3.2.7 IRS - Unauthorized Disclosure of Information


Chapter: Confidentiality and Safeguarding Information
Federal Authority:
  • 26 U.S.C. § 6103 Confidentiality and disclosure of returns and return information
  • 26 U.S.C. § 7213 Unauthorized disclosure of information
  • 45 CFR 303.21 Safeguarding and disclosure of confidential information
Subject: IRS – Unauthorized Disclosure
State Authority: Wyoming Child Support Enforcement Rules, Chapter 13 Safeguarding and Disclosure of Confidential Information
Policy Number: 3.2.7
Effective Date: July 1, 2014

Overview

The Wyoming CSE Program receives federal tax information (FTI) from the Internal Revenue Service (IRS) to locate alleged fathers and non-custodial parents and establish and enforce child and medical support obligations. Access to the FTI comes with rights and obligations to manage, secure, protect and control the FTI.  Any unauthorized disclosure or improper inspection of FTI will be reported and may invoke federal civil and/or criminal penalties for such disclosures.

Terms and Definitions

Federal Tax Information (FTI): Returns and return information.

“Return” is defined under 26 USC § 6103(b)(1) as any tax or information return, declaration of estimated tax, or claim for refund required by, or provided or permitted under title 26 and filed with the IRS by or on behalf of any person. This includes amendments, schedules, attachments, or lists that are supplemental to or part of the filed return.

“Return Information” is defined under 26 USC § 6103(b)(2) as the taxpayer’s identity, the nature, source or amount of his income, payments, receipts, deductions, exemptions, credits, tax liability, tax withheld, deficiencies, over-assessments, payments, etc., whether the return was, is being, or will be examined, or any other data received by, recorded by, prepared by, furnished to or collected by the IRS with respect to a return. This includes any information regarding the determination of the existence or possible existence of a liability for tax, penalty, interest, fine, forfeiture, other imposition or offense.

For Wyoming Child Support purposes, FTI includes the following information received by the POSSE from the IRS:
  1. The person’s name, mailing address, SSN, and refund amount received from the IRS.
  2. Any report or compilation including the above information is also considered FTI.

Incident: A single or a series of unwanted or unexpected information security events (see definition of "information security event") that result in harm, or pose a significant threat of harm to information assets and require non-routine preventative or corrective action.

Incident Response Plan: Written document that states the approach to addressing and managing incidents.

Incident Response Policy:  A written document that defines organizational structure for incident response, defines roles and responsibilities, and lists the requirements for responding to and reporting incidents.

Incident Response Procedures: Written document(s) of the series of steps taken when responding to incidents.

Incident Response Program: Combination of incident response policy, plan, and procedures.

Information: Any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, including electronic, paper and verbal communication.

Information Security:  Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information Security Event:  An observable, measurable occurrence in respect to an information asset that is a deviation from normal operations.

Need to Know: An underlying concept for disclosure: if you do not have a need to know federal tax information, then you should not have access to it.

Personally Identifiable Information (PII): Any information about an individual maintained by an agency with respect to, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity (e.g., name, Social Security Number, date and place of birth, mother’s maiden name, biometric records) including any other personal information linked or linkable to an individual.

Threat:  A potential cause of an unwanted incident, which may result in harm to a system or the agency.

Unauthorized Access: Generally refers to the viewing or possession of something without legal authority.

Unauthorized Disclosure: Generally refers to the viewing or possession of something without legal authority. For example, in the context of medical records privacy, it means the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use.

Roles and Responsibilities

Agency Director: Responsible for information security in the agency, for reducing risk exposure, and for ensuring the agency’s activities do not introduce undue risk to the enterprise. The director also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations.

IV-D Director: Responsible for information security in the IV-D program, for reducing risk exposure, and for ensuring the agency’s activities do not introduce undue risk to the enterprise. The IV-D Director also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations.

IV-D Program Manager: Responsible for information security in the IV-D program, for reducing risk exposure, and for ensuring the agency’s activities do not introduce undue risk to the enterprise. The IV-D Program Manager also is responsible for ensuring compliance with state enterprise security policies, standards, and security initiatives, and with state and federal regulations.

