Title 15 Part 1110

Electronic Code of Federal Regulations e-CFR

e-CFR data is current as of June 15, 2018

Title 15: Commerce and Foreign Trade


PART 1110—CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE


Subpart A—General

§1110.1   Description of rule; applicability.

(a) The Bipartisan Budget Act of 2013 (Pub. L. 113-67), Section 203, provides for the establishment of a fee-based certification program for persons who seek access to the Death Master File (DMF), and prohibits disclosure of DMF information for an individual during the three-calendar-year period following the individual's death, unless the person requesting the information has been certified.

(b) This part is applicable to any Person seeking access to a Limited Access DMF, as defined in this part.

§1110.2   Definitions used in this part.

The following definitions are applicable to this part:

Act. The Bipartisan Budget Act of 2013 (Pub. L. 113-67).

Accredited Conformity Assessment Body. A third party conformity assessment body that is accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27006-2011, “Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems,” to attest that a Person or Certified Person has systems, facilities and procedures in place to safeguard Limited Access DMF.

Certified Person. A Person who has been certified under the certification program established under this part and is eligible to access the Limited Access DMF.

DMF. Death Master File.

Death Master File. Information on the name, social security account number, date of birth, and date of death of deceased individuals maintained by the Commissioner of Social Security, other than information that was provided to such Commissioner under section 205(r) of the Social Security Act (42 U.S.C. 405(r)).

Limited Access DMF. The DMF product made available by NTIS which includes DMF with respect to any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death. As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Person obtains, or a third party subsequently provides to such Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, such information in the possession of such Person is not part of the Limited Access DMF or subject to this part.

NTIS. The National Technical Information Service, United States Department of Commerce.

Open Access DMF. The DMF product made available by NTIS which does not include DMF with respect to any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death.

Person. Includes corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.

[79 FR 16670, Mar. 26, 2014, as amended at 81 FR 34891, June 1, 2016]

Subpart B—Certification Program

§1110.100   Scope term.

(a) Any Person desiring access to the Limited Access DMF must certify in accordance with this part. Upon acceptance of a Person's certification by NTIS, such Person will be a Certified Person, will be entered into the publicly available list of Certified Persons maintained by NTIS, and will be eligible to access the Limited Access DMF made available by NTIS through subscription.

(b) Certification under this part is not required for any Person to access the Open Access DMF made available by NTIS; however, a Certified Person may also access the Open Access DMF.

§1110.101   Submission of certification; attestation.

(a) In order to become certified under the certification program established under this part, a Person must submit a completed certification statement and any required documentation, using the most current version of the Limited Access Death Master File Subscriber Certification Form, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.

(b) In addition to the requirements under paragraph (a) of this section, in order to become certified, a Person must submit a written attestation from an Accredited Conformity Assessment Body that such Person has systems, facilities, and procedures in place as required under §1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement, but such review or assessment need not have been conducted specifically or solely for the purpose of submission under this part.

[81 FR 34891, June 1, 2016]

§1110.102   Certification.

In order to be certified to be eligible to access the Limited Access DMF under the certification program established under this part, a Person shall certify, in the manner set forth in this part and pursuant to section 1001 of title 18, United States Code, that

(a) Such Person's access to the Limited Access DMF is appropriate because:

(1) Such Person has a legitimate fraud prevention interest, or has a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, and shall specify the basis for so certifying;

(2) Such Person has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986;

(3) Such Person agrees to satisfy such similar requirements; and

(4) Such Person shall not, with respect to Limited Access DMF of any deceased individual:

(i) Disclose such deceased individual's Limited Access DMF to any person other than a person who meets the requirements of paragraphs (a)(1) through (3) of this section;

(ii) Disclose such deceased individual's Limited Access DMF to any person who uses the information for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;

(iii) Disclose such deceased individual's Limited Access DMF to any person who further discloses the information to any person other than a person who meets the requirements of paragraphs (a)(1) through (3) of this section; or

(iv) Use any such deceased individual's Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.

