[Federal Register Volume 61, Number 251 (Monday, December 30, 1996)]
[Notices]
[Pages 68808-68810]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-33034]


=======================================================================
-----------------------------------------------------------------------

SOCIAL SECURITY ADMINISTRATION

Social Security Ruling SSR 96-10p


Electronic Service Delivery

AGENCY: Social Security Administration.

ACTION: Notice of Social Security Ruling.

-----------------------------------------------------------------------

SUMMARY: In accordance with 20 CFR 422.406(b)(1), the Commissioner of 
Social Security gives notice of Social Security Ruling SSR 96-10p. This 
Policy Interpretation Ruling represents the Social Security 
Administration's (SSA) policy for allowing our customers to communicate 
with us electronically by our acceptance of reports, requests, 
applications, and other information through access methods such as the 
Internet, video conferencing, and dial-up phone systems. By such 
methods, we will be able to accept reports, requests, applications, and 
other information. The Ruling also sets out our policy making 
electronic and digital signatures the functional equivalent of 
traditional handwritten signatures in certain situations which will be 
separately specified by SSA. We call these efforts to provide 
electronic service options to our customers electronic service delivery 
(ESD).
    This Ruling facilitates our attempts to better serve our customers 
through the use of electronic service delivery technologies. It is not 
our intention that customers must conduct business with us 
electronically. Rather, we are providing our customers with an optional 
way of doing business while ensuring that the information communicated 
through ESD methods is as secure and reliable as it is technologically 
possible and feasible to make it for SSA's activities.

EFFECTIVE DATE: December 30, 1996.

FOR FURTHER INFORMATION CONTACT: Joanne K. Castello, Division of 
Regulations and Rulings, Social Security Administration, 6401 Security 
Boulevard, Baltimore, MD 21235, (410) 965-1711.

SUPPLEMENTARY INFORMATION: Although we are not required to do so 
pursuant to 5 U.S.C. 552(a)(1) and (a)(2), we are publishing this 
Social Security Ruling in accordance with 20 CFR 422.406(b)(1).
    Social Security Rulings make available to the public precedential 
orders, opinions, and statements of policy and interpretations adopted 
by SSA relating to the Federal old-age, survivors, disability, 
supplemental security income, and black lung benefits programs. Social 
Security Rulings may be based on case decisions made at all 
administrative levels of adjudication,

[[Page 68809]]

Federal court decisions, Commissioner's decisions, opinions of the 
Office of the General Counsel, and other policy interpretations of the 
law and regulations.
    Although Social Security Rulings do not have the force and effect 
of the law or regulations, they are binding on all components of the 
Social Security Administration, in accordance with 20 CFR 
422.406(b)(1), and are to be relied upon as precedents in adjudicating 
cases.
    If this Social Security Ruling is later superseded, modified, or 
rescinded, we will publish a notice in the Federal Register to that 
effect.

(Catalog of Federal Domestic Assistance, Program Nos. 96.001 Social 
Security--Disability Insurance; 96.002 Social Security--Retirement 
Insurance; 96.003 Social Security--Special Benefits for Persons Aged 
72 and Over; 96.004 Social Security--Survivors Insurance; 96.005 
Special Benefits for Disabled Coal Miners; 96.006 Supplemental 
Security Income)

    Dated: December 19, 1996.
Shirley S. Chater,
Commissioner of Social Security.

Policy Interpretation Ruling Electronic Service Delivery

    Purpose: This Policy Interpretation Ruling represents the Social 
Security Administration's (SSA) policy for allowing our customers to 
communicate with us electronically through access methods such as the 
Internet, video conferencing, and dial-up phone systems. By such 
methods, we will be able to accept reports, requests, applications, and 
other information. The Ruling also sets out our policy making 
electronic and digital signatures the functional equivalent of 
traditional handwritten signatures in certain situations which will be 
separately specified by SSA. We call these efforts to provide 
electronic service options to our customers electronic service delivery 
(ESD).
    ESD includes the use of the specific technologies noted above, 
other current technologies, and future and as yet unidentified 
technologies which allow SSA's customers to transact business with us 
via Agency-approved methods. By expanding our service delivery options, 
we are continuing our efforts to provide world class service to our 
customers.
    Information submitted by our customers using ESD technologies which 
are consistent with the principles described below and meet:
     Accepted industry standards; and
     SSA privacy, security, fraud detection and prevention, and 
authentication standards will be considered by SSA to be the functional 
equivalent of information submitted using traditional paper-based 
methods.
    Determination of the appropriate ESD technologies for a given 
service will be based upon our evaluation of the sensitivity of the 
information, potential service impacts on our customers, and the risk 
factors including fraud detection, prevention, and prosecution, and 
cost/benefit considerations.

