Book A, Supplement No. 77



Custom Federal Regulations Service™

This is supplemental material

for Book A of your set of

Federal Regulations

Title 38, Parts 0, 1, 2, 12,

14-16, 18–20, 25-26, 38-45, 48–49, 75

General

Veterans Benefits Administration

Supplement No. 77

Covering period of Federal Register issues

through July 3, 2007

Copyright © 2007 Jonathan Publishing

Need Assistance?

Questions concerning missing supplements, need for additional books, and other distribution list issues for this loose-leaf service should be directed to:

Department of Veterans Affairs

Veterans Benefits Administration

Administration

Mail Code: 20M33

810 Vermont Avenue, N.W.

Washington DC 20420

Telephone: 202/273-7588

Fax: 202/275-5947

E-mail: coarms@vba.

Questions concerning the filing instructions for this loose-leaf service,

or the reporting of substantive errors in the text,

may be directed to:

Jonathan Publishing

855 Yorks Crossing

Driftwood TX 78619

Telephone: 512/858-1225

Fax: 512/858-1230

E-mail: jonpub@austin.

Copyright © 2007 Jonathan Publishing

GENERAL INSTRUCTIONS

Custom Federal Regulations Service™

Supplemental Materials for Book A

Code of Federal Regulations

Title 38, Parts 0, 1, 2, 12, 14-16, 18–20, 25-26, 39-45, 48–49, 75

General

Veterans Benefits Administration

Supplement No. 77

5 July 2007

Covering the period of Federal Register issues

through July 3, 2007

When Book A was originally prepared, it was current through final regulations published in the Federal Register of 21 April 1992. These supplemental materials are designed to keep your regulations up to date. You should file the attached pages immediately, and record the fact that you did so on the Supplement Filing Record which begins on page A-8 of Book A, General.

To ensure accuracy and timeliness of your materials,

it is important that you follow these simple procedures:

1. Always file your supplemental materials immediately upon receipt.

2. Before filing, always check the Supplement Filing Record (page A-8) to be sure that all prior supplements have been filed. If you are missing any supplements, contact the Veterans Benefits Administration at the address listed on page A-2.

3. After filing, enter the relevant information on the Supplement Filing Record sheet (page A-8)—the date filed, name/initials of filer, and date through which the Federal Register is covered.

4. If as a result of a failure to file, or an undelivered supplement, you have more than one supplement to file at a time, be certain to file them in chronological order, lower number first.

5. Always retain the filing instructions (simply insert them at the back of the book) as a backup record of filing and for reference in case of a filing error.

6. Be certain that you permanently discard any pages indicated for removal in the filing instructions in order to avoid confusion later.

To execute the filing instructions, simply remove and throw away the pages listed under Remove These Old Pages, and replace them in each case with the corresponding pages from this supplement listed under Add These New Pages. Occasionally new pages will be added without removal of any old material (reflecting new regulations), and occasionally old pages will be removed without addition of any new material (reflecting rescinded regulations)—in these cases the word None will appear in the appropriate column.

FILING INSTRUCTIONS

Book A, Supplement No. 77

July 5, 2007

Remove these old pages          Add these new pages             Section(s) Affected

Do not file this supplement until you confirm that all prior supplements have been filed

Cover page and back             Cover page and back             Cover page

A-9 to A-10                     A-9 to A-10                     Index to Book A

A-55 to A-56                    A-55 to A-56                    Index to Book A

2.6-6 to 2.7-1                  2.6-6 to 2.7-1                  §2.6

None                            75.Title to 75.119-1            New Part 75 (§§75.111–75.119); insert after page 49.AppA-2

Be sure to complete the

Supplement Filing Record (page A-8)

when you have finished filing this material.