IRS/FPLS Security Liaison: Responsible for communicating with IV-D Director and Program Manager and coordinating agency actions with the CSE district manager, Clerk of District Court, the SDU manager or ETS Supervisor in response to an information security incident.

Information Owner: Responsible for creating initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification, and ensuring regular reviews for value and updates to manage changes to risk. For Wyoming this is the Wyoming Child Support Enforcement Program – POSSE.

User: Responsible for complying with the provisions of policies, procedures and practices. Users include but are not limited to the following:
  • Wyoming Child Support District Workers
  • Wyoming State Disbursement Workers
  • Wyoming State Child Support Workers
  • Wyoming Enterprise Technology Services Workers with access to the POSSE system and/or information

Policy

Unauthorized Access
Unauthorized access of FTI may occur in a number of different ways. The following is not an all-inclusive list; rather, it demonstrates the most common examples of improper inspection or unauthorized disclosure.
  • Accessing data which the individual has no need to access. 
    • EXAMPLE: Reading the files of friends, neighbors, acquaintances or relatives.
  • Enabling unauthorized individuals to access data. 
    • EXAMPLES: Authorized user allows a non-authorized person to access POSSE; printouts (verification letters, IRS reports, etc.) containing confidential data are left unprotected and unattended in open areas where they could be compromised; or file cabinet containing confidential information is left unlocked after hours, thereby compromising its contents.

Unauthorized Disclosure
Unauthorized disclosure of FTI may occur in a number of different ways. The following is not an all-inclusive list; rather, it demonstrates the most common examples of improper inspection or unauthorized disclosure.
  • Revealing information to a person, business or organization that has no authority to receive the information. 
    • EXAMPLE:  Sally from XYZ law office has a relative who works in a District CSE Office.  She calls that relative at work to ask for information on a client.  The child support case worker gives her the information. 
  • Unauthorized use of information for commercial gain or malicious purposes.  
    • EXAMPLE: Data copied for personal use.
  • Inappropriately modifying or destroying data. 
    • EXAMPLE:  Changing or deleting payment or person information so that it either profits or harms one or both parties on the case. 
  • Loss of documents and case files containing FTI while in transit.
    • EXAMPLE: A case file is sent, via USPS, FedEx, United Parcel Service, or any other means of transport, from one CSE office to another CSE office, in-state or intergovernmental, and the case file does not reach its intended destination.

Unauthorized Access or Disclosure Incident Reporting
While unauthorized access and disclosure incidents will be handled at the local level by the local management team, any unauthorized access or disclosure of FTI, whether committed intentionally or unintentionally, will be reported to the State CSE - IRS/FPLS Security Liaison by the District CSE Office, Clerk of District Court, State Disbursement Unit (SDU) or ETS Supervisor using the Information Security Incident Report (WYCSE-ISR-2014).

The form will be signed by the District CSE Manager, Clerk of District Court, SDU Manager or ETS Supervisor and mailed to the State CSE Office with “Confidential” marked on the envelope.

Upon notification by the State CSE - IRS/FPLS Security Liaison of a possible improper inspection or unauthorized disclosure of FTI, the IV-D Director will contact the appropriate Treasury Inspector General for Tax Administration (TIGTA). The IV-D Director will advise the person reporting the incident that it has been reported to TIGTA.

Unauthorized Access or Disclosure Penalties
In addition to any employment-based disciplinary action, the IRS penalties for unauthorized disclosure of FTI include both civil and criminal penalties. Penalties include but are not limited to the following:

  • Disclosure of Return Information – Felony with a fine not to exceed $5,000 or 5 years in prison or both.
  • Unauthorized Inspection of Return Information – Fine not to exceed $1,000 or 1 year in prison or both.
  • Under certain circumstances, the taxpayer may bring a civil action based upon the disclosure or unauthorized inspection of return information. The civil penalties will be the greater of $1,000 per unauthorized act or the sum of actual damages along with the costs of the action.

For the detailed civil and criminal penalties, please see IRC SEC – Non-Disclosure Oath and Certification of Need to Know.

Cross Reference

Body

Version Number: 3
Last Revised Date: July 1, 2014