Tough cybersecurity certification requirements for parties seeking access to certain information in the Social Security Death Master File (DMF) take effect on November 28.
The final rule imposing the cybersecurity standards (the Rule), promulgated by the U.S. Department of Commerce’s National Technical Information Service (NTIS), will become effective amid continuing uncertainty about what measures will be sufficient for certification, who can provide the required attestation to those measures, and whether sufficient measures can be undertaken quickly enough to avoid a lapse in access to the DMF.
Perhaps the most significant change from the interim rule is the new requirement that an Accredited Conformity Assessment Body (ACAB) attest that the person seeking access to the DMF can actually safeguard DMF information in compliance with the Rule.
The Rule also includes serious enforcement provisions: NTIS can conduct both scheduled and unscheduled compliance audits, and levy fines for noncompliance as high as $250,000 per year, with even higher fines for willful violations.
Annual re-certification is required, though attestation by an ACAB will be effective for three years. For parties already certified under the interim rule, NTIS has provided for limited grandfathering, with existing certifications remaining in effect until expiration. Thereafter, maintaining certification requires submitting a new certification application, which is being drafted by NTIS, paying associated fees, and signing an amendment to the subscriber or license agreement.
History of the Rule
When the Rule takes effect on November 28, it will conclude a process that has been unfolding for over three years.
As we have previously reported (April 15, 2013 Legal Alert), proposals to limit access to the DMF based on cybersecurity standards were raised by the Obama Administration in early 2013, and the Senate Finance Committee held a hearing on the proposals soon after (April 19, 2013 Legal Alert). Later in 2013, Congress passed the Bipartisan Budget Act adopting proposals that directed the Department of Commerce to create a certification program limiting DMF access to persons who both had a legitimate purpose and could adequately safeguard the accessed information.
NTIS released an interim final rule to meet Congress’s tight 90-day deadline in March 2014 (March 26, 2014 Legal Alert), and soon after proposed a final rule to replace the interim rule. Finally, and over 18 months after it was proposed, NTIS released its final rule on June 1, 2016; the Rule becomes effective on November 28, 2016.
The Rule’s Requirements
Scope of the Rule
The Rule does not restrict access to all information in the DMF. Rather, its scope is confined to the “Limited Access Death Master File” (LADMF), defined as DMF information relating to “any deceased individual at any time during the three-calendar-year period beginning on the date of the individual’s death.”1
However, unlike the interim rule, the final rule specifically excludes from the definition of LADMF any “individual element of information” obtained from an independent source. Therefore, information gathered by other means (e.g., a social security number obtained through an application, date of death learned through an obituary, etc.) is not information covered by the definition of LADMF.
Further, NTIS clarified that fact of death, distinguished from date of death, is not part of the definition of LADMF.2 That holds true even if the fact of death is learned through the DMF. This clarification is of particular interest to, for example, life insurance companies concerned that disclosing the fact of an insured’s death to a beneficiary could be considered a prohibited re-disclosure of LADMF information.
The Rule applies only to covered persons. The definition of “person” includes individuals, corporations, and other business entities. And, unlike the interim rule (and over objections state regulators raised in comments to NTIS), the Rule also includes state and local government agencies.3 Executive departments or agencies of the Federal government, however, are not covered persons, and hence need not comply with the Rule.4
For entities that fall within the scope of the Rule, the baseline requirements for certification are demonstrating: (1) a legitimate purpose for accessing LADMF; and (2) the ability to adequately safeguard the information gathered from LADMF.
Legitimate Purpose for Accessing LADMF
Any covered person seeking access to LADMF must demonstrate either a legitimate fraud prevention interest or a legitimate business purpose.5 This requirement is identical to the requirement found in the interim rule.
Some commenters urged NTIS to designate certain specific activities as legitimate purposes, including health care research and insurance fraud investigation. However, NTIS declined to make specific designations, and will continue evaluating legitimacy of purpose on a case-by-case basis.
Meeting the substantive cybersecurity standards under the Rule will involve significantly more time and expense than was the case under the interim rule, because self-certification is no longer an option.
Under the Rule, a person seeking certification must have “systems, facilities, and procedures in place to safeguard [LADMF] information, and experience in maintaining the confidentiality, security, and appropriate use of [LADMF] information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986.”
NTIS has provided some guidance on what substantive cybersecurity measures would be sufficient to qualify as “reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986” in its Publication 100. However, in the release announcing the Rule, NTIS stressed that Publication 100 provides only “examples” of adequate safeguards and, further, states that it is a “living” document subject to revision. Therefore, adherence to the NTIS guidance in Publication 100 may be neither necessary nor sufficient for adequate safeguarding, depending on the circumstances. In response to comments, NTIS explicitly declined to include Publication 100, or any other specific cybersecurity standards (e.g., ISO 27001 or COBIT), as part of the Rule.
Perhaps the most significant change in the Rule is how persons seeking access to LADMF must be certified. The interim rule allowed for self-certification to the substantive standards.6 Now, however, and despite strong opposition by many commenters, attestation by an ACAB will be required for certification.7 To be qualified to attest, an ACAB must be “accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO/IEC 27006.”8 NTIS emphasized that ISO/IEC 27006 is not the only acceptable accreditation standard, and that AICPA’s SOC2 standard, and other similar standards, may be acceptable.9
In any case, once a covered person accesses LADMF information, the Rule prohibits re-disclosure of that information except to other persons who have a legitimate purpose and adequate safeguards. This exception is bolstered by a safe harbor for disclosures from one certified person to another. Also, in response to some commenters, NTIS clarified that even if certain information is also contained in the LADMF, re-disclosure is not limited by the Rule when that information is obtained independently of LADMF. As discussed above, such information is not considered to be part of LADMF.
Persons required to access LADMF information are left asking several difficult questions as the effective date approaches.
First, while NTIS pointed to examples of certification standards that ACABs must meet, it declined to set a uniform standard, or even to maintain a list of approved auditors. So, while it is clear enough that ACABs accredited to a standard such as ISO/IEC 27006 or SOC2 will pass muster, companies wishing to opt for ACABs accredited to other standards have no guarantee that the attestation of such an ACAB will be acceptable to NTIS and sufficient for the company to obtain certification.
Second, the lack of guidance on exactly what cybersecurity measures NTIS will consider to be “reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986” is particularly troubling. Especially where parties are already certified to one or more substantive standards (e.g., ISO 27001, COBIT, SOC2, PCI DSS, etc.) or already meet strict regulatory requirements for cybersecurity (e.g., for HIPAA, GLBA, state insurance regulations, etc.), it is not clear whether companies must undertake further measures, or undergo a fresh round of audits, before an ACAB could attest to the adequacy of a company’s cybersecurity measures for purposes of LADMF access.
These, and doubtless other, difficult questions still linger as the Rule takes effect at the end of this month. Considering the Rule together with new cybersecurity standards promulgated by the NY DFS (September 22, 2016 Legal Alert) and proposed by the federal bank regulators (OCC, FDIC, and the Federal Reserve), cybersecurity is sure to be front and center for compliance officers going forward.