Privacy Act of 1974; System of Records

Issuing agencies

Abstract

In accordance with the Privacy Act of 1974, as amended, the FDIC proposes to establish a new FDIC system of records titled FDIC- 041, "Personal Information Allowing Network Operations (PIANO)." This system of records maintains information collected from individuals that interact with FDIC information technology resources, including FDIC employees, FDIC contractors, FDIC volunteers, FDIC interns, Federal and State financial regulator employees, financial institution employees, and other members of the public. FDIC collects and maintains the information necessary in this system of records to support and facilitate the approval, monitoring, and disabling of access by individuals that interact with FDIC information technology resources. We hereby publish this notice for comment on the proposed action.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 84 (Tuesday, May 2, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 84 (Tuesday, May 2, 2023)]
[Notices]
[Pages 27509-27511]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-09204]


=======================================================================
-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION


Privacy Act of 1974; System of Records

AGENCY: Federal Deposit Insurance Corporation (FDIC).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
FDIC proposes to establish a new FDIC system of records titled FDIC-
041, ``Personal Information Allowing Network Operations (PIANO).'' This 
system of records maintains information collected from individuals that 
interact with FDIC information technology resources, including FDIC 
employees, FDIC contractors, FDIC volunteers, FDIC interns, Federal and 
State financial regulator employees, financial institution employees, 
and other members of the public. FDIC collects and maintains the 
information necessary in this system of records to support and 
facilitate the approval, monitoring, and disabling of access by 
individuals that interact with FDIC information technology resources. 
We hereby publish this notice for comment on the proposed action.

DATES: This action will become effective on May 2, 2023. The routine 
uses in this action will become effective June 1, 2023, unless the FDIC 
makes changes based on comments received. Written comments should be 
submitted on or before June 1, 2023.

ADDRESSES: Interested parties are invited to submit written comments 
identified by Privacy Act Systems of Records (FDIC-041) by any of the 
following methods:
    <bullet> Agency Website: <a href="https://www.fdic.gov/resources/regulations/federal-register-publications/">https://www.fdic.gov/resources/regulations/federal-register-publications/</a>. Follow the instructions for 
submitting comments on the FDIC website.
    <bullet> Email: <a href="/cdn-cgi/l/email-protection#eb888486868e859f98ab8d8f8288c58c849d"><span class="__cf_email__" data-cfemail="88ebe7e5e5ede6fcfbc8eeece1eba6efe7fe">[email&#160;protected]</span></a>. Include ``Comments-SORN (FDIC-
041)'' in the subject line of communication.
    <bullet> Mail: James P. Sheesley, Assistant Executive Secretary, 
Attention: Comments-SORN (FDIC-041), Legal Division, Office of the 
Executive Secretary, Federal Deposit Insurance Corporation, 550 17th 
Street NW, Washington, DC 20429.
    <bullet> Hand Delivery: Comments may be hand-delivered to the guard 
station at the rear of the 17th Street NW building (located on F Street 
NW), on business days between 7:00 a.m. and 5:00 p.m.
    <bullet> Public Inspection: Comments received, including any 
personal information provided, may be posted without change to https://
www.fdic.gov/resources/regulations/federal-register-

[[Page 27510]]

publications/. Commenters should submit only information that the 
commenter wishes to make available publicly. The FDIC may review, 
redact, or refrain from posting all or any portion of any comment that 
it may deem to be inappropriate for publication, such as irrelevant or 
obscene material. The FDIC may post only a single representative 
example of identical or substantially identical comments, and in such 
cases will generally identify the number of identical or substantially 
identical comments represented by the posted example. All comments that 
have been redacted, as well as those that have not been posted, that 
contain comments on the merits of this document will be retained in the 
public comment file and will be considered as required under all 
applicable laws. All comments may be accessible under the Freedom of 
Information Act (FOIA).

FOR FURTHER INFORMATION CONTACT: Shannon Dahn, Chief, Privacy Program, 
703-516-5500, <a href="/cdn-cgi/l/email-protection#5d2d2f342b3c3e241d3b39343e733a322b"><span class="__cf_email__" data-cfemail="2b5b59425d4a48526b4d4f4248054c445d">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: FDIC conducts much of its business 
electronically and must ensure that its information technology 
resources operate in a secure and proper manner, which includes 
controlling and monitoring access to its information technology 
resources to ensure that access is restricted to authorized 
individuals. Accordingly, FDIC collects and maintains information in 
this system of records to support and facilitate the approval, 
monitoring, and disabling of access for individuals that interact with 
FDIC information technology resources, which includes FDIC employees, 
FDIC contractors, FDIC volunteers, FDIC interns, Federal and State 
financial regulator employees, financial institution employees, and 
other members of the public. This newly established system will be 
included in FDIC's inventory of record systems.