HIGHLIGHTS

Book A, Supplement No. 77

July 5, 2007

Supplement Highlights references: Where substantive changes are made in the text of regulations, the paragraphs of Highlights sections are cited at the end of the relevant section of text. Thus, if you are reading §3.263, you will see a note at the end of that section which reads: “Supplement Highlights references—6(2).” This means that paragraph 2 of the Highlights section in Supplement No. 6 contains information about the changes made in §3.263. By keeping and filing the Highlights sections, you will have a reference source explaining all substantive changes in the text of the regulations.

Supplement frequency: This Book A (General) was originally supplemented twice a year, in April and October. Beginning 1 August 1995, supplements will be issued every month during which a final rule addition or modification is made to the parts of Title 38 covered by this book. Supplements will be numbered consecutively as issued.

Modifications in this supplement include the following:

1. On 22 June 2007, the VA published a final rule, effective that same date, to amend the regulation containing delegations of authority to the Assistant to the Secretary for Regulation Policy and Management in order to reflect changes in delegations of authority and to comply with Executive Order 12866, as recently amended, which requires that the position of Regulatory Policy Officer in each agency be filled by a Presidential Appointee. Changes:

• In §2.6, revised paragraphs (l)(1) and (l)(3).

2. On 22 June 2007, the VA published an interim final rule, effective that same date, to establish regulations to address data breaches regarding sensitive personal information that is processed or maintained by the VA. Change:

• Added a new Part 75 (Information Security Matters) to Title 38 C.F.R. (§§75.111–75.119).

Veterans Benefits Administration

Department of Veterans Affairs

Custom Federal Regulations Service™

Book A—General

Code of Federal Regulations

Title 38

Parts 0, 1, 2, 12, 14, 15, 16,

18, 18a, 18b, 19, 20, 25, 26, 39,

40, 41, 42, 43, 44, 45, 48, 49, & 75

Jonathan Publishing

Copyright © 2007 Jonathan Publishing


Supplement Filing Record

Supplement Number    Date Filed    Name of Person Filing    Through Fed. Reg. dated

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

Summary Table of Contents

Book A—General

Part 0 Standards of ethical conduct and related responsibilities

Part 1 General provisions

Part 2 Delegations of authority

Part 12 Disposition of veteran’s personal funds and effects

Part 14 Legal services, General Counsel

Part 15 Enforcement of nondiscrimination on the basis of handicap in programs or activities conducted by the Department of Veterans Affairs

Part 16 Protection of human subjects

Part 18 Nondiscrimination in federally-assisted programs of the Department of Veterans Affairs—effectuation of Title VI of the Civil Rights Act of 1964

Part 18a Delegation of responsibility in connection with Title VI, Civil Rights Act of 1964

Part 18b Practice and procedure under Title VI of the Civil Rights Act of 1964 and Part 18 of this chapter

Part 19 Board of Veterans Appeals: Appeals regulations

Part 20 Board of Veterans Appeals: Rules of practice

Part 23 Non-Discrimination on the Basis of Sex in Education Programs or Activities Receiving Federal Financial Assistance

Part 25 Uniform relocation assistance and real property acquisition for Federal and federally assisted programs

Part 26 Environmental effects of the Department of Veterans Affairs (VA) actions

Part 38 National Cemeteries of the Department of Veterans Affairs

Part 39 State cemetery grants

Part 40 Intergovernmental review of Department of Veterans Affairs programs and activities

Part 41 Auditing requirements

Part 42 Standards implementing the Program Fraud Civil Remedies Act

Part 43 Uniform administrative requirements for grants and cooperative agreements to State and Local Governments

Part 44 Government-wide debarment and suspension (non-procurement) and government-wide requirements for drug-free workplace (grants)

Part 45 New restrictions on lobbying

Part 48 Governmentwide requirements for drug-free workplace (financial assistance)

Part 49 Uniform administrative requirements for grants and agreements with institutions of higher education, hospitals, and other non-profit organizations

