Certification Program for Access to the Death Master File

 

Comments are due on or before 5:00 p.m. Eastern time March 18, 2014. The public meeting will take place on Tuesday, March 4, 2014, from 9:00 a.m. to 12:00 p.m. Eastern time at the place noted under ADDRESSES, and comments made orally during the public comment portion of the public meeting will be recorded and transcribed.

Written comments must be submitted to John Hounsell by email at jhounsell@ntis.gov, or in paper form at NTIS, 5301 Shawnee Road, Alexandria, VA 22312. The public meeting will take place at the United States Patent and Trademark Office, Madison Building West, 600 Dulany Street, Alexandria, VA 22314. The public meeting will also be webcast.

John Hounsell at jhounsell@ntis.gov or 703-605-6184.

This Request for Information (RFI) seeks comments from the public regarding the establishment by the National Technical Information Service (NTIS) of the new certification program for persons who seek access to the Social Security Administration's Public Death Master File (DMF) at any time within the three-calendar-year period following an individual's death, as required by Section 203 of the Bipartisan Budget Act of 2013 (Pub. L. 113-67) (Act). The Act prohibits disclosure of DMF information during the three-calendar-year period following death unless the person requesting the information has been certified under a program established by the Secretary of Commerce. The Act directs the Secretary of Commerce to establish a certification program for such access to the DMF. Section 203, “Restriction on Access to the Death Master File,” requires a fee-based certification program for allowable uses of DMF data for any deceased individual within three calendar years of the individual's death. Authority to carry out Section 203 has been delegated by the Secretary of Commerce to the National Technical Information Service (NTIS).

NTIS will establish the certification program in a manner consistent with the Act and its mission, to promote American innovation and economic growth by collecting and disseminating scientific, technical and engineering information to the public and industry, by providing information management solutions to other Federal agencies, and by doing all without appropriated funding. A summary of the provisions of Section 203 is provided below.

Section 203(a) of the Act directs that the Secretary of Commerce (Secretary) “shall not disclose to any person information contained on the Death Master File with respect to any deceased individual at any time during the 3-calendar-year period beginning on the date of the individual's death, unless such person is certified under the program established under subsection (b)” of Section 203.

Section 203(b)(1) of the Act directs the Secretary to “establish a program (A) to certify persons who are eligible to access the information described in subsection (a) contained on the Death Master File, and (B) to perform periodic and unscheduled audits of certified persons to determine the compliance by such certified persons with the requirements of the program.”

Under Section 203(b)(2) of the Act, a person “shall not be certified under the program established under paragraph (1) unless such person certifies that access to the information described in subsection (a) is appropriate because such person (A) has (i) a legitimate fraud prevention interest, or (ii) a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, and (B) has systems, facilities, and procedures in place to safeguard such information, and experience in maintaining the confidentiality, security, and appropriate use of such information, pursuant to requirements similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986 (IRC), and (C) agrees to satisfy the requirements of such section 6103(p)(4) as if such section applied to such person.”

Section 203(b)(3)(A) of the Act directs the Secretary to “establish under section 9701 of title 31, United States Code, a program for the charge of fees sufficient to cover (but not to exceed) all costs associated with evaluating applications for certification and auditing, inspecting, and monitoring certified persons under the program. Any fees so collected shall be deposited and credited as offsetting collections to the accounts from which such costs are paid.” Section 203(b)(3)(B) of the Act requires the Secretary to report annually to the Congress “on the total fees collected during the preceding year and the cost of administering the certification program under this subsection for such year.”

Section 203(c)(1) of the Act provides that any person “certified under the program established under subsection (b), who receives information described in subsection (a), and who during the period of time described in subsection (a)(A) discloses such information to any person other than a person who meets the requirements of subparagraphs (A), (B), and (C) of subsection (b)(2), (B) discloses such information to any person who uses the information for any purpose not listed under subsection (b)(2)(A) or who further discloses the information to a person who does not meet such requirements, or (C) uses any such information for any purpose not listed under subsection (b)(2)(A), and any person to whom such information is disclosed who further discloses or uses such information as described in the preceding subparagraphs, shall pay a penalty of $1,000 for each such disclosure or use. Under Section 203(c)(2), the total penalty imposed on any person for any calendar year “shall not exceed $250,000,” unless the Secretary determines the violations to have been “willful or intentional.”

Section 203(d) of the Act defines the term “Death Master File” to mean “information on the name, social security account number, date of birth, and date of death of deceased individuals maintained by the Commissioner of Social Security, other than information that was provided to such Commissioner under section 205(r) of the Social Security Act (42 U.S.C. 405(r)).”

Under Section 203(e)(1) of the Act, no Federal agency “shall be compelled to disclose,” to any person “not certified,” information contained on the Death Master File with respect to any deceased individual at any time during the 3-calendar-year period beginning on the date of the individual's death. Section 203(e)(2) of the Act provides that Section 203 shall be considered a statute described in subsection (b)(3) of section 552 of title 5, United States Code (the Freedom of Information Act (FOIA)).

