Disclosure Awareness Training for State Human Services Agencies (Pub. 4713)
Miller: Hello, I'm Janet Miner, Acting Director for the IRS Office of Safeguards.
We are responsible for ensuring the protection of Federal Tax Information, or FTI, as you will hear it referred to, which the IRS provides to local, state, and Federal agencies.
While the IRS has the oversight role in protecting FTI, our partners receiving the data play the most important role.
Each of the more than 300 agencies who receive FTI from the IRS must build effective security controls into their processes, procedures, and systems to ensure that the information is protected appropriately from the time the agencies gain access until the FTI is destroyed or returned to the IRS.
You and I, your agency, and the IRS are all in this together.
We must be successful in our efforts to guard the security of FTI.
Neither of us can afford the fallout that comes from the unauthorized disclosure of Federal Tax Information.
The American public expects two things from both of us -- First, that we work together proactively to be as efficient as possible, and second, that if we're exchanging their financial information, we ensure that their personal data is not inappropriately shared with others.
A good security-awareness program is by far the most effective and least expensive method agencies can use to protect information. Part of the security-awareness program involves protocols like limiting access to the FTI or conducting internal inspections to ensure that the agencies' policies and procedures are being implemented properly.
Another large piece of an effective security-awareness program is employee awareness.
Employees of local, state, or Federal agencies with access to Federal Tax Information must certify that they understand the agency's security policy and procedures for safeguarding the IRS information.
In addition, these employees are required to maintain their authorization to access Federal Tax Information through an annual recertification process.
This video is designed to assist local, state, and Federal agencies with training their employees.
It will cover general disclosure restrictions and the penalties which apply, even after employment with the agency has ended.
In addition, the video will spend a few minutes focusing on unique situations or issues by agency type -- state child-support enforcement, state human services, and state tax administration and Federal agencies.
I hope you find this information helpful.
For many of you, this is simply a refresher on disclosure awareness, while for others, this video may be the first time you've been exposed to these concepts.
Before we move into the substance of our discussion regarding employee disclosure awareness, let me just say thank you for everything you do to protect the confidentiality of Federal Tax Information.
I truly appreciate it.
Webb: Hi, I'm Steve Webb, and I'll be the moderator for this discussion.
I am a Disclosure Enforcement Specialist, which means I conduct on-site safeguard reviews of Federal, state, and local agencies that receive Federal Tax Information to make sure that the agencies are compliant with their data-protection requirements.
Joining me on the panel today are three other Disclosure Enforcement Specialists -- Barbara Graham, John Sims, and Joyce Williams.
Today, we want to talk about several key concepts that are used in protecting the confidentiality of Federal Tax Information.
Okay, let's get started.
John, can you tell us what constitutes Federal Tax Information?
Sims: Sure, Steve. It's actually a great question.
It really involves two separate kinds of information.
It's the tax return, which is generally a tax or information return filed by a taxpayer, any schedules, attachments, or amendments to that.
And then it also involves return information, which is actually a much broader category.
It involves anything that the IRS collects and that the IRS is going to use in order to determine a person's tax liability or potential tax liability.
Webb: Like a 1099?
Sims: That's one of the things.
Some of the other things can have to do with the taxpayer's identity -- For instance, their Social Security number or their Employer Identification Number.
It could also be anything about their account information, including and up to whether or not they filed a return or didn't file a return.
Webb: Barbara, our title says we're just Enforcement Specialists for Disclosure.
What does disclosure mean?
Graham: Steve, disclosure means the making known of Federal tax return or return information to any person.
Webb: There's a publication the IRS puts out -- 1075.
Can you tell us a little bit about that and its importance in the jobs that we do?
Graham: Publication 1075 is one of the greatest assets that an agency can have in their possession.
It outlines all the policies and guidelines for safeguarding Federal Tax Information within that agency.
Webb: John, in order to disclose Federal Tax records, they first have to be accessed.
Under what circumstances may Federal Tax Information be accessed?
Sims: The critical thing to know here is that access has to be on a need-to-know basis.
Sims: So, you have to have reason, agency business, in order to access the Federal Tax Information.
And good safeguarding practices require, more or less, that the access to Federal Tax Information is restricted to one or very few employees.
