[Federal Register Volume 61, Number 251 (Monday, December 30, 1996)]
[Notices]
[Pages 68808-68810]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-33034]
=======================================================================
-----------------------------------------------------------------------
SOCIAL SECURITY ADMINISTRATION
Social Security Ruling SSR 96-10p
Electronic Service Delivery
AGENCY: Social Security Administration.
ACTION: Notice of Social Security Ruling.
-----------------------------------------------------------------------
SUMMARY: In accordance with 20 CFR 422.406(b)(1), the Commissioner of
Social Security gives notice of Social Security Ruling SSR 96-10p. This
Policy Interpretation Ruling represents the Social Security
Administration's (SSA) policy for allowing our customers to communicate
with us electronically by our acceptance of reports, requests,
applications, and other information through access methods such as the
Internet, video conferencing, and dial-up phone systems. By such
methods, we will be able to accept reports, requests, applications, and
other information. The Ruling also sets out our policy making
electronic and digital signatures the functional equivalent of
traditional handwritten signatures in certain situations which will be
separately specified by SSA. We call these efforts to provide
electronic service options to our customers electronic service delivery
(ESD).
This Ruling facilitates our attempts to better serve our customers
through the use of electronic service delivery technologies. It is not
our intention that customers must conduct business with us
electronically. Rather, we are providing our customers with an optional
way of doing business while ensuring that the information communicated
through ESD methods is as secure and reliable as it is technologically
possible and feasible to make it for SSA's activities.
EFFECTIVE DATE: December 30, 1996.
FOR FURTHER INFORMATION CONTACT: Joanne K. Castello, Division of
Regulations and Rulings, Social Security Administration, 6401 Security
Boulevard, Baltimore, MD 21235, (410) 965-1711.
SUPPLEMENTARY INFORMATION: Although we are not required to do so
pursuant to 5 U.S.C. 552(a)(1) and (a)(2), we are publishing this
Social Security Ruling in accordance with 20 CFR 422.406(b)(1).
Social Security Rulings make available to the public precedential
orders, opinions, and statements of policy and interpretations adopted
by SSA relating to the Federal old-age, survivors, disability,
supplemental security income, and black lung benefits programs. Social
Security Rulings may be based on case decisions made at all
administrative levels of adjudication,
Federal court decisions, Commissioner's decisions, opinions of the
Office of the General Counsel, and other policy interpretations of the
law and regulations.
Although Social Security Rulings do not have the force and effect
of the law or regulations, they are binding on all components of the
Social Security Administration, in accordance with 20 CFR
422.406(b)(1), and are to be relied upon as precedents in adjudicating
cases.
If this Social Security Ruling is later superseded, modified, or
rescinded, we will publish a notice in the Federal Register to that
effect.
(Catalog of Federal Domestic Assistance, Program Nos. 96.001 Social
Security--Disability Insurance; 96.002 Social Security--Retirement
Insurance; 96.003 Social Security--Special Benefits for Persons Aged
72 and Over; 96.004 Social Security--Survivors Insurance; 96.005
Special Benefits for Disabled Coal Miners; 96.006 Supplemental
Security Income)
Dated: December 19, 1996.
Shirley S. Chater,
Commissioner of Social Security.
Policy Interpretation Ruling Electronic Service Delivery
Purpose: This Policy Interpretation Ruling represents the Social
Security Administration's (SSA) policy for allowing our customers to
communicate with us electronically through access methods such as the
Internet, video conferencing, and dial-up phone systems. By such
methods, we will be able to accept reports, requests, applications, and
other information. The Ruling also sets out our policy making
electronic and digital signatures the functional equivalent of
traditional handwritten signatures in certain situations which will be
separately specified by SSA. We call these efforts to provide
electronic service options to our customers electronic service delivery
(ESD).
ESD includes the use of the specific technologies noted above,
other current technologies, and future and as yet unidentified
technologies which allow SSA's customers to transact business with us
via Agency-approved methods. By expanding our service delivery options,
we are continuing our efforts to provide world class service to our
customers.
