1557-0227 Supporting Statement 6-11-19


Supporting Statement for

Guidance Regarding Unauthorized Access

to Customer Information

OMB Control No. 1557-0227


A. Justification


1. Circumstances that make the collection necessary:


Section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) requires the OCC to establish appropriate standards for national banks relating to administrative, technical, and physical safeguards:


(1) To insure the security and confidentiality of customer records and information;


(2) To protect against any anticipated threats or hazards to the security or integrity of such records; and


(3) To protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.


The Interagency Guidelines Establishing Information Security Standards, 12 CFR part 30, appendix B (Security Guidelines), which implement section 501(b), require each entity supervised by the OCC (supervised institution) to consider and adopt a response program, if appropriate, that specifies actions to be taken when the supervised institution suspects or detects that unauthorized individuals have gained access to customer information.


2. Use of the information:


The Interagency Guidance on Response Programs for Unauthorized Customer Information and Customer Notice (Breach Notice Guidance),[1] which provides interpretation of the Security Guidelines, states that, at a minimum, a supervised institution’s response program should contain procedures for the following:


(1) Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;


(2) Notifying its primary federal regulator as soon as possible when the supervised institution becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information;


(3) Taking appropriate steps to contain and control the incident in an effort to prevent further unauthorized access to, or use of, customer information (for example, by monitoring, freezing, or closing affected accounts), while preserving records and other evidence; and


(4) Notifying customers when warranted.


3. Consideration of the use of improved information technology:


Respondents may use any technology they wish to reduce the burden associated with this collection.


4. Efforts to identify duplication:


There is no duplication.


5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.


Appendix B to 12 CFR part 30 applies to all OCC-supervised institutions regardless of asset size.  The OCC believes that all institutions should prepare customer response programs.  However, the OCC recognizes that an institution’s program will vary depending on the size and complexity of the institution and the nature and scope of its activities.


6. Consequences to the federal program if the collection were conducted less frequently:


The OCC believes that less frequent collection (a less stringent disclosure standard) would result in unacceptable harm to customers.


7. Special circumstances necessitating collection inconsistent with 5 CFR part 1320:


No special circumstances exist.


8. Efforts to consult with persons outside the agency:


The collection was published for public comment at 84 FR 14194 (April 9, 2019). No comments were received.


9. Payment or gift to respondents:


Not applicable.


10. Any assurance of confidentiality:


The information collected is kept private to the extent permissible by law.


11. Justification for questions of a sensitive nature:


The disclosure of this information would be limited to customers.


12. Burden estimate:

The burden associated with this collection of information is summarized as follows:

Estimated Number of Respondents: 20.

Developing notices: 16 hrs. x 20 respondents = 320 hours

Notifying customers: 20 hrs. x 20 respondents = 400 hours

Estimated average burden per respondent: 36 hours.

Total Estimated Annual Burden: 720 hours

Cost of Hour Burden

720 x $114 = $84,080


To estimate wages, we reviewed May 2018 data for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for credit intermediation and related activities excluding nondepository credit intermediaries (NAICS 5220A1). To estimate compensation costs associated with the rule, we use $114 per hour, which is based on the average of the 90th percentile for nine occupations, adjusted for inflation (2.8 percent as of Q1 2019 according to the BLS), plus an additional 33.2 percent for benefits (based on the percent of total compensation allocated to benefits as of Q4 2018 for NAICS 522: credit intermediation and related activities).


13. Estimate of total annual costs to respondents (excluding cost of hour burden in Item #12):


Not applicable.


14. Estimate of annualized costs to the federal government:


Not applicable.


15. Change in burden:


There is no change in burden.


16. Information regarding collections whose results are planned to be published for statistical use:


The results of these collections will not be published for statistical use.

17. Reasons for not displaying OMB approval expiration date:


Not applicable.


18. Exceptions to certification statement:


None.


B. Collections of Information Employing Statistical Methods.


Not applicable.


[1] 12 CFR part 30, appendix B.



File type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
File created: 2021-01-16