It's not necessary that those employees are the only ones who see it, but anyone else who's given it as a part of their job-processing duties should not receive any more information than they need in order to do those duties.
Webb: Just what they need to know in order to perform their particular job.
Sims: Yes, that's accurate.
Webb: Okay, great.
Barbara, what can you tell us about secure storage?
Graham: Secure storage is one of the key components to securing Federal Tax Information.
By meeting the minimum protection standards, which means two barriers surrounding all Federal Tax Information within the agency, you're going to ensure that that information is secure as required by publication 1075.
Webb: Okay, so two barriers is the key to secure storage.
Graham: That's correct.
Webb: Hand in hand with secure storage is also standardized record keeping.
Can you elaborate a little bit on that?
Graham: Standardized record keeping is a key component in safeguarding Federal Tax Information.
An agency should always log the Federal Tax Information from the time that it's received until the destruction of that information.
Webb: And everything in between.
Graham: And everything in between.
Webb: Okay. Joyce, I'm finally gonna get to you.
Can you tell us a little bit about internal inspections -- What they are, who should be conducting them, why we need to conduct them?
Williams: Yes, Steve.
Well, internal inspections are inspections that are done by the agency.
They should be done by a function other than the function that is used in the Federal tax return.
It gives the agencies the heads-up of what's going on in their program.
Webb: How often should they be conducted?
Williams: They should be done every three years for local offices and 18 months for a computer facility and the headquarter offices.
Webb: At some point in time, an agency determines they no longer need the information.
They've done whatever they need to do with it.
Now what happens with it?
Williams: Okay, well, an agency should never maintain Federal Tax Information when it's not needed or being used, so one of the most popular methods of destruction of paper is by shredding.
We do recommend that you use a shredder that is 5/16 of an inch or smaller.
And you also -- It's strange sometimes to think about it, but you should shred perpendicular to the cutting line.
Williams: This way, it makes it totally undisclosable and unreadable.
You'd be surprised how many people will not shred that way, and you can actually still read the information on the paper after it has been shredded.
Williams: Another thing is, we have methods that are not acceptable, and that's hand tearing.
People sometimes believe that they can hand tear smaller than the shredder -- that that's acceptable.
No, it's not.
So, no hand tearing is acceptable.
Recycling only can be done after it's shredded, and then you cannot use it or bury it in landfills.
Webb: John, you referenced and talked about what Federal Tax Information is.
If an employee makes an authorized access, doing what they're supposed to do with that information, we talk about need and use.
Can you give us a little more insight into what need and use is, what it's about?
Sims: When agencies ask the IRS for information, they describe what their need is for having the information and how they intend to use it.
And so, when agency employees are making accesses -- authorized accesses, they have a need for the information and they're using it for the authorized or specified purpose by the agency.
If, however, they are making accesses and using it for something other than the need or use specified by the agency, or if that's their intention, then the agency needs to come back to us and give us a new request that describes that need and use.
That's really necessary so that unauthorized accesses and unauthorized need and use of the information don't occur.
Because if that occurs, then the agency could lose access to the information, and there could be civil or criminal penalties associated with unauthorized accesses to that information.
Webb: You just mentioned penalties.
Webb: Can you give me some more insight?
Is this something that I'm gonna get slapped on the wrist, or is it something more serious?
Sims: Actually, it's quite serious.
There are two criminal penalties associated with unauthorized access and/or unauthorized disclosure of Federal Tax Information.
The most severe is the unauthorized disclosure, and that means that you're giving it to someone who's not entitled to have it.
That particular penalty is five years or a $5,000 fine or both, plus the cost of prosecuting the case against you.
The unauthorized access is one year or a $1,000 fine or both, again with the cost of prosecuting you for that offense.
You can actually be guilty of both offenses and prosecuted for both.
In addition to that, there is a civil penalty or civil recourse that the taxpayer who's harmed by the unauthorized access or unauthorized disclosure.
And what that says is that that taxpayer can actually sue, and in the case of a state employee, the employee is personally liable as opposed to the agency.
The minimum that that taxpayer can receive is $1,000 per unauthorized access or unauthorized disclosure.
However, if that taxpayer can show that they had actual damages greater than $1,000, they can receive that as well as punitive damages if the unauthorized access or disclosure was due to gross negligence.