    Authority: This Ruling is published under the authority of the 
Commissioner of Social Security in accordance with 20 CFR 422.406.

Part I

    Introduction: As noted in the Agency's Strategic Plan 1 and 
described in more detail in our Business Plan,2, SSA is expanding 
the service options available to our customers in new and innovative 
ways as technological advances allow. Agency ESD initiatives, based on 
proven secure technology, will provide our customers with access to SSA 
to conduct their business in new ways which are convenient for them and 
efficient for both them and SSA.
---------------------------------------------------------------------------

    \1\ SSA Pub. No. 01-001 (September 1991).
    \2\ SSA Pub. No. 01-008 (April 1996).
---------------------------------------------------------------------------

    SSA has historically relied upon paper-based systems of information 
collection. Technological advances have reached the point where the use 
of electronic information collection is efficient, cost-effective, and 
frequently our customers' preferred method of doing business.
    Paper-based information collection systems are perceived as being 
secure largely because they are the only information collection systems 
with which most individuals are familiar. The following excerpt from a 
law journal article provides a historical perspective of the security 
features of paper-based information collection:

    Traditional paper-based communications accompanied by 
handwritten signatures provide three essential security 
characteristics: message integrity, originator authentication, and 
non-repudiation. Depending on the nature of the communication, an 
additional security characteristic, confidentiality, may be desired. 
The efficacy of the various techniques used to ensure the desired 
level of security in turn depends on the adequacy of the 
administrative controls associated with their use.
     Message integrity is the assurance that the content of 
a communication is complete and has not been changed prior to 
receipt.
     Originator authentication provides assurance that the 
communication originated from the named source. This is most 
commonly provided by the handwritten signature, or historically, by 
the seal of the author.
     Non-repudiation is a stronger form of authentication 
which relates to the ability of a disinterested third party to 
reasonably conclude that the identified originator intended to be 
bound by the substance of the communication. This function is most 
commonly performed by the original autograph signature affixed to a 
document having facially adequate message integrity.
     Confidentiality is the ability to limit access to the 
information contained in a communication. This has generally been 
accomplished with some combination of security markings, envelopes, 
seals, trusted messengers, and by the use of codes and 
ciphers.3

    \3\ Peter N. Weiss, Security Requirements and Evidentiary Issues 
in the Interchange of Electronic Documents: Steps Toward Developing 
a Security Policy, The John Marshall Journal of Computer & 
Information Law, Vol. XII, No. 3, pp. 431-432 (October 1993).
---------------------------------------------------------------------------

    The transfer of information in traditional paper-based systems is 
known as ``writing.'' ESD technologies allow the transfer of 
information by other than traditional paper-based methods. SSA is 
adopting a definition of writing which is consistent with modern legal 
usage and includes electronic information transfer. For example, the 
U.S. Code includes a definition of writing which is consistent with 
SSA's purposes:

    ``[W]riting'' includes printing and typewriting and 
reproductions of visual symbols by photographing, multigraphing, 
mimeographing, manifolding, or otherwise.4

    \4\ 1 U.S.C. Sec. 1.
---------------------------------------------------------------------------

    The Federal Rules of Evidence, which apply to many of the 
proceedings in the Courts of the United States, define writing as 
follows:

    ``Writings'' and ``recordings'' consist of letters, words, or 
numbers, or their equivalent, set down by handwriting, typewriting, 
printing, photostating, photographing, magnetic impulse, mechanical 
or electronic recording, or other form of data compilation.5

    \5\ Fed. R. Evid. 1001(1). The Advisory Committee notes to this 
rule make it clear that writings can be created by mechanical or 
electronic techniques or other forms of information compilation.
---------------------------------------------------------------------------

