MR #17.06: New Confidentiality Requirements, Breach of Confidentiality Reporting Procedures and Penalties for Unauthorized Disclosure or Inspection of Confidential Earnings Information

Illinois Department of Human Services

03/10/17

Summary:

  • Information on earnings obtained through data exchanges with the Internal Revenue Service, National Directory of New Hires, or the Social Security Administration is confidential.
  • No Federal Tax Information or National Data New Hire Information may ever be sent to anyone by means of e-mail or fax machine.
  • Any data incident must be reported to the IDHS Chief Privacy Officer (CPO), the IDHS Chief Information Security Officer (CISO), the Bureau of Performance Management (BPM), and the Division Director, or his/her designee, immediately upon discovery.
  • The CPO and CISO will direct the investigation into the data incident. 
  • The CPO, CISO, or BPM must report the data incident to the Treasury Inspector General for Tax Administration and the Administration for Children and Families within 24 hours of discovery.
  • The unauthorized disclosure, use of, or access to NDNH data may be punishable by an administrative penalty (up to and including dismissal from employment), and a $1,000 fine (Subsection 453(l)(2) of the Social Security Act).

Protecting Confidentiality of FTI and NDNH Information

It is the policy of the Illinois Department of Human Services and the Internal Revenue Service that no Federal Tax Information (FTI) or National Data New Hire (NDNH) Information may ever be sent to anyone by means of e-mail or fax machine.

New Procedures for Reporting a Breach of FTI and NDNH Confidentiality

In accordance with IDHS Security Incident Procedures, in all cases, the person who discovers an unauthorized disclosure, use of, or access to FTI or NDNH data, or that person's supervisor, must contact the IDHS Chief Privacy Officer (CPO), the IDHS Chief Information Security Officer (CISO), the Bureau of Performance Management (BPM), and the Division Director, and/or his or her designee, immediately upon discovery. The CPO and CISO will direct the investigation into the data incident.

The CPO, the CISO or the BPM must report the data incident within 24 hours to the following agencies:

  • FTI: Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA) in Chicago at (312) 554-8751; and
  • NDNH: Administration for Children and Families, Office of Child Support Enforcement, FPLS Information Security Officer by telephone at (202) 401-5410 or email at linda.boyer@acf.hhs.gov.

These agencies will be notified with the information listed below, by an encrypted electronic message with "Incident Response" on the subject line.

The following information must be provided when reporting an FTI or NDNH breach:

  • Date & time of incident;
  • Date & time discovered;
  • How discovered;
  • Description of the incident;
  • Approximate number of FTI or NDNH records involved;
  • Address where occurred; and
  • If IT involved - laptop, server, mainframe.

Additional Penalties for Unauthorized Disclosure and Unauthorized Inspection of NDNH Data

  • The unauthorized disclosure, use of, or access to NDNH data may be punishable by an administrative penalty (up to and including dismissal from employment), and a $1,000 fine (Subsection 453(l)(2) of the Social Security Act).

Manual Revisions

[signed copy on file]

James T. Dimas

Secretary, Illinois Department of Human Services