Webb: And that's coming from the agency employee themselves.
Sims: That's correct.
And, in fact, the taxpayer who's suing can also recover their costs to file the suit.
Webb: Could you highlight code sections of those penalties for us real quick?
The unauthorized disclosure is 7213.
The unauthorized access is 7213 capital "A," and then the civil-penalty section is 7431.
So, all these are described in the Internal Revenue Code along with IRC 6103 that sets out the general prohibition on disclosure.
Webb: And it's my understanding all those are also included as exhibits in the publication 1075.
Sims: That's correct.
Webb: Great, great.
And, Joyce, along that same line, some people may be seeing this for the first time, their first encounter with employee awareness dealing with Federal Tax Information.
How often should they be reminded about the consequences of protecting Federal Tax Information?
Williams: Well, there always should be reminders around to remind you of unauthorized disclosures.
You can use bulletin boards.
You can use flyers in the office.
In addition, we do require at least annually that you recertify that you understand the penalties that are associated with the unauthorized disclosure and inspection of Federal tax return.
By reminding you constantly that this is a once-a-year reminder, this will stay with employees longer than just doing it just one time.
Webb: And you as an IRS employee don't have to go through that, though.
Williams: Oh, yes, we do.
Webb: You still deal with it?
Williams: We are not exempt from that, either.
We do sign an annual certification, and we go through trainings just like we expect our customers to do.
So, no one gets away with that -- just doing it one time.
Webb: Barbara, I know from my experience, one of the difficult things I run into is what we refer to as commingling.
Can you give us some insight as to what that is?
Is it okay to do it?
What do you have to do when it happens?
These kind of things of commingling.
Graham: Commingling is an acceptable practice.
Once an agency has blended their information with Federal Tax Information, it now meets the definition and requirements of commingling of Federal Tax Information, and as such, the agency is required to ensure that that information is secure and documented as such by putting on the actual folder that the information is in, by identifying it as Federal Tax Information, along with the actual information itself within that folder.
Webb: Is there a specific language that has to be on this or does it just say, "here's FTI"?
Graham: What we recommend to agencies is that they use the disclosure limitation that's found on our label 129a, which advises anyone who would have access to that file what the penalty provisions are and what the requirements are for safeguarding that Federal Tax Information.
Webb: And that's the penalties that John referenced a moment ago.
Graham: That's correct.
Webb: Okay, very good. Thank you.
Agency employees have an obligation to protect the information.
What are specific things that employees can do to help ensure that they are adequately protecting Federal Tax Information?
Graham: One of the greatest things that employees can do personally is to ensure that they have a clean-desk policy in place, making sure that their desk is locked if there's Federal Tax Information in there, their personal cabinets that may be outside of their work station.
Also, ensuring that even if you're just going to go down the hall for a soft drink that you lock your terminal down so that no one can have access to any Federal Tax Information that may reside on that system.
The agency itself may also wish to ensure that every evening, there's a lock-down policy, that the desks are clean, that all areas that contain sensitive Federal Tax Information are secure.
Webb: Does seem to make sense.
John, in this day and age, electronics, everything is changing.
Most of the Federal Tax Information that the Internal Revenue Service shares with state agencies is done electronically.
What can you tell us about computer security and what agencies should know about that?
Sims: Okay, that's a great question.
Computer security is one of the things that has recently been modified, or the standards for computer security, in the publication 1075, and those are the standards that the agencies are expected to live up to in order to adequately protect the Federal Tax Information.
The changes are based on the National Institute of Standards and Technology's special publication 830 and 853.
And basically what they did was they went through and selected some controls that would ensure the integrity of Federal Tax Information.
The IRS has created some SCSEMs, which are Safeguard Computer Security Evaluation Matrices.
These are available on the irs.gov website, and the keyword to search for those is "safeguards."
If you go there, you'll find one to several of the applicable technologies that agencies may employ to store, transmit, or process Federal Tax Information.
They can use these as tools to check to see whether or not, first of all, they're living up to the standards that we expect.
And this is particularly important if the agency does software upgrades or things of that nature, because ofttimes, that will change settings within their technologies, so you want to make sure that you've gotten them back to where they need to be.