SYSTEM NAME AND NUMBER:
    Personal Information Allowing Network Operations, FDIC-041.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are centrally maintained at FDIC, 550 17th Street NW, 
Washington, DC 20429. There are instances where records may be 
maintained at other secure locations, as well as on secure servers 
maintained by third-party service providers for the FDIC.

SYSTEM MANAGER(S):
    Deputy Director, Infrastructure and Operations Services Branch, 
Division of Information Technology, FDIC, 3501 Fairfax Drive, 
Arlington, VA 22226.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Section 9, Corporate Powers, of the Federal Deposit Insurance Act 
(12 U.S.C. 1819).

PURPOSE(S) OF THE SYSTEM:
    The information in the system is being collected to support and 
facilitate the approval, monitoring, and disabling of access for 
individuals that interact with FDIC information technology resources.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system of records include 
all individuals that interact with FDIC information technology 
resources, including FDIC employees, FDIC contractors, FDIC volunteers, 
FDIC interns, Federal and State financial regulator employees, 
financial institution employees, and other members of the public.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records in this system include: Records related to the 
authentication and verification of a user, which includes name, email 
address, government issued identification numbers, photographs of 
government-issued IDs, to include all personal information and images 
on the IDs, Social Security number (SSN), phone number, postal address, 
verification transaction ID, verification pass/fail indicator, date and 
time of verification transaction, user roles, justification for access, 
date of separation, trainings status and other prerequisites, and 
status codes associated with the verification transaction data, names, 
phone numbers of other contacts, and positions or business/
organizational affiliations and titles of individuals who can verify 
that the individual seeking access has a need for access as well as 
other contact information provided to FDIC that is derived from other 
sources to facilitate access to FDIC information technology resources. 
Logs of activity when interacting with FDIC information technology 
resources, including, but not limited to, network user ID, password, 
date and time of access, internet Protocol (IP) address of the device 
used for access, Media Access Control (MAC) address of the device used 
for access, hash files, and equipment used to access FDIC's network.

RECORD SOURCE CATEGORIES:
    Information in this system is obtained from individuals, entities, 
and/or information already in other FDIC records systems.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside the FDIC 
as a routine use as follows:
    (1) To appropriate Federal, State, local and foreign authorities 
responsible for investigating or prosecuting a violation of, or for 
enforcing or implementing a statute, rule, regulation, or order issued, 
when the information indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, and whether 
arising by general statute or particular program statute, or by 
regulation, rule, or order issued pursuant thereto;
    (2) To a court, magistrate, or other administrative body in the 
course of presenting evidence, including disclosures to counsel or 
witnesses in the course of civil discovery, litigation, or settlement 
negotiations or in connection with criminal proceedings, when the FDIC 
is a party to the proceeding or has a significant interest in the 
proceeding, to the extent that the information is determined to be 
relevant and necessary;
    (3) To a congressional office in response to an inquiry made by the 
congressional office at the request of the individual who is the 
subject of the record;
    (4) To appropriate agencies, entities, and persons when (a) the 
FDIC suspects or has confirmed that there has been a breach of the 
system of records; (b) the FDIC has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the FDIC (including its information systems, programs, and operations), 
the Federal Government, or national security; and (c) the disclosure 
made to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the FDIC's efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm;
    (5) To another Federal agency or Federal entity, when the FDIC 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (a) responding to 
a suspected or confirmed breach, or (b) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its

