Privacy Act of 1974; System of Records

Issuing agencies

Abstract

The Export-Import Bank of the United States (EXIM) proposes to add a new electronic system of records, EXIM CRM (Customer Relationship Management), subject to the Privacy Act of 1974, as amended. This notice is necessary to meet the requirements of the privacy act which is to publish in the Federal Register a notice of the existence and character of records maintained by the agency. Included in this notice is the system of records notice (SORN) for EXIM CRM.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 110 (Thursday, June 10, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 110 (Thursday, June 10, 2021)]
[Notices]
[Pages 30933-30935]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-12117]


=======================================================================
-----------------------------------------------------------------------

EXPORT-IMPORT BANK


Privacy Act of 1974; System of Records

AGENCY: Export-Import Bank of the United States.

ACTION: Notice of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Export-Import Bank of the United States (EXIM) proposes to 
add a new electronic system of records, EXIM CRM (Customer Relationship 
Management), subject to the Privacy Act of 1974, as amended. This 
notice is necessary to meet the requirements of the privacy act which 
is to publish in the Federal Register a notice of the existence and 
character of records maintained by the agency. Included in this notice 
is the system of records notice (SORN) for EXIM CRM.

DATES: Comments must be received on or before July 12, 2021 to be 
assured of consideration.

ADDRESSES: Comments may be submitted electronically on 
<a href="http://www.regulations.gov">www.regulations.gov</a> or by mail to Tomeka Wray, Export-Import Bank of 
the United States, 811 Vermont Ave. NW, Washington, DC 20571.

FOR FURTHER INFORMATION CONTACT: Tomeka Wray, by email 
<a href="/cdn-cgi/l/email-protection#11457e7c747a703f46637068517469787c3f767e67"><span class="__cf_email__" data-cfemail="beead1d3dbd5df90e9ccdfc7fedbc6d7d390d9d1c8">[email&#160;protected]</span></a>, or telephone 202-565-3996, or by mail Export-
Import Bank of the United States, 811 Vermont Ave. NW, Washington, DC 
20571.

SUPPLEMENTARY INFORMATION: EXIM is establishing a new system of 
records, EXIM CRM. The system will be used to help EXIM business 
development and customer service operations essential to its mission of 
supporting American jobs

[[Page 30934]]

by facilitating the export of U.S. goods and services. EXIM CRM is 
comprised of two integrated, cloud-based applications, Salesforce and 
HubSpot.

SYSTEM NAME AND NUMBER:
    EXIM CRM, EIB 21-01.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Export-Import Bank of the United States, 811 Vermont Ave. NW, 
Washington, DC 20571.
    EXIM CRM consists of two cloud-based applications--Salesforce and 
HubSpot. The Salesforce application and data is hosted in Salesforce 
Government Cloud. The HubSpot application and data are hosted in Amazon 
Web Services (AWS) and Google Cloud Platform (GCP).

SYSTEM MANAGER(S):
    Senior Vice President, Office of Small Business, Export-Import Bank 
of the United States, 811 Vermont Ave. NW, Washington, DC 20571.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Export-Import Bank requests the information in this application 
under the following authorizations:
    Authority of the Export-Import Bank Act of 1945, as amended (12 
U.S.C. 635 et seq.), Executive Order 9397 as Amended by Executive Order 
13478 signed by President George W. Bush on November 18, 2008, Relating 
to Federal Agency Use of Social Security Numbers.

PURPOSE(S) OF THE SYSTEM:
    This system will enable EXIM business development and customer 
service operations essential to its mission of supporting American jobs 
by facilitating the export of U.S. goods and services. Information in 
the system will be used to manage relationships and track interactions 
with companies and their representatives who are potential, current, or 
former customers or that are also involved in an EXIM financing 
transaction (e.g., as a sponsor or an advisor). It will also be used to 
manage relationships and track interactions with partner organizations 
and agencies and their representatives (registered insurance brokers, 
commercial lenders, and members of the Regional Export Promotion 
Program) as well as other organizations and agencies whom EXIM works 
with in supporting U.S. exporters (e.g., other government agencies and 
nonprofit business development organizations). Additionally, EXIM CRM 
allows designated personnel from specific partner organizations to log 
in through Salesforce's Partner Portal to access resources and limited 
information on potential or current clients that helps them support 
those clients. EXIM CRM is also used for email outreach and to host 
landing pages and contact forms used by the public when requesting 
information or follow up from EXIM. Data from this system may also be 
used to track, evaluate, and improve EXIM's products and operations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Covered individuals are:
    <bullet> Staff or representatives of companies that are potential, 
current, or former customer or that are also involved in an EXIM deal 
(e.g., as a sponsor or an advisor).
    <bullet> Staff or representatives of EXIM partner organizations 
(registered insurance brokers, commercial lenders, members of EXIM's 
Regional Export Promotion Program).
    <bullet> Staff or representatives of other organizations EXIM works 
with in supporting U.S. exporters including local, state, and federal 
government agencies and nonprofit business development organizations.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Individual records in EXIM CRM include full name, company name, 
business address, phone number, email address, race, and ethnicity.