Webb: And again, these NIST references that you made are included in the publication 1075.
Sims: That's correct, yes.
Webb: John, continue on again dealing with technology.
Different agencies use different technologies to communicate, which may include the use of Federal Tax Information.
What should agencies know about these different communication techniques and what they should and shouldn't be doing with Federal Tax Information?
Sims: And that's, again, another great question.
The communication technologies that are employed today, e-mail being a prime example, are not often the most secure methods of communication.
Unless e-mail is encrypted, it's not secure for transmitting Federal Tax Information.
Sims: And when I say that, that means that if you're including Federal Tax Information in the body of an e-mail and the e-mail's not encrypted, it could be read by anyone who intercepts that e-mail or to whom that e-mail is misdirected.
Sims: So, if agencies do decide that they need to employ e-mail to transmit Federal Tax Information, there are a couple of things they need to do.
One, they need to make sure they put the Federal Tax Information in an attachment and encrypt the attachment.
They can then attach that to the e-mail, and if the e-mail happens to end up in the wrong person's hands, they still can't read the Federal Tax Information, nor can anyone, if they were to intercept it, read the Federal Tax Information unless they have the capability of unencrypting the file.
Sims: Certainly, they never should put any Federal Tax Information in the subject line of the e-mail, because even in encrypted e-mails, that is still not encrypted, so that could be read by anyone who can access that e-mail traffic.
Webb: So, you don't want to put a taxpayer or client's name in the subject matter.
Webb: Okay, okay.
Sims: One of the other methods of communicating information these days is by facsimile.
Again, most of the transmission lines for facsimile communications are not encrypted, so if an agency, again, determines that they need to employ facsimile transmissions to transmit Federal Tax Information, there are a couple of things they need to do.
Number one, they need to make sure that the sender and receiver locations have a trusted member at both places so that the tax information doesn't lay around or be picked up by someone who shouldn't receive it.
Number two, the fax machine itself should actually be in a secure location.
And then finally, they should make sure that they employ the use of a cover sheet.
The cover sheet's going to serve two purposes.
First of all, it's going to notify the recipient of the fax that the information is confidential and must be protected.
Number two, it's going to notify the recipient that if they're not the intended recipient, that they need to call the sender immediately, collect, if necessary, to advise that it's been received and to advise that it's been disposed of.
Webb: Barbara, IRS goes to great lengths, as do state agencies, to protect Federal Tax Information.
Our job is to go through there and try to make sure that they're doing it up to the adequate standards.
But if an unauthorized disclosure or unauthorized access does happen, what should, A, the employee do, B, what should the agency do?
Graham: As soon as an agency becomes aware of an unauthorized disclosure or access of Federal Tax Information, they should immediately contact the special agent in charge at TIGTA, the Treasury Inspector General's Office.
Within publication 1075, section 10.0, it lists out each state and a phone number for agencies to contact that special agent in charge.
Webb: Joyce, is there a preferred method to submitting reports that have to come to the Office of Safeguards?
Williams: Well, just like everywhere, the Office of Safeguards has gone electronic, too.
We're no longer accepting paper.
Williams: No, you have to send in your report by an encrypted -- use an approved method by the Internal Revenue Service.
Your Safeguard and Activity Report or Safeguard Procedures Report also must be on a template, on our current template.
This current template can be found on our website at SafeguardReports@irs.gov.
Webb: Can you repeat that for me?
Williams: Again, that's SafeguardReports@irs.gov.
And one of the reports that's required is called a Safeguard Procedures Report, or "SPR" as we call it.
Webb: How often is that to be submitted?
Williams: Safeguard Procedures Report, or SPR, comes into the office every six years.
This is one that the agencies do not have to try to worry about every year submitting just like the SARs.
The Safeguard Procedures Report -- if it's not due in six years and there have been significant changes in your program, in your safeguard program, then you must submit a new Safeguard Procedure Report.
Williams: By significant changes, we mean anything like computer systems, a new facility, or just a different way of handling Federal Tax Information.
Also, for new agencies who are just coming in requesting Federal Tax Information, we do ask that they do submit a Safeguard Procedure Report within 45 days of receiving their Federal Tax Information.
