
Code · REGISTER · 2004-11-29

Unknown. Final rule

/register/2004/11/29/04-25995

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Vol. 69, No. 228, Monday, November 29, 2004

Rules and Regulations

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 717 and 748

Fair Credit Reporting—Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003

AGENCY:
National Credit Union Administration (NCUA).

ACTION: Final rule.

SUMMARY: The NCUA Board is adopting a final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) by amending security program regulations and NCUA's Guidelines for Safeguarding Member Information and establishing a section in new part 717. The final rule generally requires federal credit unions (FCUs) to develop, implement, and maintain appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft. FCUs are expected to implement these measures consistent with the provisions in NCUA's Guidelines for Safeguarding Member Information.

DATES: Effective December 29, 2004.

FOR FURTHER INFORMATION CONTACT: Chrisanthy J. Loizos, Staff Attorney, Office of General Counsel, National Credit Union Administration, (703) 518-6540.

SUPPLEMENTARY INFORMATION:

I. Introduction

Section 216 of the FACT Act adds a new section 628 to the Fair Credit Reporting Act (FCRA) that, in general, is designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report, such as fraud and identity theft. 15 U.S.C. 1681w. Section 216 of the FACT Act requires NCUA to adopt a rule requiring any FCU “that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.” Pub. L. 108-159, 117 Stat. 1985-86. The FACT Act mandates that the rule be consistent with the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLBA) (Pub. L. 106-102), as well as other provisions of Federal law. The FACT Act also requires NCUA to consult and coordinate with the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), Federal Trade Commission (FTC), and Securities and Exchange Commission (collectively, the Agencies) so that, to the extent possible, NCUA's rule is consistent and comparable with the regulations issued by each of the other agencies.

II. Background

In 2001, NCUA amended the security program rule to establish standards for federally insured credit unions (FICUs) relating to administrative, technical, and physical safeguards to protect the security and confidentiality of member records and information, pursuant to section 501 of GLBA. 15 U.S.C. 6805(b). NCUA worked with the Agencies and state insurance authorities to develop appropriate standards. 66 FR 8152 (Jan. 30, 2001). The Federal banking agencies issued their standards as guidelines under section 39 of the Federal Deposit Insurance Act. 12 U.S.C. 1831p. [1] NCUA determined it could best meet the congressional directive to prescribe standards by amending the rule governing security programs and by providing guidance in an appendix to the rule. 12 CFR part 748, appendix A; 66 FR 8152 (Jan. 30, 2001).

[1] 12 CFR parts 30, app. B; 208, app. D-2 and 225, app. F; 364, app. B; 570, app. B. *See* 66 FR 8616 Feb. 1, 2001.

Section 748.0 requires an FICU to develop a security program that implements safeguards designed to:
(1) Ensure the security and confidentiality of member records and information;

(2) protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to a member. 12 CFR 748.0(b)(2).

Appendix A to part 748 sets forth NCUA's Guidelines for Safeguarding Member Information (Guidelines), which are substantially identical to the guidelines issued by the Agencies. 66 FR 8152 (Jan. 30, 2001). The Guidelines “are intended to outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure their compliance with the safeguards contained in the regulation.” *Id.* The Guidelines direct FICUs to assess the risks to their member information and member information systems and, in turn, implement appropriate security measures to control those risks. 12 CFR part 748, appendix A. For example, under the risk-assessment framework, FICUs should evaluate whether the controls the FICU has developed sufficiently protect its member information from unauthorized access, misuse, or alteration when the FICU disposes of the information. “[A] credit union's responsibility to safeguard member information continues through the disposal process.” 66 FR 8152, 8155.

On May 28, 2004, the NCUA Board published a proposal to add a section to the new fair credit reporting rule and amend the security program rule and Guidelines for Safeguarding Member Information (Guidelines) to require FCUs to implement controls designed to ensure the proper disposal of consumer information within the meaning of section 216. 69 FR 30601 (May 28, 2004). NCUA's proposed regulation and the preamble were substantively similar to a joint notice of proposed rulemaking issued by the FRB, OCC, FDIC and OTS (the Federal banking agencies). 69 FR 31913 (June 8, 2004). In the proposal, NCUA noted that section 216 of the FACT Act requires NCUA to issue final regulations for entities under its enforcement authority under section 621 of the FCRA.
Unlike the current provisions in the security program rule, which apply to all FICUs, the requirements in NCUA's final rule apply solely to FCUs. *See* 15 U.S.C. 1681s(b)(3). Federally insured state-chartered credit unions are subject to the enforcement jurisdiction of the FTC for purposes of the FCRA. *See* 15 U.S.C. 1681s(a). State charters, therefore, should refer to the final rule issued by the FTC regarding the proper disposal of consumer information under section 216.