[[Page 27511]]

information systems, programs, and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach;
    (6) To contractors, agents, or other authorized individuals 
performing work on a contract, service, cooperative agreement, job, or 
other activity on behalf of the FDIC or Federal Government and who have 
a need to access the information in the performance of their duties or 
activities;
    (7) To third parties providing remote or in-person authentication 
and identity proofing services, as necessary to authenticate and/or 
identity proof an individual for access to an FDIC service or 
application.
    (8) To sponsors, employers, contractors, facility operators, 
experts, and consultants in connection with establishing an access 
account for an individual or maintaining appropriate points of contact 
and when necessary to accomplish a FDIC need related to this system of 
records;
    (9) To Federal agencies such as Office of Personnel Management, the 
Merit Systems Protection Board, the Office of Management and Budget, 
Federal Labor Relations Authority, Government Accountability Office, 
and the Equal Employment Opportunity Commission in the fulfillment of 
these agencies' official duties.
    (10) To international, Federal, State and local, Tribal, or private 
entities for the purpose of the regular exchange of business contact 
information in order to facilitate collaboration for official business.
    (11) To a Federal agency, organization, or individual for the 
purpose of performing audit or oversight operations as authorized by 
law.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored in electronic media and in paper format in 
secure facilities.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are indexed and may be retrieved by a variety of fields, 
including, but not limited to, name, username, email address, business 
affiliation, or other data fields previously identified in this SORN.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records may be maintained for as long as six years following the 
termination of an individual's FDIC user account in accordance with 
approved records retention schedules.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records are protected from unauthorized access and improper use 
through administrative, technical, and physical security measures. 
Administrative safeguards include written guidelines on handling 
personal information, including agency-wide procedures for safeguarding 
personally identifiable information. In addition, all FDIC staff are 
required to take annual privacy and security training. Technical 
security measures within FDIC include restrictions on computer access 
to authorized individuals who have a legitimate need to know the 
information; required use of strong passwords that are frequently 
changed; multi-factor authentication for remote access and access to 
many FDIC network components; use of encryption for certain data types 
and transfers; firewalls and intrusion detection applications; and 
regular review of security procedures and best practices to enhance 
security. Physical safeguards include restrictions on building access 
to authorized individuals, security guard service, and maintenance of 
records in lockable offices and filing cabinets.

RECORD ACCESS PROCEDURES:
    Individuals wishing to request access to records about them in this 
system of records should submit their request online through <a href="https://www.securerelease.us/">https://www.securerelease.us/</a>. Individuals will be required to provide proof of 
identity, a detailed description of the records they seek, including 
the time period when the records were created and other supporting 
information where possible. Alternatively, individuals may provide a 
request in writing to the FDIC FOIA & Privacy Act Group, 550 17th 
Street NW, Washington, DC 20429, or email <a href="/cdn-cgi/l/email-protection#6c090a03050d2c0a08050f420b031a"><span class="__cf_email__" data-cfemail="98fdfef7f1f9d8fefcf1fbb6fff7ee">[email&#160;protected]</span></a>. Requests must 
include full name, address, and verification of identity in accordance 
with FDIC regulations at 12 CFR part 310.

CONTESTING RECORD PROCEDURES:
    Individuals wishing to contest or request an amendment to their 
records in this system of records should submit their request online 
through <a href="https://www.securerelease.us/">https://www.securerelease.us/</a>. Individuals will be required to 
provide proof of identity, a detailed description of the records they 
seek, including the time period when the records were created and other 
supporting information where possible, and the reason for amendment or 
correction. Alternatively, individuals can provide a request in writing 
to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, 
DC 20429, or email <a href="/cdn-cgi/l/email-protection#dfbab9b0b6be9fb9bbb6bcf1b8b0a9"><span class="__cf_email__" data-cfemail="7f1a1910161e3f191b161c51181009">[email&#160;protected]</span></a>. Requests must specify the 
information being contested, the reasons for contesting it, and the 
proposed amendment to such information in accordance with FDIC 
regulations at 12 CFR part 310.

NOTIFICATION PROCEDURES:
    Individuals wishing to know whether this system contains 
information about them should submit their request online through 
<a href="https://www.securerelease.us/">https://www.securerelease.us/</a>. Individuals will be required to provide 
proof of identity, a detailed description of the records they seek, 
including the time period when the records were created and other 
supporting information where possible. Alternatively, individuals can 
provide a request in writing to the FDIC FOIA & Privacy Act Group, 550 
17th Street NW, Washington, DC 20429, or email <a href="/cdn-cgi/l/email-protection#fc999a93959dbc9a98959fd29b938a"><span class="__cf_email__" data-cfemail="f194979e9890b197959892df969e87">[email&#160;protected]</span></a>. Requests 
must include full name, address, and verification of identity in 
accordance with FDIC regulations at 12 CFR part 310.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on April 25, 2023.
James P. Sheesley,
Assistant Executive Secretary.
[FR Doc. 2023-09204 Filed 5-1-23; 8:45 am]
BILLING CODE 6714-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>