiable information. In addition, all FDIC staff are required to take annual privacy and security training. Technical security measures within FDIC include restrictions on computer access to authorized individuals who have a legitimate need to know the information; required use of strong passwords that are frequently changed; multi-factor authentication for remote access and access to many FDIC network components; use of encryption for certain data types and transfers; firewalls and intrusion detection applications; and regular review of security procedures and best practices to enhance security. Physical safeguards include restrictions on building access to authorized individuals, security guard service, and maintenance of records in lockable offices and filing cabinets.

RECORD ACCESS PROCEDURES:

Individuals wishing to request access to records about them in this system of records should submit their request online through https://www.securerelease.us/. Individuals will be required to provide proof of identity, a detailed description of the records they seek, including the time period when the records were created and other supporting information where possible. Alternatively, individuals may provide a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must include full name, address, and verification of identity in accordance with FDIC regulations at 12 CFR part 310.

CONTESTING RECORD PROCEDURES:

Individuals wishing to contest or request an amendment to their records in this system of records should submit their request online through https://www.securerelease.us/. Individuals will be required to provide proof of identity, a detailed description of the records they seek, including the time period when the records were created and other supporting information where possible, and the reason for amendment or correction. Alternatively, individuals can provide a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must specify the information being contested, the reasons for contesting it, and the proposed amendment to such information in accordance with FDIC regulations at 12 CFR part 310.

NOTIFICATION PROCEDURES:

Individuals wishing to know whether this system contains information about them should submit their request online through https://www.securerelease.us/. Individuals will be required to provide proof of identity, a detailed description of the records they seek, including the time period when the records were created and other supporting information where possible. Alternatively, individuals can provide a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must include full name, address, and verification of identity in accordance with FDIC regulations at 12 CFR part 310.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.