As many are now aware, the administration recently passed legislation that will delay access to current death data on the Social Security Administration’s Death Master File (SSA DMF) for three years. This legislation provides for a certification process that will allow qualified entities to (continue to) receive more timely access, provided that they can demonstrate both a legitimate need and also ensure proper controls regarding the secure storage, distribution and usage of the death data.
I was fortunate to be able to attend the public meeting hosted by the NTIS on March 4th. In addition to a small turnout in Alexandria, VA that included representatives from both NAIC and ACLI, there were 111 participants who attended via WebEx. The objective was to solicit public comments regarding the “establishment and implementation of a certification program for access to the DMF.” As such, the NTIS was not specifically responding to participant questions and concerns in this forum. A copy of the notice & RFI can be found here: http://www.ntis.gov/products/ssa-dmf.aspx.
Comments are due on or before March 18, 2014. On a positive note, I can now reaffirm my belief that the NTIS will be taking steps to provide a path to certification for insurers and service providers that use the SSA DMF for the purpose of identifying deceased insureds. The question remains as to what that process will look like and how onerous it will be.
In order to help provide guidance, our formal input to the NTIS will include the following:
- As written, section 203(C)(1) of the Act essentially states that Certified Users not only have to ensure their own compliance, but also the compliance of those to whom the DMF data is passed along, even in the regular and proper course of doing business. Our recommendation is that the NTIS must provide all users with access to a central repository of Certified Users to confirm certification status, or must rely on an ‘honor system’ where third parties provide written assurance that they are certified. Ideally, certain businesses such as insurers would have a ‘blanket’ pre-approved certification, and we strongly encourage our insurance clients to formally echo this request.
- Beyond the above, our position is that Certified Users will not have a reasonable ability to ensure more specific compliance from those that they deliver output to, or certainly any distribution further down the line. Similarly, Certified Users cannot reasonably be expected to conduct IT Security audits on all third parties. In many scenarios, such rights to inspect/audit are unlikely to be granted and in any event would be cost prohibitive. Our belief is that allowing the exchange of data between two Certified Users (including those with any ‘blanket’ approval) should be sufficient.
- We also encourage the NTIS to set reasonable standards regarding record retention and documentation requirements. To demonstrate reasonable compliance, this could be done in aggregate by maintaining project logs containing the certified recipient’s name, transfer date and number of records returned. In contrast, we do not believe it makes sense to maintain confidential data at the record level any longer than a client (or traditional Disaster Recovery plan) may reasonably deem appropriate, particularly given the size of the data sets in question. The NTIS must also consider that storing large volumes of data for auditing purposes has its own inherent cost and security considerations.
- We are also requesting that if a certification process is introduced, that State Protected Records and additional descriptive fields such as State & Zip Code be added back in. While we understand the hurdles that this would entail, we believe that making this request sends an important message representing the strong beliefs of the majority of legitimate SSA DMF users. Our belief is that this will also reduce the potential for fraud for a host of reasons that I will refrain from delineating again here.
- Importantly, a point that another participant raised is that the NTIS must include a suitable grace period that will allow all (timely) applicants to be able to complete the certification process before any restrictions are imposed. This will allow companies to continue to provide services, and end users to continue to comply with regulations and best practices, throughout the certification process. This will also prevent those that ‘go first’ from having an undue competitive advantage.
- Finally, there is another nuance worth considering. Let’s assume for a moment that an insurer did not have an insured’s valid Social Security Number (SSN) in their books and records. If, as a byproduct of a match to the SSA DMF, the insurer then adds an SSN to their records, does this one single piece of data then have to be controlled in some manner different from all of the other controls the insurer already has in place? Put aside the SSN for a moment and consider Date of Death, as that is certainly a data element the insurer will often not have prior to the DMF process. If the insurer then adds this field (sourced from the DMF) to their records, in turn provides it to a partner who does beneficiary outreach, and separately also eventually provides that same record to any other party as part of their normal claims process, is that then subject to some additional regulatory oversight in connection with this certification process? Remember, in this example, the insurer already owned the customer relationship and simply incorporated one single additional piece of data. In considering this, I would suggest that the NTIS should not require additional oversight or rights to inspect in such circumstances.
In conclusion, I applaud the NTIS for seeking comments in order to implement a certification process that safeguards confidential data in a manner that can be reasonably and cost-effectively implemented within the complex marketplace in which we all operate on a daily basis. I also urge our clients and readers to submit these and any additional comments to the NTIS on or before March 18th.
For more information on Cross Country Computer’s APEARS® death matching capabilities and to stay informed about other relevant insurance legislation, please contact Thomas Berger at (631) 220-6947 or via email to TBerger@crosscountrycomputer.com.