11/16/18
Action Memo
Summary:
- Information on earnings obtained through data exchanges with the Internal Revenue Service, National Directory of New Hires, or the Social Security Administration is confidential.
- There are penalties for unauthorized disclosure or inspection of confidential earnings information.
Earnings Records Subject to Confidentiality Requirements
Employees with access to confidential earnings records must be advised annually of the penalties for unauthorized disclosure of information provided through federal data exchanges. Notification is provided in this memorandum. In addition, this same information will be provided via e-mail notification to all DHS employees who have computer access. Procedures for protecting confidentiality and penalties for unauthorized disclosure or inspection apply to:
- IRS 1099 Account Data provided through data exchanges with the Internal Revenue Service (IRS); and
- Beneficiary Earnings Exchange Record (BEER) data provided through data exchanges with the Social Security Administration (SSA); and
- National New Hire, Unemployment Benefits, and Quarterly Wage information provided through data exchanges with the National Directory of New Hires (NDNH).
Procedures for Protecting Confidentiality
During non-work hours, the FCRC Administrator or Financial Recovery Coordinator (FRC) shall place confidential earnings information (both unverified and verified) in a locked desk, room, file cabinet, or safe.
Staff must take measures to guard against unauthorized disclosure of confidential earnings information. Unauthorized disclosure is defined as using or allowing anyone to use or see the information for any purpose other than the administration of DHS programs. Staff may share the information (or the source of the information) with the client to determine its accuracy.
It is the policy of the Illinois Department of Human Services and the Internal Revenue Service that no Federal Tax Information (FTI) or National Directory of New Hires (NDNH) Information may ever be sent to anyone by means of e-mail or fax machine.
Procedures for Breach of FTI or NDNH Confidentiality Information
In accordance with IDHS Security Incident Procedures, immediately upon discovery of an unauthorized disclosure, use or access of FTI or NDNH data, the individual reporting the incident, in all cases, must report the incident to:
- Bureau of Performance Management (BPM) at (217) 782-1128; and/or
- IDHS Information Security Office at (217) 524-2405; and/or
- Division Director, and/or his or her designee
In addition, the individual reporting the incident, CPO, CISO or BPM must report the data incident within 24 hours to the following agencies:
- FTI: Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA) in Chicago at (312) 554-8751; and
- NDNH: Administration for Children and Families, Office of Child Support Enforcement, FPLS Information Security Officer by telephone at (202) 401-5410 or email at linda.boyer@acf.hhs.gov.
The IDHS Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO) will direct the incident investigation with assistance from the BPM. The following information must be provided when reporting an FTI or NDNH breach. If notification is through email, the message must be encrypted, with "Incident Response" on the subject line.
- Date & time of incident;
- Date & time discovered;
- How discovered;
- Description of the incident;
- Approximate number of FTI or NDNH records involved;
- Address where occurred; and
- If IT is involved: laptop, server, mainframe
Penalties for Unauthorized Disclosure
The penalties for unauthorized disclosure include the following:
- Unauthorized disclosure of Federal tax return information may be punishable by a $5,000 fine, 5 years imprisonment, or both (Section 7213 of the Internal Revenue Code).
- A taxpayer may bring suit for civil damages for unauthorized disclosure of tax return information (Section 7431 of the Internal Revenue Code).
- In the case of willful disclosure or gross negligence, punitive damages may be allowed as well as the cost of the action.
- These penalties apply even if the unauthorized disclosures are made after employment with the agency has been terminated.
- DHS employees are subject to additional restrictions under the Taxpayer Browsing Protection Act. The Act provides a criminal misdemeanor penalty for the willful unauthorized access or inspection of Federal tax information. Tax information includes all returns and return information maintained in either paper or electronic format.
- The unauthorized disclosure, use of, or access to NDNH data may be punishable by an administrative penalty (up to and including dismissal from employment), and a $1,000 fine (Subsection 453(l)(2) of the Social Security Act).
Penalties for Unauthorized Inspection
- Willful unauthorized inspection of Federal tax return information shall be punishable upon conviction by a fine in an amount not exceeding $1,000, or imprisonment of not more than 1 year, or both, together with the costs of prosecution.
- For each act of unauthorized inspection, upon a finding of liability, a cause of action for civil damages may be established (Section 7431 of the Internal Revenue Code). These damages could amount to $1,000 or actual damages, whichever is greater. In the case of gross negligence or a willfully unauthorized inspection, punitive damages may also be assessed.
- The unauthorized disclosure, use of, or access to NDNH data may be punishable by an administrative penalty (up to and including dismissal from employment), and a $1,000 fine (Subsection 453(l)(2) of the Social Security Act).
[signed copy on file]
James T. Dimas
Secretary, Illinois Department of Human Services