Supporting Statement for Paperwork Reduction Act Submission
12 CFR part 748, Security Program and Appendix B
OMB Control Number 3133-0033
September 2013
A. Justification
1. Circumstances that make the collection necessary:
This collection is a notice requirement derived from a rule requiring federally insured credit unions to design their security programs to respond to incidents of unauthorized access to member information. The rule is accompanied by guidance, in the form of Appendix B, which describes NCUA’s expectations for credit unions to meet this obligation, and closely follows similar guidance published by the other federal banking agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Office of Thrift Supervision).
In accordance with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801 et seq., federally-insured credit unions are required to implement information security programs designed to protect member information. Appendix B describes the components of a response program and establishes a standard for providing notice to members affected by unauthorized access to or use of member information that could result in substantial harm or inconvenience to those members, thereby reducing the risk of losses due to fraud or identity theft.
The guidance describes NCUA’s expectation that "a credit union should notify affected members when it becomes aware of unauthorized access to sensitive member information unless the credit union, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected members, including monitoring affected members’ accounts for unusual or suspicious activity." This third-party disclosure is considered a collection of information under the Paperwork Reduction Act.
2. Use of the information:
The collection helps federally insured credit unions to develop and implement administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of member records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member.
A response program, of which this collection is a critical part, contains policies and procedures that enable the credit unions to: (A) assess the situation to determine the nature and scope of the incident, and identify the information systems and types of member information affected; (B) notify the credit union’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies; (C) take measures to contain and control the incident to prevent further unauthorized access to or misuse of member information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and (D) address and mitigate harm to individual members.
3. Consideration of the use of improved information technology:
Respondents may use any technology they wish to reduce the burden associated with this collection.
4. Efforts to identify duplication:
The information collection is unique to federally-insured credit unions and is not duplicated elsewhere.
5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:
The collection applies to all institutions, regardless of size.
6. Consequence to the Federal program if the collections were conducted less frequently:
NCUA believes that less frequent collection (i.e., a less comprehensive security program with diminished expectations as to the member response elements) would result in unacceptable harm to credit union members.
7. Special circumstances necessitating that a collection be conducted in a manner inconsistent with 5 CFR § 1320.5(d)(2):
No special circumstances exist.
8. Efforts to consult with persons outside the agency:
Contact was made with a federal banking agency to discuss renewal of this collection. Notice of the proposed information collection was published with a 60-day comment period in the Federal Register on July 19, 2013 (78 FR 43230). NCUA did not receive any comments regarding the collection.
9. Payment to respondents:
No payment or gift will be provided to respondents.
10. Assurance of confidentiality:
Federally-insured credit unions, like all other regulated financial institutions, are required to preserve and maintain the confidentiality of member financial information. All collected information associated with this rule and Appendix B would be treated with the same degree of confidentiality as other disclosures of sensitive member information.
11. Justification for questions of a sensitive nature:
The information covered by this collection is not of a “sensitive nature,” and would, in any case, be limited to the account holder(s).
12. Burden estimates:
It is estimated that it will take federally-insured credit unions 20 hours (2.5 business days) to revise and produce the notices described in the Guidance and 24 hours per incident (three business days) to determine which members should receive the notice and to notify them. For this analysis, it is estimated that two percent of federally-insured credit unions will experience an incident of unauthorized access to member information on an annual basis, resulting in member notification.
Thus, the burden associated with this collection of information may be summarized as follows:
Number of Respondents: 6,753
Estimated Time per Response:
IC 1. Developing notices: 20 hrs. x 6,753 = 135,060 hours
IC 2. Notifying members: 24 hrs. x 135 = 3,240 hours
Total Estimated Annual Burden: 138,300 hours
This burden estimate does not include time required for credit unions to adjust their contracts with third party service providers, if needed; nor for service providers to disclose information pursuant to the proposed guidance.
Estimate of annualized cost: 138,300 hours x $50/hour = $6,915,000.
13. Estimate of total annual cost burden to respondents or recordkeepers resulting from the collection of information:
It is not anticipated that federally insured credit unions will incur any significant third party costs or expenditures pursuant to this information collection, as credit unions should be able to use readily available equipment and procedures.
14. Estimate of annualized cost to the federal government:
The cost to the federal government is negligible.
15. Changes in burden:
NCUA has modified the burden estimates to reflect the decline in the number of federally-insured credit unions since the previous filing. Credit unions would have developed a response program, but would need to revise notices based on the type of unauthorized access. The reduction in the “Total annual hours requested” is directly related to the decline in the number of federally-insured credit unions since the previous filing.
16. Information regarding collection whose results are planned to be published for statistical use:
This question does not apply to this filing.
17. Request to not display the expiration date:
NCUA is not requesting approval to omit the expiration date.
18. Exceptions to the certification statement:
There are no exceptions to the certification statement.
B. Employment of statistical methods:
This collection does not employ statistical methods.
File Type: application/msword
File Title: Supporting Statement for Paperwork Reduction Act Submission
Author: NCUA
Last Modified By: Jerilynn Walker
File Modified: 2013-10-18
File Created: 2013-10-18