III. Summary of Comments

NCUA received fourteen comment letters: One from a corporate credit union; four from natural person credit unions; five from credit union trades or leagues; one from a consumer; two from financial services trade organizations; and a joint letter from seven consumer rights organizations. The Agencies also received numerous letters from financial institutions, industry trade organizations, consumer advocacy groups, consumers, and trade associations from the information destruction industry. NCUA and the Agencies considered the comments and suggestions submitted.

Of the letters received by NCUA, twelve commenters generally supported the proposed regulation requiring FCUs to properly dispose of consumer information. One commenter stated that the proposal balanced the concerns of consumers and the industry by providing reasonable protections from identity theft and the unintended disclosure of consumer information while giving FCUs sufficient latitude for the disposal of consumer information. One comment letter, submitted on behalf of seven consumer groups, found the proposed rule weak and inadequate to meet Congress' intended purpose of preventing identity theft and other fraud.

IV. Analysis of Final Rule

Section-by-Section Overview

Section 717.83—Disposal of Consumer Information

As set forth in the proposal, NCUA is establishing a new part 717 to house its fair credit reporting rules and adds a subpart setting forth the duties of users of consumer reports regarding identity theft. To implement section 216, NCUA is adding § 717.83 to require FCUs to develop and maintain, as part of their information security programs, appropriate controls designed to ensure that they properly dispose of consumer information. The final rule retains the statute's rule of construction as proposed stating that this requirement does not impose any requirements to maintain or destroy consumer records beyond those imposed by any other law. The final rule also does not affect any requirement to maintain or destroy consumer records imposed under any other provision of law.

The only revisions to § 717.83 from the proposed rule incorporate examples of appropriate measures to properly dispose of consumer information and clarify “consumer information” in its definition and through examples. These additions required a renumbering of the section and are discussed in further detail below.

The final rule also includes a general definitions section, § 717.3, to define the terms “you” and “consumer.” Although these definitions were not included in the proposed disposal rule, they were published in another FACT Act proposal. [2] The final rule refers to FCUs using the plain language term “you” because section 216 requires NCUA to adopt a final disposal rule for FCUs. The final rule also uses the term “consumer.” Paragraph (e) of § 717.3 defines the term “consumer” to mean an individual, which follows the statutory definition in section 603(c) of the FCRA. 15 U.S.C. 1681a(c). NCUA will add more definitions to § 717.3 as the agency adopts other rules to implement provisions of the FCRA.

[2] On April 8, 2004, NCUA issued its first proposal to add a new part 717, implementing section 411 of the FACT Act. *See* 69 FR 23380 (Apr. 28, 2004). This final disposal rule, however, will be the first section to establish the new part 717.

Section 748.0—Security Program

The final rule retains § 748.0(c) as proposed. Paragraph (c) cross references the section 216 requirement in § 717.83, for ease of reference when FCUs adopt or modify their information security programs.

Guidelines for Safeguarding Member Information

The final rule amends the Guidelines to specifically address the disposal of consumer information by:
(1) Defining “consumer information” as defined in § 717.83;

(2) adding an objective regarding the proper disposal of member information and consumer information; and

(3) providing that an FCU should implement appropriate measures to properly dispose of member information and consumer information.

NCUA discusses the final rule's slight variations from the proposal below. The changes to the Guidelines are intended to provide guidance to FCUs for compliance with § 717.83. As noted above, the requirements of this final rule only apply to FCUs, while federally insured state-chartered credit unions are subject to the jurisdiction of the FTC on this matter. NCUA believes, however, that federally insured state charters may find this guidance helpful in adopting meaningful and effective security programs that deal with the disposal of consumer information.

In accordance with section 216, NCUA has consulted with the Agencies to ensure that, to the extent possible, the final rules issued by the respective agencies to implement section 216 are consistent and comparable.