Under Section 203(f) of the Act, Section 203 takes effect 90 days after the date of the enactment, while Section 203(e) (the FOIA provision) takes effect upon enactment.

During Congressional debate on the Joint Resolution, H. J. Res. 59, which, upon being passed by Congress and signed into law by the President, became the Bipartisan Budget Act of 2013, several Members of Congress described their understanding of the purpose and meaning of Section 203. Members offering statements included Representatives Johnson, [1] Bachus [2] and Neal, [3] and Senators Nelson, [4] Murray, [5] Casey [6] and Hatch. [7]

The Social Security Administration (SSA) compiles the DMF from certain deaths reported to the agency. SSA receives death reports from many sources, including family members, funeral homes, hospitals, States, Federal agencies, postal authorities and financial institutions. The DMF is not a complete file of all deaths, and does not include State death records. (Section 205(r) of the Social Security Act prohibits SSA from disclosing this information to the public on the DMF.) In addition, SSA cannot guarantee the accuracy of the DMF. The absence of a particular person on this file is not proof that the individual is alive. Further, in rare instances it is possible for the record of a person who is not deceased to be included erroneously in the DMF.

SSA makes the DMF available to the public through an agreement with NTIS. NTIS offers the DMF to the public through an online search application, as well as through raw data file download products. DMF subscribers have the option of subscribing to an online search application or maintaining a raw data version of the file at their location. The online service is updated on a weekly basis, and raw data file weekly and monthly updates are offered electronically via https, as well as via secure FTP.

The Death Master File is an important tool which has been used for many purposes. It is used by pension funds, insurance organizations, Federal, State and Local government entities and others responsible for verifying deceased person(s) in support of fulfillment of benefits to their beneficiaries. By methodically running financial, credit, payment and other applications against the Death Master File, the financial community, insurance companies, security firms and State and Local governments are better able to identify and prevent identity fraud, and identify customers who are deceased. Other current users include clinicians and medical researchers tracking former patients and study subjects, law enforcement and genealogists.

While the DMF unquestionably plays an important role in preventing identity fraud, concern about misuse of publicly available DMF information, as noted in the statements of several Members of Congress cited above, led to the inclusion of Section 203 in the Act, signed into law by President Obama. NTIS seeks comments from the public on how best to implement the certification program mandated under Section 203.

The following questions cover the major areas for which NTIS seeks comment. The questions are not intended to limit topics that may be addressed through this Request for Information, and commenters may address any topic they believe has implications for the establishment of a certification program for access to the DMF, regardless of whether this document mentions it. NTIS will consider all timely comments received.

Comments containing references, studies, research, and other empirical data that are not widely published should include copies of the referenced materials. No confidential or proprietary comments, information or materials are to be submitted, and all submitted comments will be made available publically at http://dmf.ntis.gov/.

In the questions that follow, references to “you” are intended to include individual persons as well as organizations unless otherwise indicated, and submitted comments should distinguish between individuals and organizations as necessary or desirable for context.

Certification Program

NTIS solicits information on implementation of the certification program mandated under Section 203. In particular, NTIS seeks to understand how persons would characterize the basis for their use of DMF information as it relates to the certification criteria of Section 203. In addition, NTIS seeks to understand how persons who seek certification would comply with the requirements set forth under Section 203 to safeguard DMF information. NTIS also seeks information regarding how to best ensure the safeguarding of released DMF information.

1. Do you think that you have a legitimate fraud prevention interest in accessing DMF information, as described in the Act? If so, explain in detail the basis of that interest.

2. If you have a legitimate business purpose pursuant to a law, explain in detail the basis of that legitimate business purpose and cite the relevant law.

3. If you have a legitimate business purpose pursuant to a governmental rule, explain in detail the basis of that legitimate business purpose and cite the relevant governmental rule.

4. If you have a legitimate business purpose pursuant to a regulation, explain in detail the basis of that legitimate business purpose and cite the relevant regulation.

5. If you have a legitimate business purpose pursuant to a fiduciary duty, explain in detail the basis of that legitimate business purpose and cite the relevant fiduciary duty.

6. Do you have systems, facilities, and procedures in place to safeguard DMF information, and experience in maintaining the confidentiality, security, and appropriate use of such information? If so, explain in detail.

7. If you have systems, facilities, and procedures in place to safeguard DMF information, or to safeguard sensitive information other than DMF information, explain whether and how your systems, facilities, and procedures are audited, inspected or monitored.

8. If you have systems, facilities, and procedures in place to safeguard DMF information, or to safeguard sensitive information other than DMF information, and if your systems, facilities, and procedures are audited, inspected or monitored, explain whether that is voluntary, or whether it is required by law, governmental rule, regulation, fiduciary duty, or other reason and cite such.