Webb: John, I understand there's been a great deal of work recently on a questionnaire that is going to be used by Disclosure Enforcement Specialists when they're conducting reviews.
Can you give us some insight as to what that's all about and why we're gonna be using them?
Sims: This questionnaire is really a tool to ensure the conformity of the security controls that an agency employs -- the evaluation of those, meaning everyone's asked the same questions about the same controls to make sure that we're covering all of the information with each agency and not leaving some things out for some and holding others to a different standard.
Webb: More consistency.
Sims: That's correct.
And it's really gonna be a tool that agencies themselves can use.
And we ask that they fill it out before we arrive on site for a safeguard review for two reasons.
Number one, it'll preview the agency to the things that we need to see in terms of processes and documentation when we're on site.
It'll give them the opportunity to make the arrangements so that we can see those things or to have that documentation on hand as opposed to try and gather that during the review process.
It's also going to allow the agencies the opportunity to self-identify any potential weaknesses they may have.
They may, in fact, come up with solutions to those proactively that they can discuss with us when we're on site.
So, again, overall, the process is meant to make it a more efficient and effective review for both the agency and for the IRS.
Webb: Okay, great. Thank you.
I'd like to thank the panel for participating today.
Our next segment will focus on agency-specific issues.
There are four types of agencies that receive Federal Tax Information and are thus subject to safeguarding requirements.
These include state child-support enforcement, state human services, state tax, and Federal Agencies.
While generally the provisions of the disclosure statutes in publication 1075 are consistent across all categories of agencies, there are some areas where there are differences.
In this segment, we will highlight key technical components specific to Federal, state, and local human resources or welfare agencies.
So, Barbara, let's start with you.
The use of contractors is becoming more prevalent in government today.
Can you tell us what we need to know about the use of contractors for welfare agencies?
Graham: Federal, state, and local welfare agencies are not permitted to make further redisclosure of Federal Tax Information.
Form 1099 and W-2s are not permitted by statute to be redisclosed to contractors.
Webb: Joyce, we get a lot of questions when we're doing reviews for welfare agencies about eligibility letters.
Can you give us some background information about what we should and shouldn't do with eligibility letters?
Williams: Right, Steve.
Well, the eligibility letters that the welfare sends out is to gather information from a third party -- for example, a bank.
And what they're trying to do is verify some of the information they received from the Federal Tax -- the IRS.
So, what they do is put this information on the verification letter and send it to the third party.
The third party then -- he may fill out this letter and return it back to the welfare agency.
At that point, that information is still Federal Tax Information.
Webb: So, it cannot be disclosed.
Williams: Right, so it cannot be disclosed.
So it still must be safeguarded when it comes back to the agency.
And then if the agency puts the Federal Tax Information on the letter and the third party verifies that letter and adds some information of their own, it's called "commingling."
They are still adding Federal Tax Information to this letter, because the letter contained Federal Tax Information from the beginning.
So, the best way to do it for a welfare agency to send out verification letters is to include a separate document.
And this separate document gives the third party a chance to fill it out separately.
That way, it does not create Federal Tax Information, and this document can stand alone as third-party documentation.
Webb: So, if I'm understanding this correctly, if the third party writes the information on there from their own records, the source now is the third party, not Federal Tax Information, thus it's not subject to safeguarding requirements, is that correct?
Webb: Very good. Okay.
I hope this was helpful for you.
If your agency has technical questions, we encourage you to check our website, which is at irs.gov, for additional guidance.
For topics not covered on the website, you can e-mail your technical questions to the safeguards mailbox at SafeguardReports@irs.gov.
Thank you very much.
Good security protocols are founded on the idea of continued vigilance, such as completing disclosure awareness training, conducting routine reviews of the agency's policies and processes, and reviewing information-technology systems to ensure access and password protocols are up to the appropriate standards.
This concludes the IRS Disclosure Awareness Training video.
I hope that you found the information informative.
If nothing else, perhaps it reminded you of a specific aspect of disclosure awareness.
Your own agency may have other methods for highlighting disclosure awareness, such as discussions at team meetings, security articles in employee newsletters, and warning banners.
I encourage you to avail yourself to the security information within your agency and to learn the security requirements.
Again, thank you for your attention and for your efforts to protect the confidentiality of Federal Tax Information.