Information submitted by our customers using ESD technologies which
are consistent with the principles described below and meet:
    * Accepted industry standards; and
    * SSA privacy, security, fraud detection and prevention, and
      authentication standards
will be considered by SSA to be the functional equivalent of
information submitted using traditional paper-based methods.
Determination of the appropriate ESD technologies for a given
service will be based upon our evaluation of the sensitivity of the
information, potential service impacts on our customers, and the risk
factors including fraud detection, prevention, and prosecution, and
cost/benefit considerations.
Authority: This Ruling is published under the authority of the
Commissioner of Social Security in accordance with 20 CFR 422.406.
Part I
Introduction: As noted in the Agency's Strategic Plan \1\ and
described in more detail in our Business Plan,\2\ SSA is expanding
the service options available to our customers in new and innovative
ways as technological advances allow. Agency ESD initiatives, based on
proven secure technology, will provide our customers with access to SSA
to conduct their business in new ways which are convenient for them and
efficient for both them and SSA.
---------------------------------------------------------------------------
\1\ SSA Pub. No. 01-001 (September 1991).
\2\ SSA Pub. No. 01-008 (April 1996).
---------------------------------------------------------------------------
SSA has historically relied upon paper-based systems of information
collection. Technological advances have reached the point where the use
of electronic information collection is efficient, cost-effective, and
frequently our customers' preferred method of doing business.
Paper-based information collection systems are perceived as being
secure largely because they are the only information collection systems
with which most individuals are familiar. The following excerpt from a
law journal article provides a historical perspective of the security
features of paper-based information collection:
    Traditional paper-based communications accompanied by
    handwritten signatures provide three essential security
    characteristics: message integrity, originator authentication, and
    non-repudiation. Depending on the nature of the communication, an
    additional security characteristic, confidentiality, may be desired.
    The efficacy of the various techniques used to ensure the desired
    level of security in turn depends on the adequacy of the
    administrative controls associated with their use.
    * Message integrity is the assurance that the content of
      a communication is complete and has not been changed prior to
      receipt.
    * Originator authentication provides assurance that the
      communication originated from the named source. This is most
      commonly provided by the handwritten signature, or historically, by
      the seal of the author.
    * Non-repudiation is a stronger form of authentication
      which relates to the ability of a disinterested third party to
      reasonably conclude that the identified originator intended to be
      bound by the substance of the communication. This function is most
      commonly performed by the original autograph signature affixed to a
      document having facially adequate message integrity.
    * Confidentiality is the ability to limit access to the
      information contained in a communication. This has generally been
      accomplished with some combination of security markings, envelopes,
      seals, trusted messengers, and by the use of codes and
      ciphers.\3\
---------------------------------------------------------------------------
\3\ Peter N. Weiss, Security Requirements and Evidentiary Issues
in the Interchange of Electronic Documents: Steps Toward Developing
a Security Policy, The John Marshall Journal of Computer &
Information Law, Vol. XII, No. 3, pp. 431-432 (October 1993).
---------------------------------------------------------------------------
The transfer of information in traditional paper-based systems is
known as ``writing.'' ESD technologies allow the transfer of
information by other than traditional paper-based methods. SSA is
adopting a definition of writing which is consistent with modern legal
usage and includes electronic information transfer. For example, the
U.S. Code includes a definition of writing which is consistent with
SSA's purposes:
    ``[W]riting'' includes printing and typewriting and
    reproductions of visual symbols by photographing, multigraphing,
    mimeographing, manifolding, or otherwise.\4\
---------------------------------------------------------------------------
\4\ 1 U.S.C. Sec. 1.
---------------------------------------------------------------------------
The Federal Rules of Evidence, which apply to many of the
proceedings in the Courts of the United States, define writing as
follows:
    ``Writings'' and ``recordings'' consist of letters, words, or
    numbers, or their equivalent, set down by handwriting, typewriting,
    printing, photostating, photographing, magnetic impulse, mechanical
    or electronic recording, or other form of data compilation.\5\
---------------------------------------------------------------------------
\5\ Fed. R. Evid. 1001(1). The Advisory Committee notes to this
rule make it clear that writings can be created by mechanical or
electronic techniques or other forms of information compilation.