9. If you have systems, facilities, and procedures in place to safeguard DMF information, or to safeguard sensitive information other than DMF information, and if your systems, facilities, and procedures are audited, inspected or monitored, explain whether any of these reviews would reveal (1) how such information was used by you, (2) whether such information had been disclosed to a third person, and (3) how such information, if disclosed to a third person, was used by that person, or was further disclosed by that person to a fourth person.

10. If you have systems, facilities, and procedures in place to safeguard DMF information, and experience in maintaining the confidentiality, security, and appropriate use of such information, explain in detail the extent to which these satisfy the requirements of section 6103(p)(4) of the IRC, or satisfy requirements “similar” to the requirements of section 6103(p)(4) of the IRC.

11. If you do not currently have systems, facilities, and procedures in place to safeguard DMF information, explain how you would anticipate putting such systems, facilities, and procedures in place in order to become certified to access DMF information.

12. Under the Act, you are required to certify that you have systems, facilities, and procedures in place to safeguard DMF information, and experience in maintaining the confidentiality, security, and appropriate use of such information, pursuant to requirements “similar” to the requirements of section 6103(p)(4) of the IRC. Please explain in detail how your systems, etc., and experience might be “similar” but not identical to the requirements of section 6103(p)(4) of the IRC, and how any differences from the requirements of section 6103(p)(4) of the IRC would nevertheless permit achieving the objective of safeguarding DMF information.

13. What systems, facilities, and procedures do you believe are necessary to safeguard DMF information provided under the Act, including audit, inspection and monitoring procedures?

14. Identify laws or regulations that require the safeguarding of released DMF information, and summarize the procedures required by such laws or regulations.

Fees and Penalties

NTIS solicits information on the fees and penalties mandated under Section 203. In particular, because Section 203 mandates the charge of fees to cover, but not to exceed, all costs associated with evaluating applications for certification and auditing, inspecting, and monitoring certified persons under the program, NTIS seeks to understand whether persons desiring to access DMF information during the initial three-calendar-year period, including persons currently accessing DMF information, would participate in a fee-based certification program in order to obtain or maintain access to the DMF. NTIS also seeks to understand how persons certified under the certification program would avoid disclosing such information to any person not authorized to obtain such information because they are not certified or, if certified, would use such information for a purpose not listed under Section 203(b)(2)(A).

15. Would the imposition of a single, presumably larger, fee at the time of certification be preferable to the charge of multiple, presumably smaller, fees, such as annual fees?

16. In order to become certified to have access to DMF information, how would you prevent disclosure of such information to any person other than a person who was also certified, or who, if not certified, would meet the requirements of certification?

Death Master File Information

NTIS solicits comments on the term “Death Master File,” as that term is defined in Section 203: “information on the name, social security account number, date of birth, and date of death of deceased individuals maintained by the Commissioner of Social Security, other than information that was provided to such Commissioner under section 205(r) of the Social Security Act (42 U.S.C. 405(r)).” In particular, NTIS seeks to understand whether persons currently accessing the DMF, or who might wish to access the DMF in the future, during the initial three-calendar-year period, need access to all the types of information included within the definition of that term in order to make use of DMF information. If access to all the types of information included within the definition of the term “Death Master File” is not needed for persons to make use of DMF information, NTIS seeks to understand which type(s) of information is not needed.

17. If you currently access DMF information, does your use of that information include or require the name, social security account number, date of birth, and date of death of deceased individuals? If not, explain which type(s) of DMF information you do not use.

18. Would you find it useful to access DMF information that included information for a deceased individual during the 3-calendar-year period beginning on the date of the individual's death, but did not include one or more of the name, social security account number, date of birth, and date of death of the deceased individual? If so, explain which type(s) of DMF information could be excluded.

NTIS will hold a public meeting at which members of the public may provide comments on the establishment of the certification program for access to the DMF in person on Tuesday, March 4, 2014, from 9:00 a.m. to 12:00 p.m. Eastern time at the United States Patent and Trademark Office, Madison Building West, 600 Dulany Street, Alexandria, VA 22341. As with written comments, comments made orally at the public meeting should not include confidential or proprietary information, and all comments from attendees will be will be recorded and transcribed, and will made available publically along with written comments at http://dmf.ntis.gov/.

Seating at the public meeting will be limited, and attendance will be “first-come, first-served,” on a space-available basis. The public meeting will also be webcast for those who are unable to participate in person. Details about the public meeting, including how to register, will be posted at the NTIS DMF Web page, http://dmf.ntis.gov/. The NTIS DMF Web page also has information about how to subscribe to the NTIS email distribution list to receive announcements from NTIS about the progress of the establishment of the certification program. To subscribe to this free service, you may provide an email address to jhounsell@ntis.gov.

Dated: February 25, 2014.

Bruce Borzino,

Director.

[FR Doc. 2014-04584 Filed 2-28-14; 8:45 am]

BILLING CODE 3510-04-P

https://www.federalregister.gov/articles/2014/03/03/2014-04584/certification-program-for-access-to-the-death-master-file