Part 75 Information Security Matters

49.15 Metric system of measurement 49.15-1

49.16 Resource Conservation and Recovery Act 49.16-1

49.17 Certifications and representations 49.17-1

Subpart C—Post-Award Requirements

Financial and Program Management

49.20 Purpose of financial and program management 49.20-1

49.21 Standards for financial management systems 49.21-1

49.22 Payment 49.22-1

49.23 Cost sharing or matching 49.23-1

49.24 Program income 49.24-1

49.25 Revision of budget and program plans 49.25-1

49.26 Non-Federal audits 49.26-1

49.27 Allowable costs 49.27-1

49.28 Period of availability of funds 49.28-1

49.29 Conditional exemptions 49.29-1

Property Standards

49.30 Purpose of property standards 49.30-1

49.31 Insurance coverage 49.31-1

49.32 Real property 49.32-1

49.33 Federally-owned and exempt property 49.33-1

49.34 Equipment 49.34-1

49.35 Supplies and other expendable property 49.35-1

49.36 Intangible property 49.36-1

49.37 Property trust relationship 49.37-1

Procurement Standards

49.40 Purpose of procurement standards 49.40-1

49.41 Recipient responsibilities 49.41-1

49.42 Codes of conduct 49.42-1

49.43 Competition 49.43-1

49.44 Procurement procedures 49.44-1

49.45 Cost and price analysis 49.45-1

49.46 Procurement records 49.46-1

49.47 Contract administration 49.47-1

49.48 Contract provisions 49.48-1

Reports and Records

49.50 Purpose of reports and records 49.50-1

49.51 Monitoring and reporting program performance 49.51-1

49.52 Financial reporting 49.52-1

49.53 Retention and access requirements for records 49.53-1

Termination and Enforcement

49.60 Purpose of termination and enforcement 49.60-1

49.61 Termination 49.61-1

49.62 Enforcement 49.62-1

Subpart D—After-the-Award Requirements

49.70 Purpose 49.70-1

49.71 Closeout procedures 49.71-1

49.72 Subsequent adjustments and continuing responsibilities 49.72-1

49.73 Collection of amounts due 49.73-1

Appendix A to Part 49—Contract Provisions 49.AppA-1

Part 75

Information Security Matters

Subpart A—[Reserved]

Subpart B—Data Breaches

75.111 Purpose and scope 75.111-1

75.112 Definitions and terms 75.112-1

75.113 Data breach 75.113-1

75.114 Accelerated response 75.114-1

75.115 Risk analysis 75.115-1

75.116 Secretary determination 75.116-1

75.117 Notification 75.117-1

75.118 Other credit protection services 75.118-1

75.119 Finality of Secretary determination 75.119-1


These officials may not redelegate this authority. (Authority: 5 U.S.C. 552a)

(h) Delegations to Office of Resolution Management Officials (ORM).

(1) The Deputy Assistant Secretary for Resolution Management is delegated authority to supervise and control the operation of the administrative EEO Discrimination Complaint Processing System within the Department.

(2) The Deputy Assistant Secretary for Resolution Management, the Chief Operating Officer, and all Regional EEO Officers/Field Managers are delegated authority to make procedural agency decisions to either accept or dismiss, in whole or in part, EEO discrimination complaints based upon race, color, national origin, sex, religion, age, disability, or reprisal filed by employees, former employees, or applicants for employment.

(3) The Deputy Assistant Secretary for Resolution Management, the Chief Operating Officer, and the Chief, Policy and Compliance are delegated authority to make agency decisions on all breach of settlement claims raised by employees, former employees, and applicants for employment.

(4) The Deputy Assistant Secretary for Resolution Management, the Chief Operating Officer, and the Chief, Policy and Compliance are delegated authority to consider and resolve all claims raised by employees, former employees, and applicants for employment that allege dissatisfaction with the processing of a previously filed EEO discrimination complaint.

