IRS Match and Safeguard

0165.000.05 Incident Response for Unauthorized IRS Disclosures

IM-65 December 12, 2024; IM-82 September 27, 2023; IM-109 July 16, 2020

Upon discovering a possible improper inspection or disclosure of Federal Tax Information (FTI), including breaches and security incidents, by a federal employee, a state employee, or any other person, the individual making the observation or receiving the information must notify the Family Support Division Income Maintenance security officer in Central Office at FSD.IMPRIVACY@DSS.MO.GOV.

  1. Within 24 hours of the incident report, the Divisional Security Officer or his/her designee will contact the:
  2. The Security Officer or his/her designee will document the incident by preparing and submitting an incident report. The incident report will include the following information:
      • Name of agency
      • The Security Officer’s name or the name of his/her designee and contact information
      • Date and time of incident
      • Date and time the incident was discovered
      • How the incident was discovered
      • Description of the incident and the data involved, including specific data elements, if known
      • Potential number of FTI records involved, if known, or if unknown, provide a range
      • Where the incident occurred
      • Any information technology involved (e.g., laptop, server, mainframe)

    NOTE:   The incident report will not include any FTI.

  3. The Security Officer will provide a copy of the incident report to the Divisional Privacy Officer. The Divisional Privacy Officer will:
    • Complete an Information Disclosure Incident Report (Ref: )
    • Send the report to the DSS Privacy Officer
    • Promptly notify the affected individual(s) (or their next of kin, if deceased), when they determine a breach has occurred, by first class mail at their last known address, within sixty (60) days of the breach, as outlined in 45 CFR § 164.404; see also Admin. Policy 5-103.
  4. The Divisional Privacy and Security Officer or his/her designee will (in conjunction with the Department Privacy Officer):
    • Track and document all physical and information system security incidents
    • Conduct post-incident reviews to ensure the incident response procedures were followed
    • Recommend additional training or procedural changes as needed

Penalties for Unauthorized Inspection or Disclosure of FTI

Unauthorized inspection of FTI shall be punishable upon conviction by a fine in any amount not exceeding $1,000, or imprisonment of not more than one year or both, together with the costs of prosecution.

  1. The unauthorized disclosure of FTI is a federal felony punishable by a fine of up to $5,000 or up to five years in prison, or both.
  2. Disclosure of FTI will render the disclosing party vulnerable to a civil suit for damages in the U.S. District Court.

NOTE:  The civil and criminal penalties apply even if the unauthorized disclosures were made after the party’s employment with the agency terminated.