In June, the National Technical Information Service (NTIS) promulgated a final rule setting out the requirements to become certified to access the Death Master File (DMF). The final rule amends the DMF certification program found in 15 CFR 1110, and was promulgated by NTIS, as delegee of the Secretary of Commerce, under Section 203 of the Bipartisan Budget Act of 2013. It supersedes and replaces an interim rule.
The DMF is a Social Security Administration database that contains names, Social Security numbers, and dates of birth and death for U.S. citizens who have died since 1936.
The final rule states that companies that wish to access the DMF must submit a written attestation from an accredited conformity assessment body (ACAB), as that term is defined in the rule, stating that the company has proper information security systems, facilities, and procedures in place to protect the security of the DMF. The final rule also authorizes the ACAB to conduct periodic audits of companies with access to the DMF. NTIS stated in supplemental information accompanying the announcement of the final rule, however, that companies subject to laws imposing privacy and security requirements, such as the GLBA, FCRA, and HIPAA, should not be expected to incur the burden of a DMF-specific audit when they have had or will have an appropriate independent assessment or audit performed for other purposes.
The final rule enumerates possible penalties for unauthorized disclosures or use of the DMF. Penalties can include a $1,000 fee payable to the U.S. general fund for each unauthorized disclosure to a non-certified person. The rule takes effect November 28, 2016. Any person or corporation previously certified under the interim rule will need to become recertified in conformity with the final rule’s requirements.