(b) The certification required in this section shall state whether such Person intends to disclose such deceased individual's DMF to any person, and if so, shall state the manner of such disclosure and how such Person will ensure compliance with paragraphs (a)(4)(i) through (iii) of this section.

[79 FR 16670, Mar. 26, 2014, as amended at 81 FR 34892, June 1, 2016]

§1110.103   Disclosure to a certified person.

Disclosure by a Person certified under this part of Limited Access DMF to another Person certified under this part shall be deemed to satisfy the disclosing Person's obligation to ensure compliance with §1110.102(a)(4)(i) through (iii).

[81 FR 34892, June 1, 2016]

§1110.104   Revocation of certification.

False certification as to any element of §1110.102(a)(1) through (4) shall be grounds for revocation of certification, in addition to any other penalties at law. A Person properly certified who thereafter becomes aware that the Person no longer satisfies one or more elements of §1110.102(a) shall promptly inform NTIS thereof in writing.

[81 FR 34892, June 1, 2016]

§1110.105   Renewal of certification.

(a) A Certified Person may renew its certification status by submitting, on or before the date of expiration of the term of its certification, a completed certification statement in accordance with §1110.101, together with the required fee, indicating on the form NTIS FM161 that it is a renewal, and also indicating whether or not there has been any change in any basis previously relied upon for certification.

(b) Except as may otherwise be required by NTIS, where a Certified Person seeking certification status renewal has, within a three-year period preceding submission under paragraph (a) of this section, previously submitted a written attestation under §1110.101(b), or has within such period been subject to a satisfactory audit under §1110.201, such Certified Person shall so indicate on the form NTIS FM161, and shall not be required to submit a written attestation under §1110.101(b).

(c) A Certified Person who submits a certification statement, attestation (if required) and fee pursuant to paragraph (a) of this section shall continue in Certified Person status pending notification of renewal or non-renewal from NTIS.

(d) A Person who is a Certified Person before November 28, 2016 shall be considered a Certified Person under this part, and shall continue in Certified Person status until the date which is one year from the date of acceptance of such Person's certification by NTIS under the Temporary Certification Program, provided that if such expiration date falls on a weekend or a federal holiday, the term of certification shall be considered to extend to the next business day.

[81 FR 34892, June 1, 2016]

Subpart C—Penalties and Audits

§1110.200   Imposition of penalty.

(a) General. (1) Any Person certified under this part who receives Limited Access DMF, and who:

(i) Discloses Limited Access DMF to any person other than a person who meets the requirements of §1110.102(a)(1) through (3);

(ii) Discloses Limited Access DMF to any person who uses the Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;

(iii) Discloses Limited Access DMF to any person who further discloses the Limited Access DMF to any person other than a person who meets the requirements of §1110.102(a)(1) through (3); or

(iv) Uses any such Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; and

(2) Any Person to whom such Limited Access DMF is disclosed, whether or not such Person is certified under this part, who further discloses or uses such Limited Access DMF as described in paragraphs (a)(1)(i) through (iv) of this section, shall pay to the General Fund of the United States Department of the Treasury a penalty of $1,000 for each such disclosure or use, and, if such Person is certified, shall be subject to having such Person's certification revoked.

(b) Limitation on penalty. The total amount of the penalty imposed under this part on any Person for any calendar year shall not exceed $250,000, unless such Person's disclosure or use is determined to be willful or intentional. For the purposes of this part, a disclosure or use is willful when it is a “voluntary, intentional violation of a known legal duty.”

(c) Disclosure to a Certified Person. No penalty shall be imposed under paragraphs (a)(1)(i) through (iii) of this section on a first Certified Person who discloses, to a second Certified Person, Limited Access DMF, where the sole basis for imposition of penalty on such first Certified Person is that such second Certified Person has been determined to be subject to penalty under this part.

[81 FR 34892, June 1, 2016]

§1110.201   Audits.