RECORD SOURCE CATEGORIES
    The primary source of information is from the individual about whom 
the record is maintained. Additional sources of information are EXIM's 
partner organizations and other government agencies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures that are generally permitted under 
5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside EXIM 
as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To commercial lenders who issue loans covered by EXIM 
guarantees, for the purpose of assisting current/potential EXIM 
customers apply for or service an EXIM guaranteed loan;
    b. To registered insurance brokers who distribute EXIM Export 
Credit Insurance policies, for the purpose of assisting current/
potential EXIM customers apply for or manage an EXIM policy;
    c. To a Federal agency partner including the Department of Commerce 
(DOC), Small Business Administrations (SBA), U.S. Trade & Development 
Agency (USTDA), and Development Finance Corporation (DFC) for the 
purpose of assisting current/potential EXIM customers, or companies 
that do not qualify for EXIM financing, with export financing or other 
export/trade support services;
    d. To a state government, local government, or non-profit business 
development organization partners for the purpose of assisting current/
potential EXIM customers, or companies that do not qualify for EXIM 
financing, with export/trade support services;
    e. To EXIM contractors, agents, or others performing work on a 
contract, service, cooperative agreement, job, or other activity for 
EXIM and who have a need to access the information in the performance 
of their duties or activities for EXIM;
    f. To the appropriate Federal, State, local, territorial, tribal, 
foreign, or international law enforcement authority or other 
appropriate entity where a record, either alone or in conjunction with 
other information, indicates a violation or potential violation of law, 
whether criminal, civil, or regulatory in nature;
    g. In an appropriate proceeding before a court, grand jury, or 
administrative or adjudicative body or official, when EXIM or other 
Agency representing EXIM determines the records are relevant and 
necessary to the proceeding; or in an appropriate proceeding before an 
administrative or adjudicative body when the adjudicator determines the 
records to be relevant to the proceeding;
    h. To any component of the Department of Justice for the purpose of 
representing EXIM, or its components, officers, employees, or members 
in pending or potential litigation to which the record is pertinent;
    i. To a Congressional office in response to an inquiry from the 
congressional office made at the request of the individual to whom the 
record pertains;
    j. To the National Archives and Records Administration (NARA) for 
records management purposes;
    k. To appropriate agencies, entities, and persons when (1) EXIM 
suspects or has confirmed that there has been a breach of the system of 
records; (2) EXIM has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, EXIM, the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is

[[Page 30935]]

reasonably necessary to assist in connection with EXIM's efforts to 
respond to the suspected or confirmed breach or to prevent, minimize, 
or remedy such harm; and
    l. To another Federal agency or Federal entity, when EXIM 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS.
    Records are stored digitally in encrypted format in the Salesforce 
and HubSpot cloud environments.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records may be retrieved by business entity name, individual name, 
or email address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    All records are retained and disposed of in accordance with EXIM 
directives, EXIM's Record Schedule DAA-GRS2017-0002-0002, and General 
Records Schedule GRS 6.5 Item 020.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Information will be stored in electronic format within EXIM CRM. 
EXIM CRM has configurable, layered data sharing and permissions 
features to ensure users have proper access. Access to Salesforce and 
HubSpot is restricted to EXIM personnel who need it for their job. 
Authorized users have access only to the data and functions required to 
perform their job functions. Designated personnel at specific lender, 
insurance broker, and Regional Export Promotion Program (REPP) partner 
organizations are granted limited access to EXIM CRM through 
Salesforce's Partner Portal. This access is managed via Salesforce's 
and HubSpot's System Administration, User, and security functions.
    Salesforce Government Cloud is compliant with the Federal Risk and 
Authorization Management Program (FedRAMP). The PII information in EXIM 
CRM will be encrypted and stored in place, and HTTPS protocol will be 
employed in accessing Salesforce.
    HubSpot is hosted in AWS and GCP environments that are FedRAMP 
compliant, and ISO 27001 certified. The PII information in EXIM CRM 
will be encrypted and stored in place, and HTTPS protocol will be 
employed in accessing HubSpot.

RECORD ACCESS PROCEDURE:
    Requests to access records under the Privacy Act must be submitted 
in writing and signed by the requestor. Requests should be addressed to 
the Freedom of Information and Privacy Office, Export-Import Bank of 
the United States, 811 Vermont Ave. NW, Washington, DC 20571. The 
request must comply with the requirements of 12 CFR 404.14.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest and/or amend records under the 
Privacy Act must submit a request in writing. The request must be 
signed by the requestor and should be addressed to the Freedom of 
Information and Privacy Office, Export-Import Bank of the United 
States, 811 Vermont Ave. NW, Washington, DC 20571. The request must 
comply with the requirements of 12 CFR 404.14.

NOTIFICATION PROCEDURES:
    Individuals seeking to be notified if this system contains a record 
pertaining to himself or herself must submit a request in writing. The 
request must be signed by the requestor and should be addressed to the 
Freedom of Information and Privacy Office, Export-Import Bank of the 
United States, 811 Vermont Ave. NW, Washington, DC 20571. The request 
must comply with the requirements of 12 CFR 404.14.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY
    Not Applicable.

Bassam Doughman,
IT Specialist.
[FR Doc. 2021-12117 Filed 6-9-21; 8:45 am]
BILLING CODE 6690-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>