3.2.1 IRS- Safeguarding Requirements

Overview

Information received from the Internal Revenue Service (IRS) is subject to strict safeguards and record keeping. As a recipient of federal tax information (FTI), the Wyoming CSE Program will take specific steps to safeguard and protect FTI. The IRS audits the Wyoming CSE Program triennially for compliance with these safeguarding requirements. For the penalties associated with the unauthorized disclosure or release of FTI, see 3.2.7 IRS – Unauthorized Disclosure of Information and Appendix 3.E – IRC - SEC Non-Disclosure Oath and Certification of Need to Know Form.

Policy

Safeguard Information

The Wyoming CSE Program utilizes IRS information in order to locate non-custodial parents and alleged fathers to establish and enforce support obligations.

FTI is any return or return information received from the IRS or secondary source, such as SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service, as defined by the IRS in IRS Publication 1075 – Tax Information Security Guidelines for Federal, State, and Local Agencies (Appendix 3.A). FTI contained in POSSE includes:

• Social security numbers,

• Addresses, and

• Federal tax intercepts (payments).

FTI may also include Personally Identifiable Information (PII). FTI may include the following PII elements:

• The name of a person with respect to whom a return is filed

• His or her mailing address

• His or her taxpayer identification number

• Email addresses

• Telephone numbers

• Social Security Numbers

• Bank account numbers

• Date and place of birth

• Mother’s maiden name

• Biometric data (e.g., height, weight, eye color, fingerprints)

• Any combination of the preceding

FTI does not include information provided directly by the taxpayer or third parties (third parties do not include the secondary sources identified in Section 1.4.1, Federal Tax Information). If the taxpayer or third party subsequently provides returns, return information, or other PII independently, the information is not FTI as long as the IRS source information is replaced with the newly provided information. Therefore, any FTI or PII provided by the IRS, SSA, Federal Office of Child Support Enforcement or Bureau of Fiscal Service, shall be verified by another source, called “Third Party Verification”, prior to using the information to further the mission of the IV-D child support program.

Safeguard Requirements

The IRS requires the Wyoming CSE Program safeguard FTI information in the following 4 ways:

1. Establish and maintain a standardized, permanent system of records for a disclosure request.

• Wyoming receives all FTI via CyberFusion. All FTI is stored on the Department of Family Services (DFS) servers and is accessible by child support staff via POSSE and Wyoming Enterprise Technology Services staff maintaining the child support system via POSSE, Windows and AIX.

• The State CSE Office, State Disbursement Unit, District CSE Offices, Clerks of District Court and Wyoming Enterprise Technology Services should not print POSSE screens containing FTI. For a more detailed discussion, see IRS – Screen Prints (3.2.3).

2. Establish and maintain a secure area or place to store FTI.

• Restricted areas within the office are for Wyoming CSE Program personnel only.

• Every office shall maintain a visitor log as described in Appendix 3.Q – Visitor Access Log, Appendix 3.Q2 – Agency Employee Authorized Access Log and/or Appendix 3.Q3 – Non-Agency and Contractor Authorized Access Log. Unauthorized individuals may not be in work areas unsupervised.

• During customer interviews, only case record information pertaining to that customer is visible on the desk or surrounding areas.

i. Lock the computer when not in use, and ensure that computer displays only the information relating to the customer during interviews.

ii. Sign off terminals when leaving for the day.

• Place all case records and customer information in locked file cabinets or other secure locations when not directly working on the contents.

• Do not leave case records on chairs, floors, the top of file cabinets, etc., when not specifically processing case information.

• At a minimum, ensure that all case records and customer Personally Identifiable Information (PII) are not accessible before leaving the work area, desk and/or office.

• Before leaving the work area and/or desk for a short time secure all case records, customer Personally Identifiable Information (PII) and log out of the computer application – POSSE.

• When leaving the work area and/or desk at the end of the work day, secure all case records, customer information and log out of the computer application – POSSE and log out of the network.

• Check mail trays for customer information regularly and do not leave this material in the mail trays overnight.

• Place IRS labels on case files and individual documents within the case file that contain IRS information. (Labels may be obtained from the State CSE Office).

• Do not leave printed documents on printer trays.

• The office building will be secured by doors with hinges on the inside or, if the hinges are on the outside, the hinges will have non-removable pins.

3. Restrict access to returns.

• District CSE Offices and Clerks of District Court have access only to needed FTI .

• Ensure after-hours cleaning services sign a General Services Contract approved by the IRS. See Appendix 3.B – Contract for General Services.

4. Provide any other safeguards as necessary.

• The source of any payment identified in POSSEl not be displayed on any reports.

• Implement annual disclosure awareness program (See IRS – Awareness and Training (3.2.2)).

• State CSE Office conducts internal inspections and safeguarding audits as required by IRS Publication 1075.

• Keys to sites that maintain or store IRS data are marked as Do Not Duplicate and monitored utilizing a key control log (Appendix 3.R –Key Control Log).

• Authorized POSSE users serving as a second barrier between FTI and unauthorized individuals shall wear a photo identification badge where it can be readily seen.

Safeguard Reviews

Every three years, the IRS visits Wyoming to audit the Wyoming CSE Program. During this audit, the IRS reviews Wyoming CSE Program policies and procedures and conducts site visits at the State CSE Office along with at least one District CSE Office and Clerk of District Court to ensure FTI is protected as discussed above.

In addition to the IRS audit, the State CSE Office is required to complete a random on-site audit of several locations annually. These locations include the State CSE office, the State Disbursement Unit, the District CSE offices, the Clerks of District Court offices, the State Central Mail office, the Wyoming Department of Enterprise Technology Services IT Operations locations, and the Wyoming Department of Enterprise Technology Services offices of programming staff with access to POSSE data. For more information on the IRS safeguarding visit conducted by the State CSE Office, see 17.4 Audits – IRS Safeguarding Visit.

The IRS Internal Inspection – CSE Office Report (Appendix 3.C) is to be completed annually by every District CSE Office Manager. The IRS Internal Inspection – CDC Office Report (Appendix 3.C2) is to be completed annually by every Clerk of District Court or designee and the State Disbursement Unit (SDU) Manager. . The Internal Inspections – IT Operations Report (Appendix 3.C3) is to be completed annually by the appropriate Wyoming Enterprise Technology Services Managers. The IRS Internal Inspection – Headquarters Office Report (Appendix 3.C4) is to be completed annually by the CSE State Staff. In addition, each User or IT staff member with access to POSSE data will complete the IRS Internal Inspection – User Questionnaire annually. (Appendix 3.C5 ).

Cross-References

Appendix 3.A - IRS Publication 1075 – Tax Information Security Guidelines for Federal, State, and Local Agencies

Appendix 3.B – Contract for General Services

Appendix 3.C – IRS Internal Inspection – CSE Office Report

Appendix 3.C.2 – IRS Internal Inspection – CDC Office Report

Appendix 3.C.3 – IRS Internal Inspection – IT Operations Report

Appendix 3.C.4 – IRS Internal Inspection – Headquarters Office Report

Appendix 3.C.5 – IRS Internal Inspection – User Questionnaire Report

Appendix 3.E – IRC SEC – Non-Disclosure Oath and Certification of Need to Know Form

Appendix 3.Q – Visitor Access Log

Appendix 3.Q2 – Agency Employee Authorized Access Log

Appendix 3.Q3 – Non-Agency and Contractor Authorized Access Log

Appendix 3.R – Key Control Log