Any Person certified under this part shall, as a condition of certification, agree to be subject to audit by NTIS, or, at the request of NTIS, by an Accredited Conformity Assessment Body, to determine the compliance by such Person with the requirements of this part. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, field audits (during regular business hours) or desk audits of a Certified Person. Failure of a Certified Person to submit to or cooperate fully with NTIS, or with an Accredited Conformity Assessment Body acting pursuant to this section, in its conduct of an audit, or to pay an audit fee to NTIS, will be grounds for revocation of certification.

[81 FR 24893, June 1, 2016]

Subpart D—Administrative Appeal

Source: 81 FR 34893, June 1, 2016, unless otherwise noted.

§1110.300   Appeal.

(a) General. Any Person adversely affected or aggrieved by reason of NTIS denying or revoking such Person's certification under this part, or imposing upon such Person under this part a penalty, may obtain review by filing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, fix in any case) after receiving notice of such denial, revocation or imposition, an administrative appeal to the Director of NTIS.

(b) Form of appeal. An appeal shall be submitted in writing to Director, National Technical Information Service, at NTIS's current mailing address as found on its Web site: www.ntis.gov., ATTENTION DMF APPEAL, and shall include the following:

(1) The name, street address, email address and telephone number of the Person seeking review;

(2) A copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken;

(3) A statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed;

(4) A request for hearing of oral argument before the Director, if desired.

(c) Power of attorney. A Person may, but need not, retain an attorney to represent such Person in an appeal. A Person shall designate any such attorney by submitting to the Director of NTIS a written power of attorney.

(d) Hearing. If requested in the appeal, a date will be set for hearing of oral argument before a representative of the Director of NTIS, by the Person or the Person's designated attorney, and a representative of NTIS familiar with the notice from which appeal has been taken. Unless it shall be otherwise ordered before the hearing begins, oral argument will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person's arguments.

(e) Decision. After a hearing on the appeal, if a hearing was requested, the Director of NTIS shall issue a decision on the matter within 120 days, or, if no hearing was requested, within 90 days of receiving the appeal. The decision of the Director of NTIS shall be made after consideration of the arguments and statements of fact and information in the Person's appeal, and the hearing of oral argument if a hearing was requested, but the Director of NTIS at his or her discretion and with due respect for the rights and convenience of the Person and the agency, may call for further statements on specific questions of fact or may request additional evidence in the form of affidavits on specific facts in dispute. After the original decision is issued, an appellant shall have 30 days (or a date as may be set by the Director of NTIS before the original period expires) from the date of the decision to request a reconsideration of the matter. The Director's decision becomes final 30 days after being issued, if no request for reconsideration is filed, or on the date of final disposition of a decision on a petition for reconsideration.

Subpart E—Fees

Source: 79 FR 16670, Mar. 26, 2016, unless otherwise noted. Redesignated at 81 FR 34893, June 1, 2016.

§1110.400   Fees.

Fees sufficient to cover (but not to exceed) all costs to NTIS associated with evaluating Certification Forms and auditing, inspecting, and monitoring certified persons under the certification program established under this part, as well as appeals, will be published (as periodically reevaluated and updated by NTIS) and available at https://dmf.ntis.gov. NTIS will not set fees for attestations or audits by an Accredited Conformity Assessment Body.

Subpart F—Accredited Conformity Assessment Bodies

Source: 81 FR 34893, June 1, 2016, unless otherwise noted.

§1110.500   Accredited conformity assessment bodies.

This subpart describes Accredited Conformity Assessment Bodies and their accreditation for third party attestation and auditing of the information safeguarding requirement for certification of Persons under this part. NTIS will accept an attestation or audit of a Person or Certified Person from an Accredited Conformity Assessment Body that is:

(a) Independent of that Person or Certified Person; or

(b) Is firewalled from that Person or Certified Person, and that in either instance is itself accredited by a nationally or internationally recognized accreditation body.

§1110.501   Independent.

(a) An Accredited Conformity Assessment Body that is an independent third party conformity assessment body is one that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body.