Proper Disposal of Consumer Information and Member Information

Consumer Information

Proposed § 717.83(c)(1) defined “consumer information” to mean “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose.” “Consumer information” was also defined to mean “a compilation of such records.” Commenters generally supported NCUA's proposed definition of this term, but argued that NCUA should include statements or illustrations to clarify the nature and scope of “consumer information.” Several commenters found the proposed phrase “about an individual” to be ambiguous and urged NCUA to adopt a definition expressly stating that “consumer information” only includes information that identifies a particular individual.
Similarly, some commenters supported NCUA's explanation in the proposal that “consumer information” does not include information derived from a consumer report that does not identify any particular consumer, such as the mean credit score derived from a group of consumer reports. These commenters suggested that NCUA include this example or similar examples in the definition. In § 717.83(d)(1), the final rule defines “consumer information” as proposed but modifies the term to expressly exclude from the definition “any record that does not identify an individual.” NCUA believes that qualifying the term “consumer information” to cover only personally identifiable information appropriately focuses on the information derived from a consumer report that, if improperly disposed, could be used to commit fraud or identity theft against a consumer. NCUA believes that limiting this definition to information that identifies a consumer is consistent with the current law relating to the scope of the term “consumer report” under the FCRA and the purposes of section 216 of the FACT Act. Under the final rule, an FCU must implement measures to properly dispose of consumer information that identifies a consumer, such as the consumer's name and the credit score derived from a consumer report. This requirement, however, does not apply to aggregate information, such as the mean credit score that is derived from a group of consumer reports, or blind data, such as a series of credit scores that do not identify the subjects of consumer reports from which those scores are derived. The final rule includes examples of records that illustrate this aspect, but it does not rigidly define the nature and scope of personally identifiable information. These examples are found in § 717.83(d)(1)(i). 
NCUA notes that there are a variety of types of information apart from an individual's name, account number, or address that, depending on the circumstances or when used in combination, could identify the individual. As discussed in the proposal, NCUA notes that the scope of information covered by the terms “consumer information” and “member information” will sometimes overlap, but will not always coincide. The definition of “consumer information” is drawn from the term “consumer” in section 603(c) of the FCRA, which defines a “consumer” as an individual. 15 U.S.C. 1681a(c). By contrast, “member information” under the Guidelines, only covers nonpublic personal information about a “member,” as defined in § 716.3(n), namely, an individual who obtains a financial product or service to be used primarily for personal, family, or household purposes and who has a continuing relationship with the FCU. The relationship between consumer information and member information can be illustrated through the following examples. Payment history information from a consumer report about an individual, who is an FCU's member, will be *both* consumer information because it comes from a consumer report and member information because it is nonpublic personal information about a member. In some circumstances, member information will be broader than consumer information. For instance, information that an FCU maintains about its member's transactions with the FCU would be only member information because it does not come from a consumer report. In other circumstances, consumer information will be broader than member information. Consumer information would include information from a consumer report that an FCU obtains about an individual who guarantees a loan for a business entity or who has applied for employment with the FCU. 
In these instances, the consumer reports would not be member information because the information would not be about a “member” within the meaning of the Guidelines but would be consumer information.

NCUA believes the phrase “derived from consumer reports” covers all of the information about a consumer that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information. Consequently, an FCU that possesses any of this information must properly dispose of it. For example, any record about a consumer derived from a consumer report, such as the consumer's name and credit score, that is shared between an FCU and its credit union service organization (CUSO) affiliate must be disposed of properly by each affiliate that possesses that information. Similarly, a consumer report that is shared among affiliates after the consumer has been given a notice and has elected not to opt out of that sharing, and therefore is no longer a “consumer report” under section 603(d)(2)(A)(iii) of the FCRA, would still be consumer information. Accordingly, an affiliate that receives consumer information under these circumstances must properly dispose of the information. NCUA notes that a CUSO affiliate subject to the jurisdiction of the FTC must properly dispose of consumer information in accordance with the FTC's final rule.

The proposed definition of consumer information included the qualification “for a business purpose,” as set forth in section 216. NCUA believes that this phrase encompasses any commercial purpose for which an FCU might maintain or possess consumer information. Commenters did not raise concerns about this interpretation.

