Cybersecurity Certifications Now Required to Access Death Master File

by Eversheds Sutherland (US) LLP

Sutherland Asbill & Brennan LLP

Tough cybersecurity certification requirements for parties seeking access to certain information in the Social Security Death Master File (DMF) take effect on November 28.

The final rule imposing the cybersecurity standards (the Rule), promulgated by the U.S. Department of Commerce’s National Technical Information Service (NTIS), will become effective amid continuing uncertainty about what measures will be sufficient for certification, who can provide the required attestation to those measures, and whether sufficient measures can be undertaken quickly enough to avoid a lapse in access to the DMF.

Perhaps the most significant change from the interim rule is the new requirement that an Accredited Conformity Assessment Body (ACAB) attest that the person seeking access to the DMF can actually safeguard DMF information in compliance with the Rule.

The Rule also includes serious enforcement provisions: NTIS can conduct both scheduled and unscheduled compliance audits, and levy fines for noncompliance as high as $250,000 per year, with even higher fines for willful violations.

Annual re-certification is required, though attestation by an ACAB will be effective for three years. For parties already certified under the interim rule, NTIS has provided for limited grandfathering, with existing certifications remaining in effect until expiration. Thereafter, maintaining certification requires submitting a new certification application, which is being drafted by NTIS, paying associated fees, and signing an amendment to the subscriber or license agreement.

History of the Rule

When the Rule takes effect on November 28, it will conclude a process that has been unfolding for over three years.

As we have previously reported (April 15, 2013 Legal Alert), proposals to limit access to the DMF based on cybersecurity standards were raised by the Obama Administration in early 2013, and the Senate Finance Committee held a hearing on the proposals soon after (April 19, 2013 Legal Alert). Later in 2013, Congress passed the Bipartisan Budget Act adopting proposals that directed the Department of Commerce to create a certification program limiting DMF access to persons who both had a legitimate purpose and could adequately safeguard the accessed information. 

NTIS released an interim final rule to meet Congress’s tight 90-day deadline in March 2014 (March 26, 2014 Legal Alert), and soon after proposed a final rule to replace the interim rule. Finally, and over 18 months after it was proposed, NTIS released its final rule on June 1, 2016; the Rule becomes effective on November 28, 2016.

The Rule’s Requirements

Scope of the Rule

The Rule does not restrict access to all information in the DMF. Rather, its scope is confined to the “Limited Access Death Master File” (LADMF), defined as DMF information relating to “any deceased individual at any time during the three-calendar-year period beginning on the date of the individual’s death.”1

However, unlike the interim rule, the final rule specifically excludes from the definition of LADMF any “individual element of information” obtained from an independent source. Therefore, information gathered by other means (e.g., a social security number obtained through an application, date of death learned through an obituary, etc.) is not information covered by the definition of LADMF.

Further, NTIS clarified that the fact of death, as distinguished from the date of death, is not part of the definition of LADMF.2 That holds true even if the fact of death is learned through the DMF. This clarification is of particular interest to, for example, life insurance companies concerned that disclosing the fact of an insured’s death to a beneficiary could be considered a prohibited re-disclosure of LADMF information.

The Rule applies only to covered persons. The definition of “person” includes individuals, corporations, and other business entities. And, unlike the interim rule (and over objections state regulators raised in comments to NTIS), the Rule also includes state and local government agencies.3 Executive departments or agencies of the Federal government, however, are not covered persons, and hence need not comply with the Rule.4

For entities that fall within the scope of the Rule, the baseline requirements for certification are demonstrating: (1) a legitimate purpose for accessing LADMF; and (2) the ability to adequately safeguard the information gathered from LADMF.

Legitimate Purpose for Accessing LADMF

Any covered person seeking access to LADMF must demonstrate either a legitimate fraud prevention interest or a legitimate business purpose.5 This requirement is identical to the requirement found in the interim rule.

Some commenters urged NTIS to designate certain specific activities as legitimate purposes, including health care research and insurance fraud investigation. However, NTIS declined to make specific designations, and will continue evaluating legitimacy of purpose on a case-by-case basis.

Adequate Safeguards

Meeting the substantive cybersecurity standards under the Rule will involve significantly more time and expense than was the case under the interim rule, because self-certification is no longer an option.

Under the Rule, a person seeking certification must have “systems, facilities, and procedures in place to safeguard [LADMF] information, and experience in maintaining the confidentiality, security, and appropriate use of [LADMF] information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986.”

NTIS has provided some guidance on what substantive cybersecurity measures would be sufficient to qualify as “reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986” in its Publication 100. However, in the release announcing the Rule, NTIS stressed that Publication 100 provides only “examples” of adequate safeguards and, further, states that it is a “living” document subject to revision. Therefore, adherence to the NTIS guidance in Publication 100 may be neither necessary nor sufficient for adequate safeguarding, depending on the circumstances. In response to comments, NTIS explicitly declined to include Publication 100, or any other specific cybersecurity standards (e.g., ISO 27001 or COBIT), as part of the Rule.

Perhaps the most significant change in the Rule is how persons seeking access to LADMF must be certified. The interim rule allowed for self-certification to the substantive standards.6 Now, however, and despite strong opposition by many commenters, attestation by an ACAB will be required for certification.7 To be qualified to attest, an ACAB must be “accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO/IEC 27006.”8 NTIS emphasized that ISO/IEC 27006 is not the only acceptable accreditation standard, and that AICPA’s SOC2 standard, and other similar standards, may be acceptable.9

In any case, once a covered person accesses LADMF information, the Rule prohibits re-disclosure of that information except to other persons who have a legitimate purpose and adequate safeguards. This exception is bolstered by a safe harbor for disclosures from one certified person to another. Also, in response to some commenters, NTIS clarified that even if certain information is also contained in the LADMF, re-disclosure is not limited by the Rule when that information is obtained independently of LADMF. As discussed above, such information is not considered to be part of LADMF.

Implications

Persons required to access LADMF information are left asking several difficult questions as the effective date approaches. 

First, while NTIS pointed to examples of accreditation standards that ACABs may meet, it declined to set a uniform standard, or even to maintain a list of approved auditors. So, while NTIS has indicated that ACABs accredited under a standard such as ISO/IEC 27006, or a comparable standard such as AICPA’s SOC 2, will be acceptable, companies wishing to use ACABs accredited under other standards have no assurance that such an ACAB’s attestation will be accepted by NTIS and sufficient for the company to obtain certification.

Second, the lack of guidance on exactly what cybersecurity measures NTIS will consider to be “reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986” is particularly troubling. Especially where parties are already certified to one or more substantive standards (e.g., ISO 27001, COBIT, SOC2, PCI DSS, etc.) or already meet strict regulatory requirements for cybersecurity (e.g., for HIPAA, GLBA, state insurance regulations, etc.), it is not clear whether companies must undertake further measures, or undergo a fresh round of audits, before an ACAB could attest to the adequacy of a company’s cybersecurity measures for purposes of LADMF access.

These, and doubtless other, difficult questions still linger as the Rule takes effect at the end of this month. Considering the Rule together with new cybersecurity standards promulgated by the NY DFS (September 22, 2016 Legal Alert) and proposed by the federal bank regulators (OCC, FDIC, and the Federal Reserve), cybersecurity is sure to be front and center for compliance officers going forward.

1 81 Fed. Reg. 34891.

2 See id. at 34883.

3 Id. at 34891.

4 Id. at 34883.

5 Id. at 34892.

6 See 79 Fed. Reg. 16671.

7 See 81 Fed. Reg. 34893.

8 Id. at 34885.

9 See id.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
