1557-0227 (Supporting Statement -5-22-2013)

Guidance Regarding Unauthorized Access to Customer Information

OMB: 1557-0227


Supporting Statement for Guidance Regarding Unauthorized Access to Customer Information

OMB Control No. 1557-0227




A. Justification


  1. Circumstances that Make the Collection of Information Necessary:


Section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) requires the OCC to establish appropriate standards for national banks relating to administrative, technical, and physical safeguards:


(1) To insure the security and confidentiality of customer records and information;


(2) To protect against any anticipated threats or hazards to the security or integrity of such records; and


(3) To protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.


The Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 30, Appendix B and Part 170, Appendix B (collectively, Security Guidelines), implementing section 501(b), require each entity supervised by the OCC (supervised institution) to consider and adopt a response program, if appropriate, that specifies actions to be taken when the supervised institution suspects or detects that unauthorized individuals have gained access to customer information.


  2. Use of the Information Collected:


The Interagency Guidance on Response Programs for Unauthorized Customer Information and Customer Notice (Breach Notice Guidance¹), which provides interpretation of the Security Guidelines, states that, at a minimum, a supervised institution’s response program should contain procedures for the following:


(1) Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;


(2) Notifying its primary Federal regulator as soon as possible when the supervised institution becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information;


(3) Consistent with the OCC’s Suspicious Activity Report regulations, notifying appropriate law enforcement authorities, as well as filing a timely SAR in situations in which Federal criminal violations require immediate attention, such as when a reportable violation is ongoing;


(4) Taking appropriate steps to contain and control the incident in an effort to prevent further unauthorized access to, or use of, customer information (for example, by monitoring, freezing, or closing affected accounts), while preserving records and other evidence; and


(5) Notifying customers when warranted.


This collection of information covers the notice provisions in the Breach Notice Guidance.


  3. Consideration of the use of improved information technology:


Respondents may use any technology they wish to reduce the burden associated with this collection.


  4. Efforts to identify duplication:


There is no duplication.


  5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:


This information collection does not have a significant impact on a substantial number of small entities.


  6. Consequences to the Federal program if the collection were conducted less frequently:


The OCC believes that less frequent collection (a less stringent disclosure standard) would result in unacceptable harm to customers.


  7. Special circumstances necessitating collection inconsistent with 5 CFR part 1320:


No special circumstances exist.


  8. Consultation with persons outside the agency:


The collection was published for public comment at 78 FR 15120 (March 8, 2013). No comments were received.


  9. Payment to respondents:


Not applicable.


  10. Confidentiality:


The information collected is kept confidential to the extent permissible by law.


  11. Information of a Sensitive Nature:


The disclosure of this information would be limited to customers.


  12. Burden estimate:

The burden associated with this collection of information is summarized as follows:

Estimated Number of Respondents: 344

Developing notices: 16 hrs. x 344 respondents = 5,504 hours

Notifying customers: 20 hrs. x 344 respondents = 6,880 hours

Estimated average burden per respondent: 36 hours.

Total Estimated Annual Burden: 12,384 hours

  13. Estimate of annualized costs to respondents:

Not applicable.


  14. Estimate of annualized costs to the government:


Not applicable.


  15. Changes to burden:


Prior burden:


Estimated number of Respondents: 495.

Estimated Average Burden per Respondent: 36 hours.

Total Estimated Annual Burden: 17,820 hours.


Current Burden:

Estimated Number of Respondents: 344.

Estimated Average Burden per Respondent: 36 hours.

Total Estimated Annual Burden: 12,384 hours.


Difference:


Estimated Number of Respondents: -151.

Estimated Average Burden per Respondent: no change.

Total Estimated Annual Burden: -5,436 hours.


The decrease in burden is due to the decrease in the number of national banks.


  16. Information regarding collections whose results are planned to be published for statistical use:


The results of these collections will not be published for statistical use.

17. Display of expiration date:


Not applicable.


18. Exceptions to certification statement:


None.


B. STATISTICAL METHODS


Not applicable.


¹ 12 CFR Part 30, Appendix B, Supplement A.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
File Modified: 0000-00-00
File Created: 2021-01-29