Proper Disposal

In the proposed rule, NCUA requested comment on the standard for proper disposal. Of the comment letters received by NCUA, five commenters thought that the concept was clear and sufficiently explained the nature and scope of an FCU's responsibilities under the rule, but two of those commenters welcomed additional clarification through guidance or examples. Four commenters believed “proper disposal” was not clear in the proposed rule and asked for either a definition or examples in the regulatory text like those used in the FTC's proposed rule. 69 FR 21388 (April 20, 2004). Some of these commenters stated that the rule should adopt a clear standard that requires FCUs to render paper and electronic data unreadable and incapable of being reconstructed. They also asked that the rule provide examples of proper disposal techniques consistent with the FTC's proposed regulatory text.
NCUA believes that there is no need to adopt a definition of the term “disposal” because, in the context of the duty imposed under section 216, the ordinary meaning of that term applies. The final rule, however, includes examples of appropriate measures to properly dispose of consumer information as requested by the commenters in renumbered paragraph
(b) of § 717.83. NCUA believes these examples will be helpful as illustrative guidance for compliance with the rule. NCUA notes that any sale, lease, or other transfer of any medium containing consumer information constitutes disposal of the information insofar as the information itself is not the subject of the sale, lease or other transfer between the parties. By contrast, the sale, lease, or other transfer of consumer information from an FCU to another party can be distinguished from the act of throwing out or getting rid of consumer information, and accordingly, does not constitute disposal subject to NCUA's rule.

New Objective for an Information Security Program

NCUA proposed to add a new objective regarding the proper disposal of consumer information in paragraph II.B. of the Guidelines. A few commenters expressed objections to this aspect of the proposal primarily as it relates to service providers. The final rule slightly revises the proposal to add a new objective in the Guidelines providing that an FCU should design its information security program to “[e]nsure the proper disposal of member information and consumer information.” With this revision from the proposal, NCUA omitted the proposed provision stating that an FCU should ensure proper disposal of consumer information “in a manner consistent with the disposal of member information.” By making this change and adding the reference to “member information” in paragraph II.B., the Guidelines more clearly and fully state an FCU's information security objectives with respect to disposing of information. As noted in the proposal, a credit union should properly dispose of member information as part of designing and maintaining its information security program under the Guidelines. The inclusion of “member information” in the objective, therefore, does not establish a new objective in the Guidelines. NCUA continues to believe that including this additional objective in paragraph II.B.
of the Guidelines is important because section 216's disposal requirement applies to an FCU's consumer information maintained or otherwise in the possession of the FCU's service providers. NCUA notes that, under current paragraph III.D.2., an FCU is expected to “[r]equire its service providers by contract to implement appropriate measures designed to meet the objectives” of the Guidelines. By expressly incorporating a provision in paragraph II.B. of the Guidelines, FCUs should contractually require service providers to develop appropriate measures for the proper disposal of consumer information and, where warranted, monitor service providers to confirm that they have satisfied their contractual obligations. As some commenters observed, the particular contractual arrangement that an FCU may negotiate with a service provider may take varied forms or use general terms. As a result, some credit unions already may have existing contracts that are sufficiently broad to cover the proper disposal of member information and consumer information, and therefore they would not have to be amended. NCUA continues to believe that the parties should have substantial latitude in negotiating the contractual terms appropriate to their arrangement in any manner that satisfies the objectives of the Guidelines. NCUA, therefore, has not prescribed any particular standards that relate to these service provider contracts. The final rule also amends paragraph III.G.4. of the Guidelines to allow an FCU a reasonable period of time, after the final rule is issued, to amend its contracts with its service providers to incorporate the necessary requirements in connection with the proper disposal of consumer information. After reviewing the varying comments on this provision of the proposal, NCUA has determined that FCUs should modify contracts that will be affected by the final rule's requirements, if necessary, no later than July 1, 2006. 
New Provision To Implement Measures to Properly Dispose of Consumer Information