(5) The Deputy Assistant Secretary for Resolution Management, the Chief Operating Officer, and the Chief, Policy and Compliance are delegated authority to monitor compliance by Department organizational components with orders and decisions of the OEDCA and the EEOC.

(i) Delegations to officials of the Office of Employment Discrimination Complaint Adjudication (OEDCA).

(1) The Director and Associate Director, OEDCA, are delegated authority to make procedural decisions to dismiss, in whole or in part, any EEO discrimination complaint filed by any employee, former employee, or applicant for employment that may be pending before OEDCA, where administrative complaint processing efficiency may be best served by doing so.

(2) The Director and Associate Director, OEDCA, are delegated authority to dismiss, in whole or in part any EEO discrimination complaint based upon race, color, religion, sex, national origin, age, disability, or reprisal filed by any ORM employee, former employee, or applicant for employment.

(3) The Director and Associate Director, OEDCA, are delegated authority to make the agency decision on all breach of settlement claims raised by ORM employees, former employees, and applicants for employment.

(4) The Director and Associate Director, OEDCA, are delegated authority to consider and resolve all claims raised by ORM employees, former employees, and applicants for employment that allege dissatisfaction with the processing of a previously filed EEO discrimination complaint.

(5) The Director and Associate Director, OEDCA, are delegated authority to make procedural agency decisions to either accept or dismiss, in whole or in part, EEO discrimination complaints filed by employees, former employees, or applicants for employment where the ORM must recuse itself from a case due to an actual, apparent, or potential conflict of interest.

(j) Delegation to the Chairman, Board of Veterans’ Appeals. In cases where OEDCA has recused itself from a case due to an actual, apparent, or potential conflict of interest, the Chairman, Board of Veterans’ Appeals, is delegated authority to make procedural agency decisions to dismiss, in whole or in part, EEO discrimination complaints filed by agency employees, former employees, and applicants for employment; to make substantive final agency decisions where complainants do not request an EEOC hearing; to take final agency action following a decision by an EEOC Administrative Judge; and to make final agency decisions ordering appropriate remedies and relief where there is a finding of discrimination.

(k) Processing complaints involving certain officials. A complaint alleging that the Secretary or the Deputy Secretary personally made a decision directly related to matters in dispute, or are otherwise personally involved in such matters, will be referred for procedural acceptability review, investigation, and substantive decisionmaking to another Federal agency (e.g., The Department of Justice) pursuant to a cost reimbursement agreement. Referral will not be made when the action complained of relates merely to ministerial involvement in such matters (e.g., ministerial approval of selection recommendations submitted to the Secretary by the Under Secretary for Health, the Under Secretary for Benefits, the Under Secretary for Memorial Affairs, assistant secretaries, or staff office heads).

(l) Assistant to the Secretary, Office of Regulation Policy and Management. The Assistant to the Secretary for Regulation Policy and Management (ASRPM) is delegated authority:

(1) To act on all matters assigned to the Office of Regulation Policy and Management, except such matters as require the personal attention or action of the Secretary, the Deputy Secretary, or the Secretary’s Regulatory Policy Council.

(2) To manage and coordinate the Department’s rulemaking activities, including the revision and reorganization of regulations.

(3) To serve as the Deputy Regulatory Policy Officer, to perform staff functions under the Regulatory Policy Officer, and to perform other delegated functions in accordance with Executive Order 12866.

[25 FR 11095, Nov. 23, 1960, as amended at 58 FR 32442, June 10, 1993; 58 FR 39152, July 22, 1993; 61 FR 7216, Feb. 27, 1996; 61 FR 26107, May 24, 1996; 61 FR 27784, June 3, 1996; 61 FR 56449, Nov. 1, 1996; 63 FR 11122, Mar. 6, 1998; 64 FR 30244, June 7, 1999; 64 FR 47111, Aug. 30, 1999; 66 FR 44053, Aug. 22, 2001; 67 FR 3434, Jan. 24, 2002; 68 FR 25504, May 13, 2003; 69 FR 62203, Oct. 25, 2004; 72 FR 12565, Mar. 16, 2007; 72 FR 27247, May 15, 2007; 72 FR 34395, June 22, 2007]

Editorial note: For Federal Register citations affecting §2.6, see the List of CFR Sections Affected in the Finding Aids section of the Code of Federal Regulations.

