Data Breaches

Federal Register: April 11, 2008 (Volume 73, Number 71)

Rules and Regulations

Page 19747-19748

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr11ap08-4

DEPARTMENT OF VETERANS AFFAIRS 38 CFR Part 75

RIN 2900-AM63

Data Breaches

AGENCY: Department of Veterans Affairs.

ACTION: Final rule.

SUMMARY: This document adopts, without change, the interim final rule that was published in the Federal Register on June 22, 2007, addressing data breaches of sensitive personal information that is processed or maintained by the Department of Veterans Affairs (VA). This final rule implements certain provisions of the Veterans Benefits, Health Care, and Information Technology Act of 2006. The regulations prescribe the mechanisms for taking action in response to a data breach of sensitive personal information.

DATES: Effective Date: April 11, 2008.

FOR FURTHER INFORMATION CONTACT: Jonelle Lewis, Office of Information

Protection and Risk Management (005R), U.S. Department of Veterans

Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Telephone:

(202) 461-6400. This is not a toll-free number.

SUPPLEMENTARY INFORMATION: On June 22, 2007, VA published an interim final rule in the Federal Register (72 FR 34395). The interim final rule addressed data breaches of sensitive personal information that is processed or maintained by VA. This final rule implements 38 U.S.C. 5724 and 5727, which were enacted as part of Title IX of Public Law 109-461, the Veterans Benefits, Health Care, and Information Technology

Act of 2006.

We provided a 60-day comment period that ended August 21, 2007. We received no comments. Based on the rationale set forth in the interim final rule, we adopt the provisions of the interim final rule as a final rule without any changes.

Administrative Procedure Act

This document, without change, affirms the amendment made by the interim final rule that is already in effect. The Secretary of Veterans

Affairs concluded that, under 5 U.S.C. 553, there was good cause to dispense with the opportunity for prior comment with respect to this rule. The Secretary found that it was unnecessary to delay this regulation for the purpose of soliciting prior public comment based on the statutory mandate in 38 U.S.C. 5724 to publish the amendment as an interim final rule. Nevertheless, the Secretary invited public comment on the interim final rule but did not receive any comments.

Executive Order 12866

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits

(including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). The Executive

Order classifies a ``significant regulatory action,'' requiring review by the Office of Management and Budget (OMB), as any regulatory action that is likely to result in a rule that may: (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

The economic, interagency, budgetary, legal, and policy implications of this rule have been examined and it has been determined to be a significant regulatory action under the Executive Order because it is likely to result in a rule that may raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

Unfunded Mandates

The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C. 1532, that agencies prepare an assessment of anticipated costs and benefits before issuing any rule that may result in expenditure by

State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more (adjusted annually for inflation) in any

Page 19748

given year. This rule would have no such effect on State, local, and tribal governments or the private sector.

Paperwork Reduction Act

This document contains no provisions constituting a collection of information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501- 3521).

Regulatory Flexibility Act

The provisions of the Regulatory Flexibility Act (5 U.S.C. 601-612) do not apply to this interim final rule because the provisions of 38

U.S.C. 5724 require that this document be promulgated as an interim final rule, and, consequently, a notice of proposed rulemaking was not required for the rule. 5 U.S.C. 603-604.

Catalog of Federal Domestic Assistance Numbers

There are no Catalog of Federal Domestic Assistance numbers and titles for this rule.

List of Subjects in 38 CFR Part 75

Administrative practice and procedure, Credit monitoring, Data breach, Data breach analysis, Data mining, Fraud alerts, Identity theft insurance, Information, Notification, Risk analysis, Security measures.

Approved: April 4, 2008.

Gordon H. Mansfield,

Deputy Secretary of Veterans Affairs.

PART 75--INFORMATION SECURITY MATTERS

Accordingly, the interim final rule establishing 38 CFR part 75 that was published in the Federal Register at 72 FR 34395 on June 22, 2007, is adopted as a final rule without changes.

FR Doc. E8-7726 Filed 4-10-08; 8:45 am

BILLING CODE 8320-01-P