
COMMONWEALTH OF KENTUCKY
Cabinet for Health and Family Services

Department for Income Support
Child Support Enforcement

CSM No. 149

TO: All IV-D Agents and Staff
Child Support Enforcement Staff

FROM: Steven P. Veno
Deputy Commissioner

DATE: December 3, 2010

SUBJECT: Safeguard Review Report

The Internal Revenue Service (IRS) has issued the final Safeguard Review Report as a result of their review of the Kentucky Child Support Enforcement program conducted in November 2009. As a condition of receiving Federal return information, recipient agencies are required by Federal Safeguards Requirements pursuant to IRC Section 6103(p)(4) to establish and maintain, to the satisfaction of the IRS, safeguards designed to prevent unauthorized access, disclosure, and use of all return information and to maintain the confidentiality of that information. A mutual interest exists in our responsibility to ensure that FTI is disclosed only to authorized persons and used only as authorized by statute or regulation. The following is an outline of the requirements and actions needed to ensure the confidentiality and safeguarding of Federal Tax Information (FTI) by Child Support Enforcement and Contracting Official staff. Child Support Handbook Section 6.130, Federal Tax Information, has also been updated to reflect these changes and is also attached.

A. Limiting Access to Tax Data to Employees of the Agency Who have a Need-to-Know and Who are Authorized to Have Access.

Requirement: Agencies are required by IRC Section 6103(p)(4)(C) to restrict access to FTI only to persons whose duties or responsibilities require access and to whom disclosures may be made under provisions of the law (see Exhibit 2, Sec. 6103(p)(4) Safeguards and Exhibit 6, IRC Sec. 7431 Civil Damages for Unauthorized Disclosure of Returns and Return Information of Publication 1075).

Action pertaining to Training on Confidentiality and Safeguarding of FTI: All CSE staff including contracting officials and their staff, will be provided awareness training and must sign the Employee Confidentiality/Security Agreement/Internet/Intranet, E-Mail and Electronic Policies and Procedures form, CHFS-219, and certify that they receive safeguarding of FTI training annually. CSE will develop a certification and recertification monitoring tool.

Action pertaining to payment types on KASES primary display screens: All payment sources are being changed to PYMT (i.e. HRASEFJC Event History, HRASEPAP Payment History, HRASEFAC Account Statement, and HRASEFAD Participant Statement). Access to the remaining screens that contain FTI will be limited to those staff with a need to know. On KASES screens used for court proceedings that contain FTI, such as ASEFAA, ASEPAY, and ASEC6B, the former FTAX payment code has been changed to view and print as PYMT. Providing FTI to anyone other than the noncustodial parent is an unauthorized disclosure.


Action pertaining to tracking/logging printed material containing FTI: All CSE staff, including contracting officials and their staff, must complete the Tracking Log in SharePoint (Website) for any FTI document, whether it is a report, printed material, or a printed screen, from its creation or receipt through its destruction. Procedural instructions and a PowerPoint presentation for the Tracking Log are attached. Access to the Tracking Log will be pushed to each employee’s desktop soon. SharePoint must retain destruction records for seven years or until the IRS on-site audit has been completed.

Action pertaining to Commingling: Agencies should strive to avoid maintaining FTI as part of their case files. Refrain from screen printing unless it is absolutely necessary. In situations where physical separation is impractical, the case file should be clearly labeled “Federal Tax Information” and contain the Notice 129A label. The case file should be handled in such a way that it does not become misplaced or available to unauthorized personnel. An individual document within a case file must be clearly labeled if it contains FTI and the document must be safeguarded. A container (i.e. desk, cabinet) must be clearly labeled if it contains FTI and the container must be safeguarded. FTI that must be labeled also includes file folders with reports containing FTI. A label is attached. Before releasing any file or document containing FTI to an individual or agency not authorized access to FTI, care must be taken to remove all such FTI. Staff must review existing case files and other documentation to ensure compliance with these requirements.

Action pertaining to Internal Inspections: Internal inspections will ensure adequate safeguarding and/or security measures have been maintained. CSE will review both Contracting Official’s offices and any offsite facility they utilize annually. CSE will review all other facilities housing FTI within an 18-month cycle. Key areas that will be addressed during inspections are: record keeping, secure storage, limited access, disposal, and computer systems security. Corrective actions, if needed, will be planned and implemented.

B. Maintaining a Secure Place for Storage of Tax Returns and Tax Return Information.

Requirement: IRC Section 6103(p)(4)(B) requires that a secure place or area for documents containing FTI be maintained for storage. Refer to Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies Section 4., pages 20 through 28.

Action pertaining to control of physical access to computer monitors: Staff must position the monitor to prevent unauthorized individuals and visitors from viewing the display output. Staff must lock their computer monitor each time they leave their desk to prevent unauthorized individuals and visitors from observing the display output.

Action pertaining to Visitor Access Controls for all Child Support Agencies: All offices, sites or facilities where information systems reside and contain FTI must have a visitor log in place. These log records will be reviewed annually by designated staff. Visitor access logs have been updated to include the requirements outlined in Publication 1075. The attached “Visitor’s Log” was provided to CSE staff on April 21, 2010. All visitors to all CSE offices must sign in, provide all of the information requested and sign out when they leave the location. If a visitor does not have a photo ID, staff must note “no photo ID available” on the log.