Supplement Highlights references: 3(3, 5, 6), 15(2, 5), 18(1), 26(2), 34(2), 36(1), 47(2), 56(1), 66(1), 75(1), 76(1), 77(1).

§2.7 Delegation of authority to provide relief on account of administrative error.

(a) Section 503(a) of title 38 U.S.C., provides that if the Secretary determines that benefits administered by the Department of Veterans Affairs have not been provided by reason of administrative error on the part of the Federal Government or any of its employees, the Secretary is authorized to provide such relief on account of such error as the Secretary determines equitable, including the payment of moneys to any person whom he determines equitably entitled thereto.

(b) Section 503(b) of title 38 U.S.C., provides that if the Secretary determines that any veteran, surviving spouse, child of a veteran, or other person, has suffered loss, as a consequence of reliance upon a determination by the Department of Veterans Affairs of eligibility or entitlement to benefits, without knowledge that it was erroneously made, the Secretary is authorized to provide such relief as the Secretary determines equitable, including the payment of moneys to any person equitably entitled thereto. The Secretary is also required to submit an annual report to the Congress, containing a brief summary of each recommendation for relief and its disposition. Preparation of the report shall be the responsibility of the General Counsel.

(c) The authority to grant the equitable relief, referred to in paragraphs (a) and (b) of this section, has not been delegated and is reserved to the Secretary. Recommendation for the correction of administrative error and for appropriate equitable relief therefrom will be submitted to the Secretary, through the General Counsel. Such recommendation may be initiated by the head of the administration having responsibility for the benefit, or of any concerned staff office, or by the Chairman, Board of Veterans Appeals. When a recommendation for relief under paragraph (a) or (b) of this section is initiated by the head of a staff office, or the Chairman, Board of Veterans Appeals, the views of the head of the administration having responsibility for the benefit will be obtained and transmitted with the recommendation of the initiating office. (Authority: 38 U.S.C. 503, 512)

[37 FR 22864, Oct. 26, 1972, as amended at 49 FR 30693, Aug. 1, 1984; 54 FR 34981, Aug. 23, 1989; 68 FR 25504, May 13, 2003]

Part 75

Information Security Matters

Authority: 38 U.S.C. 501, 5724, 5727, 7906.

Source: 72 Fed. Reg. 34399, June 22, 2007, unless otherwise noted.

— Section Title Index —

Purpose and scope 75.111-1

Definitions and terms 75.112-1

Data breach 75.113-1

Accelerated response 75.114-1

Risk analysis 75.115-1

Secretary determination 75.116-1

Notification 75.117-1

Other credit protection services 75.118-1

Finality of Secretary determination 75.119-1


Supplement Highlights Reference: 77(2), and as indicated in specific sections.

Subpart A — [Reserved]

Subpart B — Data Breaches

§75.111 Purpose and scope.

This subpart implements provisions of 38 U.S.C. 5724 and 5727, which are set forth in Title IX of the Veterans Benefits, Health Care, and Information Technology Act of 2006. It only concerns actions to address a data breach regarding sensitive personal information that is processed or maintained by VA. This subpart does not supersede the requirements imposed by other laws, such as the Privacy Act of 1974, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, the Fair Credit Reporting Act, and implementing regulations of such Acts. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.112 Definitions and terms.

For purposes of this subpart:

Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Data breach means the loss or theft of, or other unauthorized access to, other than an unauthorized access incidental to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.

Data breach analysis means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.

Fraud resolution services means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.

Identity theft has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).

Identity theft insurance means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.