    This SSA policy making electronic information collection and 
distribution the functional equivalent of traditional handwritten 
information collection and distribution is in accord with U.S. law and 
the Federal Rules of Evidence as shown in these definitions. 
Accordingly, as SSA approves the use of specific ESD technologies, the 
products of those technologies will be considered writings by us.
    Policy Interpretation: It is the policy of SSA to treat information 
received and distributed via Agency-approved ESD technologies as the 
functional equivalent of information received and

[[Page 68810]]

distributed using traditional paper-based methods.
    SSA's approval of ESD technologies for use by our customers will 
mean that the approved technologies provide a sufficient level of 
security and reliability that they can be an acceptable substitute for 
traditional paper-based information collection systems as described 
above, for the purpose of conducting the business of the Agency. 
Decisions about which ESD technologies are suitable for use with SSA 
will be made with appropriate input from the SSA components involved in 
the proposed activity.

Part II

    This Policy Interpretation Ruling also addresses the use of 
electronic and digital signatures. Electronic and digital signatures 
are an integral factor in many ESD initiatives. Just as technology 
makes possible the electronic transmission of information for which SSA 
requires a signature, other technologies provide the means for a 
document to be ``signed'' without a traditional handwritten signature.
    SSA requires a handwritten signature in only a limited number of 
situations (e.g., applications for benefits). The circumstances where a 
signature is required is an issue that is beyond the scope of this 
Ruling. We are expanding the meaning of the term ``signature'' to 
include electronic and digital methods that serve the purpose of 
originator identification, authentication, and non-repudiation to the 
extent that is technologically possible and feasible for SSA's 
activities.
    Policy Interpretation: It is the policy of SSA that information for 
which SSA requires a signature may be signed using SSA-approved 
signature methods including handwritten, electronic, or digital 
methods. Approved signature methods will reasonably ensure, to the 
extent technologically possible and feasible for SSA's activities, that 
the signer can be identified and that the signer cannot later repudiate 
the submission of the information.
    Conclusion: The early paragraphs of this Policy Interpretation 
Ruling listed the four essential security characteristics of paper-
based information collection. These two policy interpretations were 
developed to ensure that the four security characteristics described 
earlier are maintained in all ESD technologies approved by SSA. 
Originator authentication and non-repudiation are addressed as aspects 
of the electronic and digital signature policy. Message integrity and 
confidentiality, although not specifically described in the policy 
statement endorsing ESD, are implicitly contained in the limitation 
statement that all ESD technologies must be approved by SSA.6
---------------------------------------------------------------------------

    \6\ For a detailed description of the security features of 
electronic information transfers in general and digital signatures 
in particular see generally, M. Baum, Federal Certification 
Authority Liability and Policy (U.S. Dept. of Commerce, NIST-GCR-94-
654 (June 1994)).
---------------------------------------------------------------------------

    SSA approval of a particular ESD technology will require assurance 
that the technology is consistent with all appropriate laws and 
directives. Since the appropriate technology and levels of security 
will vary based upon the sensitivity of the business application, SSA's 
selection of the appropriate technology or technologies for a given 
usage will be based upon consideration of the service impacts on our 
customers, a risk analysis including fraud detection, prevention, and 
prosecution concerns, and an analysis of the costs and benefits related 
to the technology.
    In summation, it is SSA policy that all information received and 
distributed via Agency-approved ESD technologies is the functional 
equivalent of information received and distributed using traditional 
paper-based methods. It is also the policy of SSA that information for 
which a signature is required, can be signed using electronic or 
digital technologies approved by SSA, provided that the electronic or 
digital signature reasonably ensures that the signer can be identified 
and that the signer cannot later repudiate the submission of the 
information.
    These two policy interpretations are being issued to facilitate the 
Agency's attempts to better serve our customers through the use of ESD 
technologies. It is not intended that our customers always must conduct 
business with SSA electronically. Rather, we are providing our 
customers with an optional way of doing business with us while ensuring 
that the information provided to, or distributed by, SSA through 
electronic methods is as secure and reliable as it must be for the 
purpose for which it is used.
    Effective Date: This Policy Interpretation Ruling is effective upon 
publication in the Federal Register.

[FR Doc. 96-33034 Filed 12-27-96; 8:45 am]
BILLING CODE 4190-29-P