Supporting Statement for Paperwork Reduction Act Submission
3133-0033
12 CFR Part 748, Security Program and Appendix B
May 2007
A. Justification
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
This collection is a notice requirement derived from a rule requiring federally insured credit unions to design their security programs to respond to incidents of unauthorized access to member information. The rule is accompanied by guidance, in the form of Appendix B, which describes NCUA’s expectations for credit unions to meet this obligation, and closely follows similar guidance published by the other federal banking agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Office of Thrift Supervision).
In accordance with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801 et seq., federally-insured credit unions are required to implement information security programs designed to protect member information. Appendix B describes the components of a response program and establishes a standard for providing notice to members affected by unauthorized access to or use of member information that could result in substantial harm or inconvenience to those members, thereby reducing the risk of losses due to fraud or identity theft.
The guidance describes NCUA’s expectation that "a credit union should notify affected members when it becomes aware of unauthorized access to sensitive member information unless the credit union, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected members, including monitoring affected members’ accounts for unusual or suspicious activity." This third party disclosure is considered a collection of information under the Paperwork Reduction Act.
2. Indicate how, and by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
The collection helps federally insured credit unions to develop and implement administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of member records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member.
A response program, which this collection is a critical part, contains policies and procedures that enable the credit unions to: (A) assess the situation to determine the nature and scope of the incident, and identify the information systems and types of member information affected; (B) notify the credit union’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies; (C) take measures to contain and control the incident to prevent further unauthorized access to or misuse of member information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and (D) address and mitigate harm to individual members.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.
Respondents may use any technology they wish to reduce the burden associated with this collection.
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.
The information collection is unique to federally-insured credit unions and is not duplicated elsewhere.
5. If the collection of information impacts small business or other small entities (Item 5 of OMB Form 83-1), describe any methods used to minimize burden.
The collection applies to all institutions, regardless of size.
6. Describe the consequences to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
NCUA believes that less frequent collection (i.e., a less comprehensive security program with diminished expectations as to the member response elements) would result in unacceptable harm to credit union members.
7. Explain any special circumstances that would cause an information collection to conducted in a manner inconsistent with 5 CFR § 1320.5(d) (2).
No special circumstances exist.
8. Describe efforts to consult with persons outside the agency.
Contact was made with a federal banking agency to discuss renewal of this collection.
9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.
There is no decision to provide any payment or gift to respondents.
10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.
Federally-insured credit unions, like all other regulated financial institutions, are required to preserve and maintain the confidentiality of member financial information. All collected information associated with this rule and Appendix B would be treated with the same degree of confidentiality as other disclosures of sensitive member information.
11. Provide any addition justification for a question of a sensitive nature.
The information covered by this collection is not of a “sensitive nature,” and would, in any case, be limited to the account holder(s).
12. Burden Estimates
It is estimated it will take federally-insured credit unions 20 hours (2.5 business days) to revise and produce the notices described in the Guidance and 24 hours per incident (three business days) to determine which members should receive the notice and to notify the members. For this analysis, it is estimated that two percent of federally- insured credit unions will experience an incident of unauthorized access to member information on an annual basis, resulting in member notification.
Thus, the burden associated for this collection of information may be summarized as follows:
Number of Respondents: 8,695
Estimated Time per Response:
Developing notices: 20 hrs. x 8,695 = 173,900 hours
Notifying members: 24 hrs. x 174 = 4,176 hours
Total Estimated Annual Burden: 178,076 hours
This burden estimate does not include time required for credit unions to adjust their contracts with third party service providers, if needed; nor for service providers to disclose information pursuant to the proposed guidance.
Estimate of annualized cost: 178,076 hours x $50/hour = $8,903,800.
13. Provide an estimate of the total annual cost burden to respondent or recordkeepers resulting from the collection of information.
It is not anticipated that federally insured credit unions will incur any significant third party costs or expenditures pursuant to this information collection, as credit unions should be able to use readily available equipment and procedures.
14. Provide estimates of annualized cost to the Federal government.
The cost to the federal government is negligible.
15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-1.
Item 13 was changed to reflect the decline in the number of federally-insured credit unions since the previous filing. Credit unions would have developed a response program, but would need to revise notices based on the type of unauthorized access. The reduction in the “Total annual hours requested” is directly related to the decline in the number of federally-insured credit unions since the previous filing.
16. For collections of information whose results will be published, outline plans for tabulation, and any publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
There are no plans to publish results.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
NCUA is not seeking approval to not display the expiration date.
18. Exceptions to Certification.
There are no exceptions to the certification statement.
B. Collections of Information Employing Statistical Methods
This question does not apply for this filing.
| File Type | application/msword |
| File Title | Supporting Statement for Paperwork Reduction Act Submission |
| Author | NCUA |
| Last Modified By | BasicXP |
| File Modified | 2007-05-26 |
| File Created | 2007-05-26 |