Individual means a single human being who is a citizen of the United States, an alien admitted to permanent residence in the United States, a present or former member of the Armed Forces, or any dependent of a present or former member of the Armed Forces.

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.

Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Logical data access means the ability of a person to translate the data for misuse. This can lead to inappropriate access to lost, stolen or improperly obtained data.

Person means an individual; partnership; corporation; Federal, State, or local government agency; or any other legal entity.

Processed or maintained by VA means created, stored, transmitted, or manipulated by VA personnel or by a person acting on behalf of VA, including a contractor or other organization or any level of subcontractor or other suborganization.

Secretary means the Secretary of Veterans Affairs or designee.

Sensitive personal information, with respect to an individual, means any information about the individual maintained by an agency, including the following:

(1) Education, financial transactions, medical history, and criminal or employment history.

(2) Information that can be used to distinguish or trace the individual’s identity, including name, Social Security number, date and place of birth, mother’s maiden name, or biometric records.

Unauthorized access incidental to the scope of employment means access, in accordance with VA data security and confidentiality policies and practices, that is a by-product or result of a permitted use of the data, that is inadvertent and cannot reasonably be prevented, and that is limited in nature.

VA means the Department of Veterans Affairs. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.113 Data breach.

Consistent with the definition of data breach in §75.112 of this subpart, a data breach occurs under this subpart if there is a loss or theft of, or other unauthorized access to, other than an unauthorized access incidental to the scope of employment, data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The term “unauthorized access” used in the definition of “data breach” includes access to an electronic information system and includes, but is not limited to, viewing, obtaining, or using data containing sensitive personal information in any form or in any VA information system. The phrase “unauthorized access incidental to the scope of employment” includes instances when employees of contractors and other entities need access to VA sensitive information in order to perform a contract or agreement with VA but incidentally obtain access to other VA sensitive information. Accordingly, an unauthorized access, other than an unauthorized access incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data, constitutes a data breach. In addition to these circumstances, VA also interprets data breach to include circumstances in which a user misuses sensitive personal information to which he or she has authorized access. The following circumstances do not constitute a data breach and, consequently, are not subject to the provisions of this subpart:

(a) An unauthorized access to data containing sensitive personal information that was determined by the Secretary to be incidental to the scope of employment, such as an inadvertent unauthorized viewing of sensitive personal information by a VA employee or a person acting on behalf of VA.

(b) A loss, theft, or other unauthorized access to data containing sensitive personal information that the Secretary determined to have no possibility of compromising the confidentiality or integrity of the data, such as the inability of compromising the confidentiality or integrity of the data because of encryption or the inadvertent disclosure to another entity that is required to provide the same or a similar level of protection for the data under statutory or regulatory authority. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.114 Accelerated response.

(a) The Secretary, in the exercise of his or her discretion, may provide notice to records subjects of a data breach and/or offer them other credit protection services prior to the completion of a risk analysis if:

(1) The Secretary determines, based on the information available to the agency when it learns of the data breach, that there is an immediate, substantial risk of identity theft of the individuals whose data was the subject of the data breach, and providing timely notice may enable the record subjects to promptly take steps to protect themselves, and/or the offer of other credit protection services will assist in timely mitigation of possible harm to individuals from the data breach; or

(2) Private entities would be required to provide notice under Federal law if they experienced a data breach involving the same or similar information.

(3) In situations described in paragraphs (a)(1) or (a)(2) of this section, the Secretary may provide notice of the breach prior to completion of a risk analysis, and subsequently advise individuals whether the agency will offer additional credit protection services upon completion, and consideration of the results, of the risk analysis, if the Secretary directs that one be completed.

