CBSV Explanation of Non-Substantive Changes (0960-0760)

OMB No. 0960-0760

Consent-Based Social Security Number Verification

Explanation/Justification of Proposed Non-Substantive Changes

Proposed Change 1: We are removing the requirement for CBSV user companies to provide the Social Security Numbers (SSNs) of their employees who access CBSV. Specifically, we are removing the following question from Form SSA-88, the CBSV User Pre-Approval Registration form: “Question #5. SSN of Employee(s) Authorized to Use CBSV.” We will re-number the original remaining questions #6, 7, 8 to #5, 6, and 7.

Justification for Change 1: Several user companies told us they believed there could be privacy/security concerns if they submitted employee SSNs. After considering this feedback, SSA determined that it was possible and more prudent to issue User IDs to the user companies by using their Employer Identification Numbers (EINs) instead. Additionally, collecting SSNs would be redundant, because each user company must keep its own audit trail of its employees’ CBSV use.

Proposed Change 2: SSA will no longer ask CBSV user companies who have their own web service platform for access to CBSV to provide the names, phone numbers, and addresses of the individual employees who are authorized to access CBSV. Users will provide corresponding information only for the Responsible Company Official (also called the “Requesting Party”) representing the user company (paragraph 2 of the revised language below).

a) This change is reflected in the attached Amendment to the User Agreement. Specifically, we are removing the current second paragraph of Section VII, “Responsibilities,” in its entirety and replacing it with the following language:

“The Requesting Party agrees to complete Form SSA-88 (Pre-Approval Form for CBSV – Attachment C).

“If the Requesting Party elects to have its employees to access CBSV by using either (1) SSA Business Services Online (BSO) in batch mode format, or (2) SSA BSO single request for real-time response option, the Requesting Party’s Responsible Company Official shall provide on Form SSA-88 the name, phone number, and email address of each employee authorized to use CBSV (Authorized User). The Requesting Party agrees to notify SSA if there is any change to employment status (including, but not limited to, long-term absence, termination of employment, or change of duties related to CBSV) for any Authorized User. The Requesting Party’s Responsible Company Official will also notify SSA if they wish to revoke any employee’s authorization to use CBSV. The registration process will be completed by issuance of a unique access code by SSA to the Responsible Company Official. The Responsible Company Official is required to provide this code to each Authorized User as authentication of that Authorized User’s relationship to the Requesting Party and authorization to submit such requests to CBSV.

“If the Requesting Party elects to use the Requesting Party’s web service platform client application to access CBSV, the Requesting Party’s Responsible Company Official shall provide his or her name, phone number and email address on Form SSA-88. With this option, the Responsible Company Official will be the representative Authorized User for the Requesting Party, will be responsible for all access requests made through the Requesting Party’s web service platform client application, and will be responsible for complying with the requirement under this User Agreement to maintain an audit trail to track all CBSV activities of each company employee.”

b) This will also cause a change to Form SSA-88. Specifically, we will add the following language to the section heading “EMPLOYEE(S) AUTHORIZED TO USE CBSV”:

“*If your company will access CBSV solely through a web service platform, please provide corresponding information of the Responsible Company Official as the employee authorized to use CBSV.”

Justification for Change 2: Companies who use only the web service platform option to access CBSV will not be required to register each individual authorized employee with SSA; instead, SSA will issue a single access ID to the Responsible Company Official, and each employee within that company can use this ID. Employees of companies who use only the CBSV web service will access CBSV through the single access ID. This is another reason why we determined collecting the SSN was unnecessary. Employees of companies who access CBSV through the batch process and/or online will continue to register for access to CBSV. There will be a person who keys in the PIN of the company (however, the responsibility for maintaining an audit trail lies with the company; see further on in this document).

Proposed Change 3: SSA is expanding its guidance on the audit trail we require participating companies to keep of their employees’ access to CBSV. To ensure that companies are fully aware of our expectations, we are now being very specific about the need for companies to have a system in place that tracks and documents all of their CBSV transactions with us. We will add the following language to the Amendment to the CBSV User Agreement:

Section VIII, “Technical Specifications and Systems Security & Related Business Process Requirements:”

“If the Requesting Party accesses CBSV through the web service platform client application, the Requesting Party must maintain an automated audit trail record identifying either the individual user, or the system process, that initiated a request for information from SSA. Every request for information from SSA must be traceable to the individual or system process that initiated the transaction. At a minimum, individual audit trail records must contain the data needed to associate each query transaction to its initiator and relevant business purpose (i.e. the outside entity’s client record for which SSA data was requested), and each transaction must be time and date stamped. Each query transaction must be stored in the audit file as a separate record, not overlaid by subsequent query transactions.

“In all instances of access to CBSV, if SSA-supplied information is retained in the Requesting Party's system, or if certain data elements within the Requesting Party's system will indicate to users that the information has been verified by SSA, the Requesting Party's system also must capture an audit trail record of any user who views SSA information stored within the Requesting Party's system. The audit trail requirements for these inquiry transactions are the same as those outlined above for the Requesting Party’s access to CBSV through the web service platform client application.”

Attachment E – CBSV Compliance Review (Audit) – Criteria, after item number 16 under “Compliance Review Criteria,” the following language:

“17. Verify that the Requesting Party’s audit trail and retrieval capabilities by requesting a demonstration of the system’s tracking of the activity of Authorized Users who request information or view SSA-supplied information within Requesting Party’s system.”

Justification for Change 3: The current User Agreement does mention audit requirements for Requesting Parties. However, this language is more general and assumes that the user companies will know to track all individual cases of their employees accessing CBSV. After discussion with companies, we realize this may not be the case. Because of this feedback, and in light of our Proposed Changes 1 & 2, we believe it is important to provide more detailed guidance about the need for companies to track and document each employee’s use of CBSV.

Proposed Change 4: Clarify the language in Section XIII, Indemnification, of the User Agreement as follows:

“XIII. Indemnification

Notwithstanding any other provision of this User Agreement, the Requesting Party agrees to indemnify and hold SSA harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from, any acts or omissions of the Requesting Party, including but not limited to the disclosure or use of such information by the Requesting Party or its Principal, or any errors in information provided to the Requesting Party under this User Agreement. SSA shall not be responsible for any financial loss or other loss incurred by the Requesting Party, whether directly or indirectly, through the use of any data furnished pursuant to this User Agreement. SSA shall not be responsible for reimbursing the Requesting Party any costs incurred by the Requesting Party pursuant to this User Agreement.

Justification for Change 4: The indemnification language in the current User Agreement is ambiguous and unclear (i.e., it does not identify whose actions give rise to indemnification). After closer examination of the language, SSA determined that a revised clarifying language is warranted.

Proposed Change 5: We are changing the URL provided in form SSA-89 (Authorization for the Social Security Administration (SSA) To Release Social Security Number (SSN) Verification), attached, from www.ssa.gov/bso/cbsvInstructions.html to http://www.ssa.gov/cbsvPDF/agreement.pdf.

Justification for Change 5: The previous URL did not work, so we changed it.

Proposed Change/Clarification 6: Because of our strict pre-planned timelines, we must start mailing out CBSV materials to enrolling companies now. For this reason, we are sending them the currently approved materials. However, we want them to be aware that we listened to their concerns about providing SSNs, so we are sending an email letting them know we will send an amended Form SSA-88 and User Agreement once OMB approves these documents. Attached to this ICR submission is a copy of the proposed email.