---------------------------------------------------------------------------
This SSA policy making electronic information collection and
distribution the functional equivalent of traditional handwritten
information collection and distribution is in accord with U.S. law and
the Federal Rules of Evidence as shown in these definitions.
Accordingly, as SSA approves the use of specific ESD technologies, the
products of those technologies will be considered writings by us.
Policy Interpretation: It is the policy of SSA to treat information
received and distributed via Agency-approved ESD technologies as the
functional equivalent of information received and
distributed using traditional paper-based methods.
SSA's approval of ESD technologies for use by our customers will
mean that the approved technologies provide a sufficient level of
security and reliability that they can be an acceptable substitute for
traditional paper-based information collection systems as described
above, for the purpose of conducting the business of the Agency.
Decisions about which ESD technologies are suitable for use with SSA
will be made with appropriate input from the SSA components involved in
the proposed activity.
Part II
This Policy Interpretation Ruling also addresses the use of
electronic and digital signatures. Electronic and digital signatures
are an integral factor in many ESD initiatives. Just as technology
makes possible the electronic transmission of information for which SSA
requires a signature, other technologies provide the means for a
document to be ``signed'' without a traditional handwritten signature.
SSA requires a handwritten signature in only a limited number of
situations (e.g., applications for benefits). The circumstances where a
signature is required is an issue that is beyond the scope of this
Ruling. We are expanding the meaning of the term ``signature'' to
include electronic and digital methods that serve the purpose of
originator identification, authentication, and non-repudiation to the
extent that is technologically possible and feasible for SSA's
activities.
Policy Interpretation: It is the policy of SSA that information for
which SSA requires a signature may be signed using SSA-approved
signature methods including handwritten, electronic, or digital
methods. Approved signature methods will reasonably ensure, to the
extent technologically possible and feasible for SSA's activities, that
the signer can be identified and that the signer cannot later repudiate
the submission of the information.
Conclusion: The early paragraphs of this Policy Interpretation
Ruling listed the four essential security characteristics of paper-
based information collection. These two policy interpretations were
developed to ensure that the four security characteristics described
earlier are maintained in all ESD technologies approved by SSA.
Originator authentication and non-repudiation are addressed as aspects
of the electronic and digital signature policy. Message integrity and
confidentiality, although not specifically described in the policy
statement endorsing ESD, are implicitly contained in the limitation
statement that all ESD technologies must be approved by SSA.\6\
---------------------------------------------------------------------------
\6\ For a detailed description of the security features of
electronic information transfers in general and digital signatures
in particular see generally, M. Baum, Federal Certification
Authority Liability and Policy (U.S. Dept. of Commerce, NIST-GCR-94-
654 (June 1994)).
---------------------------------------------------------------------------
SSA approval of a particular ESD technology will require assurance
that the technology is consistent with all appropriate laws and
directives. Since the appropriate technology and levels of security
will vary based upon the sensitivity of the business application, SSA's
selection of the appropriate technology or technologies for a given
usage will be based upon consideration of the service impacts on our
customers, a risk analysis including fraud detection, prevention, and
prosecution concerns, and an analysis of the costs and benefits related
to the technology.
In summation, it is SSA policy that all information received and
distributed via Agency-approved ESD technologies is the functional
equivalent of information received and distributed using traditional
paper-based methods. It is also the policy of SSA that information for
which a signature is required, can be signed using electronic or
digital technologies approved by SSA, provided that the electronic or
digital signature reasonably ensures that the signer can be identified
and that the signer cannot later repudiate the submission of the
information.
These two policy interpretations are being issued to facilitate the
Agency's attempts to better serve our customers through the use of ESD
technologies. It is not intended that our customers always must conduct
business with SSA electronically. Rather, we are providing our
customers with an optional way of doing business with us while ensuring
that the information provided to, or distributed by, SSA through
electronic methods is as secure and reliable as it must be for the
purpose for which it is used.
Effective Date: This Policy Interpretation Ruling is effective upon
publication in the Federal Register.
[FR Doc. 96-33034 Filed 12-27-96; 8:45 am]