(b) In determining whether to promptly notify individuals and/or offer them other credit protection services under paragraph (a)(1) of this section, the Secretary shall make the decision based upon the totality of the circumstances and information available to the Secretary at the time of the decision, including whether providing notice and offering other credit protection services would be likely to assist record subjects in preventing, or mitigating the results of, identity theft based on the compromised VA sensitive personal information. The Secretary’s exercise of this discretion will be based on good cause, including consideration of the following factors:

(1) The nature and content of the lost, stolen or improperly accessed data, e.g., the data elements involved, such as name, social security number, date of birth;

(2) The ability of an unauthorized party to use the lost, stolen or improperly accessed data, either by itself or with data or applications generally available, to commit identity theft or otherwise misuse the data to the disadvantage of the record subjects, if able to access and use the data;

(3) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;

(4) Ease of physical access to the lost, stolen or improperly accessed data, e.g., the degree to which the data is readily available to unauthorized access, such as being in a dumpster readily accessible by members of the general public;

(5) The format of the lost, stolen or improperly accessed data, e.g., in a standard electronic format, such as ASCII, or in paper;

(6) Evidence indicating that the lost, stolen or improperly accessed data may have been the target of unlawful acquisition; and

(7) Evidence that the same or similar data had been acquired from other sources improperly and used for identity theft.

(c) VA will provide notice and/or other credit protection services under this section as provided in §§75.117 and 75.118. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.115 Risk analysis.

If a data breach involving sensitive personal information that is processed or maintained by VA occurs and the Secretary has not determined under §75.114 that an accelerated response is appropriate, the Secretary shall ensure that, as soon as possible after the data breach, a non-VA entity with relevant expertise in data breach assessment and risk analysis or VA’s Office of Inspector General conducts an independent risk analysis of the data breach. The preparation of the risk analysis may include data mining if necessary for the development of relevant information. The risk analysis shall include a finding with supporting rationale concerning whether the circumstances create a reasonable risk that sensitive personal information potentially may be misused. If the risk analysis concludes that the data breach presents a reasonable risk for the potential misuse of sensitive personal information, the risk analysis must also contain operational recommendations for responding to the data breach. Each risk analysis, regardless of findings and operational recommendations, shall also address all relevant information concerning the data breach, including the following:

(a) Nature of the event (loss, theft, unauthorized access).

(b) Description of the event, including:

(1) Date of occurrence;

(2) Data elements involved, including any personally identifiable information, such as full name, social security number, date of birth, home address, account number, disability code;

(3) Number of individuals affected or potentially affected;

(4) Individuals or groups affected or potentially affected;

(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;

(6) Time the data has been out of VA control;

(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); and

(8) Known misuses of data containing sensitive personal information, if any.

(c) Assessment of the potential harm to the affected individuals.

(d) Data breach analysis, as appropriate. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.116 Secretary determination.

(a) Upon receipt of a risk analysis prepared under this subpart, the Secretary will consider the findings and other information contained in the risk analysis to determine whether the data breach caused a reasonable risk for the potential misuse of sensitive personal information. If the Secretary finds that such a reasonable risk does not exist, the Secretary will take no further action under this subpart. However, if the Secretary finds that such a reasonable risk exists, the Secretary will take responsive action as specified in this subpart based on the potential harms to individuals subject to a data breach.

(b) In determining whether the data breach resulted in a reasonable risk for the potential misuse of the compromised sensitive personal information, the Secretary shall consider all factors that the Secretary, in his or her discretion, considers relevant to the decision, including:

(1) The likelihood that the sensitive personal information will be or has been made accessible to and usable by unauthorized persons;

(2) Known misuses, if any, of the same or similar sensitive personal information;

(3) Any assessment of the potential harm to the affected individuals provided in the risk analysis;

(4) Whether the credit protection services that VA may offer under 38 U.S.C. 5724 may assist record subjects in avoiding or mitigating the results of identity theft based on the VA sensitive personal information that had been compromised;

(5) Whether private entities are required under Federal law to offer credit protection services to individuals if the same or similar data of the private entities had been similarly compromised; and

(6) The recommendations, if any, concerning the offer of, or benefits to be derived from, credit protection services in this case that are in the risk analysis report. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.117 Notification.