Action pertaining to On-Site Storage: According to IRS Publication 1075, Section 4.0, the Minimum Protection Standards (MPS) establish a uniform method of protecting data and items that require safeguarding. Since local factors may require additional security measures, management must analyze their circumstances to determine space, container, and other security needs for their facility. The objective of MPS is to prevent unauthorized access to FTI. MPS requires two barriers to access FTI under normal security: secured perimeter/locked container, locked perimeter/secured interior, or locked perimeter/security container. Locked means an area or container that has a lock for which the keys or combination are controlled. A security container is a lockable metal container that is resistant to forced penetration and has a security lock for which the keys or combinations are controlled. A secured perimeter (area) is an internal area that has been designed to prevent undetected entry by unauthorized persons during duty and non-duty hours. Non-agency personnel may not reside in areas containing FTI unless the person is authorized to access that FTI. Unless secured areas are equipped with operating electronic intrusion detection devices, all doors entering the space must be locked and strict key or combination control should be exercised. All FTI must be stored in a secure area and must be restricted to authorized employees who have an official need-to-know the information to perform their job duties. Case files containing FTI are to be filed in a closed container (locked cabinet, locked desk drawer) within a secured area where visitors, cleaning crews, maintenance crews, the landlord, and other unauthorized individuals will not have access to FTI, preventing any persons in the building after hours from accessing FTI. All offices, sites, or facilities must make changes necessary to comply with the MPS requirements.

Action pertaining to Agency-Owned and Contracted Off-Site Storage Facilities: The Minimum Protection Standards (MPS) described in the paragraph above also apply to FTI data being stored in agency-owned and contracted off-site storage facilities. All contracts between CSE and off-site storage facilities must be specific to the storage of boxes containing FTI and must contain specific language that access to stored boxes is by authorized child support employees only. The boxes containing FTI must be labeled as such. The boxes must be sealed prior to transport and remain sealed while at the off-site facility. Also, the contract should be inclusive of the penalty provisions found under IRC 7213, 7213A, and 7431 (see Exhibit 7, Contract Language for General Services attached).

Action pertaining to Safeguarding Keys and Combinations: Keys should be issued only to individuals having a need to access an area or container that houses FTI. Accountability records should be maintained on keys and should include an inventory of total keys available and issued keys. A periodic reconciliation should be done on all key records. All CSE offices that utilize combination locks must change the combination annually, or more often, when an employee who knows the combination leaves the employment of the agency or changes positions. All keys must be returned to inventory when a person leaves the employment of the agency or changes positions.


Action pertaining to transporting FTI documents: All FTI transported through the mail or courier/messenger service must be double-sealed; that is one envelope within another envelope. The inner envelope should be marked confidential with some indication that only the designated official or delegate is authorized to open it. Using sealed boxes serves the same purpose as double sealing and prevents anyone from viewing the contents thereof. All shipments of FTI (including electronic media and microfilm) whether being mailed, sent via courier/messenger service, or hand carried to another child support office or offsite storage facility must be documented on the form, CS-196 Transmittal for Shipping and Receiving of Case File with Federal Tax Information and monitored to ensure that each shipment is properly and timely received and acknowledged.

Action pertaining to Information Systems security incidents potentially affecting the confidentiality of FTI: CHFS employees, contractors, and all persons providing contractor services who suspect an information security incident must report that incident within one hour of discovery to their supervisor, Deputy Commissioner Steve Veno, and to the OATS Security and Audit Section at [email protected] or CHFS IT Security Team on the Global Address Listing (GAL). An information security incident may be:

- Possible or actual release, altering or loss of or damage to confidential information, such as HIPAA-protected health information and federal tax information.
- Giving or telling another person your password.
- Loss or theft of a laptop or desktop computer or handheld data device.
- Loss or theft of external storage devices, like external hard drives, ZIP and flash drives, CDs and DVDs, used for Cabinet business.
- Unauthorized use of CDs, DVDs, or other removable media to copy confidential information.
- Attempts to obtain HIPAA or confidential information by email or other electronic communication.
- Attempts by unknown sources to persuade users to download infected email or attachments.
- Receipt of unsolicited, unusual or suspicious email or phone calls.
- Unauthorized physical entry into a controlled area that contains confidential or HIPAA-protected information.
- Electronic monitoring of another employee’s workstation.
- Blackberry password disabled.

C. Disposal of Federal Tax and Return Information upon Completion of Use.

Requirement: FTI in paper format must be disposed of in accordance with the requirements of Publication 1075, Section 8.0. FTI furnished to CSE and contracted staff, and any material generated from the furnished FTI, such as computer printouts, notes, work papers, and screen prints, must be destroyed when no longer needed. All CSE staff, including contracting officials and their staff, must log the destruction of any FTI document, whether it is a report, printed material, or a printed screen. Procedural instructions and a PowerPoint presentation for the Tracking Log are attached. FTI must never be disclosed to an agency’s contractors during disposal unless authorized by the IRC.


Action pertaining to Disposing of Federal Tax Information: Destruction must be witnessed by an agency employee, and the material must be shredded to effect 5/16 inch or smaller. This applies to all CSE offices that dispose of FTI.