[Federal Register Volume 73, Number 71 (Friday, April 11, 2008)]
[Rules and Regulations]
[Pages 19747-19748]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-7726]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS

38 CFR Part 75

RIN 2900-AM63


Data Breaches

AGENCY: Department of Veterans Affairs.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This document adopts, without change, the interim final rule 
that was published in the Federal Register on June 22, 2007, addressing 
data breaches of sensitive personal information that is processed or 
maintained by the Department of Veterans Affairs (VA). This final rule 
implements certain provisions of the Veterans Benefits, Health Care, 
and Information Technology Act of 2006. The regulations prescribe the 
mechanisms for taking action in response to a data breach of sensitive 
personal information.

DATES: Effective Date: April 11, 2008.

FOR FURTHER INFORMATION CONTACT: Jonelle Lewis, Office of Information 
Protection and Risk Management (005R), U.S. Department of Veterans 
Affairs, 810 Vermont Avenue, NW., Washington, DC 20420. Telephone: 
(202) 461-6400. This is not a toll-free number.

SUPPLEMENTARY INFORMATION: On June 22, 2007, VA published an interim 
final rule in the Federal Register (72 FR 34395). The interim final 
rule addressed data breaches of sensitive personal information that is 
processed or maintained by VA. This final rule implements 38 U.S.C. 
5724 and 5727, which were enacted as part of Title IX of Public Law 
109-461, the Veterans Benefits, Health Care, and Information Technology 
Act of 2006.
    We provided a 60-day comment period that ended August 21, 2007. We 
received no comments. Based on the rationale set forth in the interim 
final rule, we adopt the provisions of the interim final rule as a 
final rule without any changes.

Administrative Procedure Act

    This document, without change, affirms the amendment made by the 
interim final rule that is already in effect. The Secretary of Veterans 
Affairs concluded that, under 5 U.S.C. 553, there was good cause to 
dispense with the opportunity for prior comment with respect to this 
rule. The Secretary found that it was unnecessary to delay this 
regulation for the purpose of soliciting prior public comment based on 
the statutory mandate in 38 U.S.C. 5724 to publish the amendment as an 
interim final rule. Nevertheless, the Secretary invited public comment 
on the interim final rule but did not receive any comments.

Executive Order 12866

    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, when regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety, 
and other advantages; distributive impacts; and equity). The Executive 
Order classifies a ``significant regulatory action,'' requiring review 
by the Office of Management and Budget (OMB), as any regulatory action 
that is likely to result in a rule that may: (1) Have an annual effect 
on the economy of $100 million or more or adversely affect in a 
material way the economy, a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or State, 
local, or tribal governments or communities; (2) create a serious 
inconsistency or otherwise interfere with an action taken or planned by 
another agency; (3) materially alter the budgetary impact of 
entitlements, grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; or (4) raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive Order.
    The economic, interagency, budgetary, legal, and policy 
implications of this rule have been examined and it has been determined 
to be a significant regulatory action under the Executive Order because 
it is likely to result in a rule that may raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive Order.

Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995 requires, at 2 U.S.C. 
1532, that agencies prepare an assessment of anticipated costs and 
benefits before issuing any rule that may result in expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100 million or more (adjusted annually for 
inflation) in any

[[Page 19748]]

given year. This rule would have no such effect on State, local, and 
tribal governments or the private sector.

Paperwork Reduction Act

    This document contains no provisions constituting a collection of 
information under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-
3521).

Regulatory Flexibility Act

    The provisions of the Regulatory Flexibility Act (5 U.S.C. 601-612) 
do not apply to this interim final rule because the provisions of 38 
U.S.C. 5724 require that this document be promulgated as an interim 
final rule, and, consequently, a notice of proposed rulemaking was not 
required for the rule. 5 U.S.C. 603-604.

Catalog of Federal Domestic Assistance Numbers

    There are no Catalog of Federal Domestic Assistance numbers and 
titles for this rule.

List of Subjects in 38 CFR Part 75

    Administrative practice and procedure, Credit monitoring, Data 
breach, Data breach analysis, Data mining, Fraud alerts, Identity theft 
insurance, Information, Notification, Risk analysis, Security measures.

    Approved: April 4, 2008.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.

PART 75--INFORMATION SECURITY MATTERS

    Accordingly, the interim final rule establishing 38 CFR part 75 
that was published in the Federal Register at 72 FR 34395 on June 22, 
2007, is adopted as a final rule without changes.

[FR Doc. E8-7726 Filed 4-10-08; 8:45 am]
BILLING CODE 8320-01-P