NCUA has amended paragraph III.C. of the Guidelines by adding a new provision stating that an FCU, as part of its information security program, should develop, implement, and maintain, appropriate measures to properly dispose of consumer information and member information. Like the proposal, this new provision also provides that FCUs should implement these measures “in accordance with the provisions in paragraph III.” of the Guidelines. Paragraph III. of the Guidelines presently states that an FCU should undertake measures to design, implement, and maintain its information security program to protect member information and member information systems. Because “member information systems” is defined to include any methods used to dispose of member information, an FCU presently must use risk-based measures to protect member information. Building on this provision in the Guidelines, NCUA proposed a provision in paragraph III.C.4. stating that FCUs should develop controls “in a manner consistent with the disposal of member information.” Commenters generally supported this provision because FCUs could develop and implement risk-based protections, rather than be subject to a prescriptive standard that required them to adopt particular methods for disposing of consumer information. In the final rule, NCUA has revised the proposed provision in paragraph III.C.4. by omitting “in a manner consistent with the disposal of member information.” In its place, the Guidelines now provide a more direct and general statement that FCUs should develop and maintain risk-based measures to properly dispose of consumer information and member information. Under this final amendment to the Guidelines, an FCU is expected to properly dispose of both classes of information, which is consistent with the Guidelines and the FACT Act.
An FCU should broaden the scope of its risk assessment to include an assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of consumer information, and adjust its risk assessment in light of the relevant changes relating to such threats. By expressly referencing the disposal requirement in § 748.0(c) and the Guidelines, NCUA expects FCUs to integrate into their information security programs the risk-based measures in paragraph III of the Guidelines for the disposal of consumer information. After reviewing the comments, NCUA continues to believe that it is not necessary to propose a prescriptive rule describing proper methods of disposal. Nonetheless, consistent with interagency guidance previously issued through the Federal Financial Institutions Examination Council (FFIEC),[3] NCUA expects FCUs to have appropriate disposal procedures for records maintained in paper-based or electronic form. In addition, as noted above, the final rule includes illustrative examples of appropriate measures to properly dispose of consumer information in § 717.83(b). An FCU's information security program should ensure that paper records containing either member or consumer information should be rendered unreadable as indicated by the FCU's risk assessment, such as by shredding or any other means. FCUs also should recognize that computer-based records present unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, FCUs should apply additional disposal techniques to sensitive electronic data.[4]

[3] *See* FFIEC Information Security Booklet, page 63 at: *http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf.*

[4] *See* footnote 3, *supra.*

Compliance

The final rule requires FCUs to implement the appropriate measures to properly dispose of consumer information by July 1, 2005.
NCUA believes that any changes to an FCU's existing information security program likely will be minimal because many of the measures that an FCU already uses to dispose of member information can be adapted to properly dispose of consumer information. Several commenters agreed with NCUA's assessment and noted that they already have appropriate disposal policies in place. Nevertheless, a comment on behalf of small credit unions and a few comments to the Federal banking agencies noted the proposed period for compliance would be relatively short in light of the work required to amend policies and locate and track consumer information in an institution's existing information system. Accordingly, NCUA has determined that the final rule should afford FCUs a six-month period to adjust their systems and controls.

V. Regulatory Procedures

Regulatory Flexibility Act

The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact any proposed regulation may have on a substantial number of small entities (those under $10 million in assets). The NCUA Board has determined and certifies that the final rule will not have a significant economic impact on a substantial number of small credit unions. Accordingly, a regulatory flexibility analysis is not required. The rule requires an FCU to implement appropriate controls designed to ensure the proper disposal of consumer information. An FCU must develop and maintain these controls as part of implementing its existing information security program as required by § 748.0. Any modifications to an FCU's information security program needed to address the proper disposal of consumer information could be incorporated through the process the FCU presently uses to adjust its program under paragraph III.E. of the Guidelines, particularly because of the similarities between the consumer and member information and the measures commonly used to properly dispose of both types of information.
To the extent the rule imposes new requirements for certain types of consumer information, developing appropriate measures to properly dispose of that information likely would require only a minor modification of an FCU's existing information security program. Because some consumer information will be member information and because segregating particular records for special treatment may entail considerable costs, NCUA believes that many FCUs, including small entities, already are likely to have implemented measures to properly dispose of both member and consumer information. In addition, NCUA and the Federal banking agencies, through the Federal Financial Institutions Examination Council (FFIEC), already have issued guidance regarding their expectations concerning the proper disposal of *all* of an institution's paper and electronic records. *See* FFIEC Information Security Booklet, December 2002, p. 63.[5] Therefore, the rule does not require any significant changes for FCUs that currently have procedures and systems designed to comply with this guidance.

[5] *See* footnote 3, *supra.*

NCUA anticipates that, in light of current practices relating to the disposal of information in accordance with § 748.0, the Guidelines, and the guidance issued by the FFIEC, the final rule would not impose undue costs on FCUs. NCUA believes that the controls that small FCUs would need to develop and implement, if any, to comply with the rule likely pose a minimal economic impact on those entities.

Paperwork Reduction Act

NCUA has determined that the final rule does not increase paperwork requirements under the Paperwork Reduction Act of 1995 and regulations of the Office of Management and Budget.

Executive Order 13132

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on State and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C.
3502(5), voluntarily complies with the executive order. This final rule will not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. NCUA has determined that the final rule does not constitute a policy that has federalism implications for purposes of the executive order.