(1) A Person or Certified Person is considered to own, manage, or control a third party conformity assessment body if any one of the following characteristics applies:

(i) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in the third party conformity assessment body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;

(ii) The third party conformity assessment body and the Person or Certified Person are owned by a common “parent” entity;

(iii) The Person or Certified Person has the ability to appoint a majority of the third party conformity assessment body's senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party conformity assessment body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party conformity assessment body personnel; or

(iv) The third party conformity assessment body is under a contract to the Person or Certified Person that explicitly limits the services the third party conformity assessment body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party conformity assessment body.

(2) A state or local government office of Inspector General or Auditor General and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under paragraph (a)(1)(ii) of this section.

(b) [Reserved]

§1110.502   Firewalled.

(a) A third party conformity assessment body must apply to NTIS for firewalled status if it is owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, applying the characteristics set forth under §1110.501(a)(1).

(b) The application for firewalled status of a third party conformity assessment body under paragraph (a) of this section will be accepted by NTIS where NTIS finds that:

(1) Acceptance of the third party conformity assessment body for firewalled status would provide equal or greater assurance that the Person or Certified Person has information security systems, facilities, and procedures in place to protect the security of the Limited Access DMF than would the Person's or Certified Person's use of an independent third party third party conformity assessment body; and

(2) The third party conformity assessment body has established procedures to ensure that:

(i) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party;

(ii) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and

(iii) Allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence.

(c) NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant, which may be by electronic mail.

§1110.503   Attestation by accredited conformity assessment body.

(a) In any attestation or audit of a Person or Certified Person that will be submitted to NTIS under this part, an Accredited Conformity Assessment Body must attest that it is independent of that Person or Certified Person. The Accredited Conformity Assessment Body also must attest that it has read, understood, and agrees to the regulations in this part. The Accredited Conformity Assessment Body must also attest that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006-2011 “Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems,” or any other similar nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in this part.

(b) Where a Person seeks certification, or where a Certified Person seeks renewal of certification or is audited under this part, an Accredited Conformity Assessment Body may provide written attestation that such Person or Certified Person has systems, facilities, and procedures in place as required under §1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's or Certified Person's completed certification statement, and, if an audit of a Certified Person by an Accredited Conformity Assessment Body is required by NTIS, no more than three years prior to the date upon which NTIS notifies the Certified Person of NTIS's requirement for audit, but such review or assessment or audit need not have been conducted specifically or solely for the purpose of submission under this part.

(c) Where review or assessment or audit by an Accredited Conformity Assessment Body was not conducted specifically or solely for the purpose of submission under this part, the written attestation or assessment report (if an audit) shall describe the nature of that review or assessment or audit, and the Accredited Conformity Assessment Body shall attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place as required under §1110.102(a)(2).

(d) Notwithstanding paragraphs (a) through (c) of this section, NTIS may, in its sole discretion, require that review or assessment or audit by an Accredited Conformity Assessment Body be conducted specifically or solely for the purpose of submission under this part.

§1110.504   Acceptance of accredited conformity assessment bodies.

(a) NTIS will accept written attestations and assessment reports from an Accredited Conformity Assessment Body that attests, to the satisfaction of NTIS, as provided in §1110.503.

(b) NTIS may decline to accept written attestations or assessment reports from an Accredited Conformity Assessment Body, whether or not it has attested as provided in §1110.503, for any of the following reasons:

(1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;

(2) Submission of false or misleading information concerning a material fact(s) in an Accredited Conformity Assessment Body's attestation under §1110.503;

(3) Knowing submission of false or misleading information concerning a material fact(s) in an attestation or assessment report by an Accredited Conformity Assessment Body of a Person or Certified Person;

(4) Failure of an Accredited Conformity Assessment Body to cooperate in response to a request from NTIS to verify the accuracy, veracity, and/or completeness of information received in connection with an attestation under §1110.503 or an attestation or assessment report by that Body of a Person or Certified Person. An Accredited Conformity Assessment Body “fails to cooperate” when it does not respond to NTIS inquiries or requests, or it responds in a manner that is unresponsive, evasive, deceptive, or substantially incomplete; or

(5) Where NTIS is unable for any reason to verify the accuracy of the Accredited Conformity Assessment Body's attestation.