(a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information, the Secretary will promptly provide written notification by first-class mail to the individual (or the next of kin if the individual is deceased) at the last known address of the individual. The notification may be sent in one or more mailings as information is available and will include the following:

(1) A brief description of what happened, including the date[s] of the data breach and of its discovery if known;

(2) To the extent possible, a description of the types of personal information that were involved in the data breach (e.g., full name, Social Security number, date of birth, home address, account number, disability code);

(3) A brief description of what the agency is doing to investigate the breach, to mitigate losses, and to protect against any further breach of the data;

(4) Contact procedures for those wishing to ask questions or learn additional information, which will include a toll-free telephone number, an e-mail address, Web site, and/or postal address;

(5) Steps individuals should take to protect themselves from the risk of identity theft, including steps to obtain fraud alerts (alerts of any key changes to such reports and on demand personal access to credit reports and scores), if appropriate, and instruction for obtaining other credit protection services offered under this subpart; and

(6) A statement whether the information was encrypted or protected by other means, when determined such information would be beneficial and would not compromise the security of the system.

(b) In those instances where there is insufficient, or out-of-date contact information that precludes direct written notification to an individual subject to a data breach, a substitute form of notice may be provided, such as a conspicuous posting on the home page of VA’s Web site and notification in major print and broadcast media, including major media in geographic areas where the affected individuals likely reside. Such a notice in media will include a toll-free phone number where an individual can learn whether or not his or her personal information is possibly included in the data breach.

(c) In those cases deemed by the Secretary to require urgency because of possible imminent misuse of sensitive personal information, the Secretary, in addition to notification under paragraph (a) of this section, may provide information to individuals by telephone or other means, as appropriate.

(d) Notwithstanding other provisions in this section, notifications may be delayed upon lawful requests, from other Federal agencies, for the delay of notifications in order to protect data or computer resources from further compromise or to prevent interference with the conduct of an investigation or efforts to recover the data. A lawful request is one made in writing by the entity or VA component responsible for the investigation or data recovery efforts that may be adversely affected by providing notification. Any lawful request for delay in notification must state an estimated date after which the requesting entity believes that notification will not adversely affect the conduct of the investigation or efforts to recover the data. However, any delay should not exacerbate risk or harm to any affected individual(s). Decisions to delay notification should be made by the Secretary. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.118 Other credit protection services.

(a) With respect to individuals found under this subpart by the Secretary to be subject to a reasonable risk for the potential misuse of any sensitive personal information under this subpart, the Secretary may offer one or more of the following as warranted based on considerations specified in paragraph (b) of this section:

(1) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

(2) Data breach analysis;

(3) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; and/or

(4) One year of identity theft insurance with $20,000.00 coverage at $0 deductible.

(b) Consistent with the requirements of the Fair Credit Reporting Act (15 U.S.C. 1681, et seq.) as interpreted and applied by the Federal Trade Commission, the notice to the individual offering other credit protection services will explain how the individual may obtain the services, including the information required to be submitted by the individual to obtain the services, and the time period within which the individual must act to take advantage of the credit protection services offered.

(c) In determining whether any or all of the credit protection services specified in paragraph (a) of this section will be offered to individuals subject to a data breach, the Secretary will consider the following:

(1) The data elements involved;

(2) The number of individuals affected or potentially affected;

(3) The likelihood the sensitive personal information will be or has been made accessible to and usable by unauthorized persons;

(4) The risk of potential harm to the affected individuals; and

(5) The ability to mitigate the risk of harm.

(d) The Secretary will take action to obtain data mining and data breach analyses services, as appropriate, to obtain information relevant for making determinations under this subpart. (Authority: 38 U.S.C. 501, 5724, 5727)

§75.119 Finality of Secretary determination.

A determination made by the Secretary under this subpart will be a final agency decision.

End of Part 75
