SUPPORTING STATEMENT
Notice Regarding Unauthorized Access to Customer Information
(3064-0145)
INTRODUCTION
The FDIC is requesting OMB approval for a three-year extension, without change in the method or substance of collection, to continue the information collection requirements contained in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published jointly by the FDIC, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency. The information collection expires on May 31, 2019.
A. JUSTIFICATION
1. Circumstances that make the collection necessary:
The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice describes the Agencies’ expectations regarding a response program, including customer notification procedures, that a financial institution should develop and apply under the circumstances described in the Guidance to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The Guidance advises financial institutions when and how they might develop and adopt policies and procedures regarding unauthorized access to customer information. The guidance also states that "an institution should notify affected customers when it becomes aware of unauthorized access to sensitive customer information unless the institution, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including monitoring affected customers' accounts for unusual or suspicious activity."
2. Use of the information:
The collection is intended to help financial institutions develop administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
A response program, of which this collection is a critical part, contains policies and procedures that enable the financial institution to: (a) assess the situation to determine the nature and scope of the incident, and identify the information systems and types of customer information affected; (b) notify the institution’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies; (c) take measures to contain and control the incident to prevent further unauthorized access to or misuse of customer information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and (d) address and mitigate harm to individual customers.
3. Consideration of the use of improved information technology:
Respondents may use any technology they wish to reduce the burden associated with this collection.
4. Efforts to identify duplication:
There is no duplication. Each respondent is encouraged to adopt policies and procedures appropriate to their particular circumstances, level of complexity and size.
5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:
The information collection is not expected to have a significant impact on a substantial number of small entities. Each respondent is encouraged to adopt policies and procedures appropriate to their particular circumstances, level of complexity and size.
6. Consequences to the Federal program if the collection were conducted less frequently:
The FDIC believes that less frequent collection (a less stringent disclosure standard) would result in unacceptable risk of harm to customers of financial institutions.
7. Special circumstances necessitating collection inconsistent with 5 CFR Part 1320.5(d)(2):
There are no special circumstances. This information collection is conducted in accordance with the guidelines in 5 CFR 1320.5(d)(2).
8. Efforts to consult with persons outside the agency:
Extensive interagency collaboration was involved in creating the Guidance. When the Guidance was first developed in 2003, it was published in proposed form in the Federal Register and revised based on comments received. With respect to the current renewal of this information collection, on November 23, 2018, FDIC published a Federal Register notice seeking public comment for a 60-day period (83 FR 59833). No comments were received.
9. Payments or gifts to respondents:
None.
10. Any assurance of confidentiality:
Confidential information will be kept private to the extent allowed by law.
11. Justification for questions of a sensitive nature:
The information collection does not request information of a sensitive nature.
12. Estimate of hour burden including annualized hourly costs:
Summary of Annual Burden |
|||||
|
Type of Burden |
Estimated Number of Respondents |
Estimated Time per Response |
Frequency of Response |
Total Estimated Annual Burden Hours |
Implementation (One Time) |
|
|
|
|
|
Develop Policies and Procedures for Response Program |
Recordkeeping |
2 |
24 hours |
1 |
48 hours |
Ongoing |
|
|
|
|
|
Notice Regarding Unauthorized Access to Customer Information |
Third Party Disclosure |
315 |
36 hours |
On Occasion |
11,340 hours |
Total Estimated Annual Burden |
|
|
|
|
11,388 hours |
Estimated Cost Burden:
FDIC estimated the total burden cost for the ICR (OMB 3064-0145) using the May 2017 75th percentile hourly wage reported by the Bureau of Labor Statistics (BLS) National Industry-Specific Occupational Employment and Wage Estimates for the relevant occupations in the depository credit intermediation sector.
Occupations, Depository Credit Intermediation Sector |
Hourly Wage |
Weights |
Weighted Hourly Wage |
Office and Administrative Support Occupations |
$20.41 |
30% |
$6.12 |
Financial Managers |
$71.59 |
45% |
$32.22 |
Lawyers |
$100 1 |
15% |
$15.00 |
Top Executives |
$87.95 |
10% |
$8.80 |
Weighted Average |
|
|
$62.14 |
The hourly wage rates reported do not include non-monetary compensation. According to the June 2018 Employer Cost of Employee Compensation data, compensation rates for health and other benefits are 35.7 percent of total compensation. Therefore, the agency adjusted the hourly wage rates reported by BLS based on changes in the Consumer Price Index for Urban Consumers (CPI-U) from May 2017 to June 2018 (2.85%) to account for inflation and ensure that the wage information is contemporaneous with the non-monetary compensation statistic. We grossed up the inflation adjusted wages to include non-monetary compensation. After calculating these adjustments, the estimated total hourly compensation rates are as follows:
Occupations, Depository Credit Intermediation Sector |
Adjusted Hourly Wage |
Weights |
Weighted Adjusted Hourly Wage |
Office and Administrative Support Occupations |
$32.65 |
30% |
$9.80 |
Financial Managers |
$114.51 |
45% |
$51.53 |
Lawyers |
$159.95 |
15% |
$24.00 |
Top Executives |
$140.68 |
10% |
$14.07 |
Weighted Average |
|
|
$99.40 |
Using the total estimated hourly burden and the total hourly compensation estimate, the total estimated cost burden for the ICR (OMB No. 3064-0145) is $1,155,823.20 per year (11,628 hours/year x $99.40/hr).
13. Estimate of start-up costs to respondents:
None.
14. Estimate of annualized costs to the government:
None.
15. Analysis of change in burden:
There is no change in the method or substance of the information collection. With respect to the third party disclosure requirements associated with providing notices regarding unauthorized access to customer information, the FDIC revised its estimate of the response time from 29 hours per response to 36 hours per response. The agency also revised its estimate of the number of annual respondents from 80 to 315 to reflect current industry trend data.
16. Information regarding collections whose results are planned to be published for statistical use:
The results of this collection will not be published for statistical use.
17. Display of expiration date
Not applicable.
STATISTICAL METHODS
Not Applicable
1 The BLS does not report hourly wages greater than $100. Therefore, $100 should be considered a low-bound estimate for the lawyer wage.
| File Type | application/msword |
| File Title | SUPPORTING STATEMENT |
| Author | FDIC |
| Last Modified By | SYSTEM |
| File Modified | 2019-02-26 |
| File Created | 2019-02-26 |