SOC 2 Meets Death Master File Certification Requirements

Posted on December 14, 2022March 11, 2024

The System and Organization Controls (SOC) framework may be mapped to achieve requirements of the National Technical Information Service’s (NTIS) Limited Access Death Master File (LADMF) certification. When choosing SOC 2 to achieve your LADMF certification, businesses may also benefit from the marketing value of their SOC 2 attestation, which demonstrates your commitment to access and process client data in a secure manner.

The LADMF certification has many practical uses that span across industries, such as insurance, banking, health care, public sector, and investment management. Access to the data is commonly used by organizations to help prevent fraud and validate certain financial transactions (e.g., to stop payment of annuities or retirement benefits upon death, validate death claims, and research unclaimed property). Given its sensitivity, the requirements of the NTIS are intended to keep safe personally identifiable information of deceased citizens.

Death Master File Attestation

Organizations seeking access to the LADMF are required annually by NTIS to self-certify that they have designed and implemented controls in place for receipt and maintenance of the LADMF. These organizations must undergo an independent assessment by an Accredited Conformity Assessment Body (ACAB) every three years to ensure that the controls are adequate to secure LADMF information. Further, these organizations are subject to scheduled and unscheduled audits from the NTIS with steep penalties levied for violation of the rule.

Get Started with Your SOC Report

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The framework is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

The standards in SOC 2 may be mapped to the assessments required by NTIS, which provides entities with the benefit of being SOC 2 compliant while simultaneously meeting the requirements for access to the LADMF.

Choosing the SOC 2 compliance framework helps organizations meet their Death Master File requirements and adds value when marketing to new customers. Customers often require a SOC 2 from organizations with whom they work, especially for cloud-based services, to ensure their data is protected.

AAFCPAs is an ACAB with extensive experience assisting those seeking certification and access to the LADMF.

If you have questions about your DMF assessment or a SOC 2 attestation, please contact Andrew Mathieson at 774.512.9089, amathieson@nullaafcpa.com; or your AAFCPAs Partner.

About the Author

Andrew Mathieson, CISA, CDPSE, CCSFP, HITRUST, CISRCP, CCSK

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cyber security, …

Related Insights

SOC Report 2022 Revised Points of Focus

In late 2022, the AICPA updated its guidance on performing System and Organization Controls (SOC) attestations with revised points of focus that offer enhanced context for meeting the criteria in your report. Organizations and their auditors should be aware of the updates and go through an exercise to actively incorporate these revised points of focus […]

A Startup’s First Steps to SOC Readiness

Early-stage companies have a lot to contend with, including funding, staffing, infrastructure, product development, and marketing, which can create a chaotic environment. Those that collect personal identifiable information or health information as part of their business model also must add earning their SOC (System and Organization Control) certification to the list. The SOC Report has […]

SOC Report: Why are our Sales & Marketing Teams Insisting we have one?

Prospects may ask for a SOC report as a way to assess the controls and processes in place at an organization before doing business with them. Many organizations, particularly in regulated industries or those that handle sensitive information, are required to demonstrate compliance with relevant regulations and industry standards. A SOC report can be an […]