SUPPORTING STATEMENT
Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice
(OMB Control No. 1550-0110)
JUSTIFICATION
1. Circumstances and Need
On March 29, 2005, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), and Office of Thrift Supervision (OTS) (collectively, the Agencies) published the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 FR 15736) (Guidance). The Guidance interprets the requirements of section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and the Interagency Guidelines Establishing Information Security Standards (Security Guidelines)[1] to include the development and implementation of a response program to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider, and describes the appropriate elements of a financial institution's response program, including customer notification procedures. OTS is now seeking OMB's approval to renew this collection of information.
2. Use of the Information Collected
The collection helps to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
A response program, of which this collection is a critical part, contains policies and procedures that enable the financial institution to: (a) assess the situation to determine the nature and scope of the incident, and identify the information systems and types of customer information affected; (b) notify the institution’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies; (c) take measures to contain and control the incident to prevent further unauthorized access to or misuse of customer information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and (d) address and mitigate harm to individual customers.
3. Use of Technology to Reduce Burden
OTS permits and encourages savings associations to use advanced technology in the preparation of the required information.
4. Effort to Identify Duplication
The information collection is not duplicative within the meaning of the PRA and OMB regulations. The collection is unique and covers each institution’s particular circumstances.
5. Minimizing the Burden on Small Entities
The collection applies to all institutions, regardless of size.
6. Consequences of Less Frequent Collections
OTS believes that less frequent collection (a less stringent disclosure standard) would result in unacceptable harm to customers of financial institutions.
7. Special Circumstances
These information collections are conducted in a manner consistent with the requirements of 5 CFR 1320.
8. Consultation with Persons Outside the Agency
Notice of intent to renew this information collection was published in the Federal Register on February 10, 2010 (75 FR 6790). OTS received no comments.
9. Payment or Gift to Respondents
No payments or gifts are made in connection with this information collection.
10. Confidentiality
Financial institutions would treat these disclosure requirements with the same degree of confidentiality as other disclosures of sensitive customer information.
11. Information of a Sensitive Nature
The disclosure of this information would be limited to account holders.
12. Estimate of Annual Burden
It is estimated that it will initially take institutions 16 hours to develop and produce the notices described in the Guidance and 20 hours per incident to determine which customers should receive the notice and notify the customers. For the purposes of this analysis, 320 was used as the number of incidents of unauthorized access requiring customer notice under the Guidance. This is the actual number experienced by covered institutions in 2009.
Thus, the burden associated with this collection of information may be summarized as follows:
Developing Notices: 16 hours x 657 respondents = 10,512 hours
Notifying Customers: 20 hours x 320 incidents = 6,400 hours
Total Estimated Annual Burden = 16,912 hours
Estimate of annualized cost: 16,912 hours x $50/hour = $845,600
13. Total Annual Cost Burden
Not applicable.
14. Annualized Cost to the Federal Government
Negligible.
15. Reason for Program Changes or Adjustments
OTS is citing a decrease in the inventory burden of 6,525 hours. This is due to a reduction in the number of respondents.
16. Publication
Not applicable.
17. Display of Expiration Date
Not applicable.
18. Exceptions to Certification
None.
STATISTICAL METHODS
Not applicable.
[1] 12 CFR part 570, app. B (OTS).
File Type: application/msword
File Title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
Last Modified By: Ira Mills
File Modified: 2010-04-14
File Created: 2010-01-05