Small Business Regulatory Enforcement Fairness Act

The Small Business Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121) provides generally for congressional review of agency rules. A reporting requirement is triggered in instances where NCUA issues a final rule as defined by section 551 of the Administrative Procedures Act. 5 U.S.C. 551. The Office of Management and Budget
(OMB) has determined that this rule is not a major rule for the purposes of the Small Business Regulatory Enforcement Fairness Act of 1996.

The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families

NCUA has determined that this rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).

List of Subjects

12 CFR Part 717

Consumer protection, Credit unions, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 748

Credit unions, Crime, Currency, Reporting and recordkeeping requirements, and Security measures.

By the National Credit Union Administration Board on November 18, 2004.

Mary F. Rupp, Secretary of the Board.

For the reasons stated in the preamble, NCUA amends 12 CFR chapter VII as set forth below:

1. Part 717 is added to read as follows:

PART 717—FAIR CREDIT REPORTING

Subpart A—General Provisions

Sec.
717.1-717.2 [Reserved]
717.3 Definitions.

Subparts B-H [Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

717.80-717.82 [Reserved]
717.83 Disposal of consumer information.

Authority: 15 U.S.C. 1681a, 1681s, 1681w, 6801 and 6805(b).

Subpart A—General Provisions

§ 717.1-717.2 [Reserved]

§ 717.3 Definitions.

As used in this part, unless the context requires otherwise:
(a) [Reserved]
(b) [Reserved]
(c) [Reserved]
(d) [Reserved]
(e) *Consumer* means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) [Reserved]
(j) [Reserved]
(k) [Reserved]
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
(o) *You* means a Federal credit union.

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft

§ 717.80-717.82 [Reserved]

§ 717.83 Disposal of consumer information.
(a) *In general.* You must properly dispose of any consumer information that you maintain or otherwise possess in a manner consistent with the Guidelines for Safeguarding Member Information, in appendix A to part 748 of this chapter.
(b) *Examples.* Appropriate measures to properly dispose of consumer information include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this section.
(1) Burning, pulverizing, or shredding papers containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(c) *Rule of construction.* This section does not:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.
(d) *Definitions.* As used in this section:
(1) *Consumer information* means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.
(i) *Consumer information* includes:
(A) A consumer report that you obtain;
(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that you obtain about an employee or prospective employee.
(ii) *Consumer information* does not include:
(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, you use for developing credit scoring models or for other purposes.
(2) *Consumer report* has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act. It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.

PART 748—SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT AND BANK SECRECY ACT COMPLIANCE

2. The authority citation for part 748 is revised to read as follows:

Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b); 31 U.S.C. 5311 and 5318.

3. Amend § 748.0 by adding paragraph
(c) to read as follows:

§ 748.0 Security program.

*
(c) Each Federal credit union, as part of its information security program, must properly dispose of any consumer information the Federal credit union maintains or otherwise possesses, as required under § 717.83 of this chapter.

4. Amend appendix A to part 748 as follows:

a. Add the following sentence at the end of paragraph I.: “These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) and 1681w).”;

b. Add the following sentence at the end of paragraph I.A.: “These Guidelines also apply to the proper disposal of consumer information by such entities.”;

c. Redesignate paragraphs I.B.2.a. through d. as I.B.2.c. through f.;

d. Add new paragraphs I.B.2.a. and b., III.C.4., and III.G.3. and III.G.4. to read as set forth below; and

e. Amend paragraph II.B. by removing the word “and” after the word “information;” and adding the following phrase after the word “member” at the end of the sentence: “; and ensure the proper disposal of member information and consumer information”.

Appendix A to Part 748—Guidelines for Safeguarding Member Information

I. * * *

B. * * *

2. * * *

*a. Consumer information* means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

*b. Consumer report* has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act.
It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.

III. * * *

C. * * *

4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of member information and consumer information in accordance with the provisions in paragraph III.

G. * * *

3. *Effective date for measures relating to the disposal of consumer information.* Each Federal credit union must properly dispose of consumer information in a manner consistent with these Guidelines by July 1, 2005.

4. *Exception for existing agreements with service providers relating to the disposal of consumer information.* Notwithstanding the requirement in paragraph III.G.3., a Federal credit union's existing contracts with its service providers with regard to any service involving the disposal of consumer information should implement the objectives of these Guidelines by July 1, 2006.

[FR Doc. 04-25995 Filed 11-26-04; 8:45 am]