1410 Security for IRS, FTI, and BEERS Information | TANF

To ensure that information is secured in accordance with federal laws, three individuals at the State Office are given access to maintain Federal tax information. The following actions are required if FTI is received:

If the third party returns the verification using a document other than the Secured Verification Letter, the other document must be scanned in the case file.

The receipt of Federal Tax Information from IRS/BEERS cannot be documented in Case Notes in the Integrated Eligibility System (IES).

All staff, including Quality Control reviewers and fraud investigators who request verification, are to adhere to the secured verification procedures.

State auditors or other contractors shall not have access to FTI.

The State Office should receive a UNAX (Unauthorized Access) poster to display in employee areas within the building.

The SOG USER Access roles provide access to FTI (IRS/BEERS) to designated State Office personnel. Access should be limited to no more than three TANF staff at the State Office. Only staff that have a need-to-know should have access to these files.

Restricting access to designated personnel minimizes improper disclosure of FTI. No employee should be given greater access than is necessary for the job-related duties.

Picture identification, badges, or credentials must be visible and worn above the waist at all times.

FTI (IRS/BEERS) such as copies of alerts, verification requests and destruction logs must be logged on Form 379, IEVS print log in and stored in a two-barrier security system.

Printing and/or faxing FTI is strictly prohibited. In the event it is printed, FTI (IRS/BEERS) such as copies of alerts, verification requests and destruction logs must be logged on Form 379, IEVS print log in and stored in a two-barrier security system for five (5) years.

FTI (IRS/BEERS) cannot be maintained in a case record. FTI (IRS/BEERS) that is currently maintained in a case file must be purged of printed copies of IRS/BEERS alerts, verification or verification requests resulting from IRS/BEERS system alerts. Information purged from the case file must be documented and placed in secured storage or destroyed.

A two-barrier security system is one in which information is maintained in a locked file cabinet or container located in a locked room. Entrance to the secured room must be limited to specifically authorized personnel. If authorized personnel leave the room for any reason, the room must be locked.

Access to FTI is permitted only to individuals who require the FTI to perform their official duties and as authorized under the Internal Revenue Code (IRC). FTI must never be indiscriminately disseminated, even within the recipient agency, body, or commission. Agencies must evaluate the need for FTI before the data is requested or disseminated. Inadvertent access is access to FTI without authority and is non-willful. Willful access to FTI by a person without authorization or need-to-know may be prosecuted under IRC § 7213A.

No more than three employees should have keys to the room and file. Non-DFCS personnel cannot have access to the locked room. Key access will be addressed at the state level Quality Assurance yearly review. Maintenance of the room is to be performed under the supervision of an agency employee.

FTI is processed during scheduled periods of the tax year. If there is a match with an active TANF case, the individual will display on the Federal Tax Information – TANF Summary screen in IES for a worker with the FTI (IRS/BEERS) security role to review.

BEERS is processed during scheduled periods of the tax year. If there is a match with an active TANF case, a task will be generated and assigned to worker with FTI (IRS/BEERS) security role. The task must be reviewed daily to determine if reported information will impact TANF eligibility.

When FTI (IRS/BEERS) data impacts TANF eligibility, DFCS submits a request for an Intentional Program Violation (IPV) investigation.

Computer-generated letters must not be used to verify FTI/BEERS information. Form 1215, Secured Verification Letter is maintained by the State Office TANF Policy Unit and can be duplicated for future use.

Verification requests related to FTI (IRS/BEERS) must be safeguarded until transported to the mail carrier. The worker assigned to process FTI must transport any mail containing FTI data to the mail carrier or post office to ensure that safeguards are in place.

Using Fax and/or e-mail to request or receive Federal Tax Information is prohibited to transmissions outside of the agency’s internal network. Emails are only sent to authorized recipients and must require adequate labeling and protection. Mail servers, clients, and network infrastructure must meet requirements listed in Publication 1075.

If FTI information is inadvertently faxed or emailed outside of the agency’s requirements, the agency Privacy Officer (privacy@dhs.ga.gov) must be contacted immediately.

The Information and Technology (IT) Section, Office of Quality Management OFI Quality Assurance Section (QA), Federal Regulations and Data Analysis Section and Program and Administration Section assist in the efforts to meet security objectives. The QA review is used to evaluate the State Office TANF Unit security measures.

Computers and electronic media that receive, process, store, access, protect and/or transmit FTI must be in a secure area with restricted access. In situations when requirements of a secure area with restricted access cannot be maintained, such as home work sites, remote terminals or other office work sites, the equipment must receive the highest level of protection practical. All computers and mobile devices that contain FTI and reside at an alternate work site must employ encryption mechanisms to ensure that FTI may not be accessed if the computer is lost or stolen.

All FTI must be locked up when not in use. When removable media contains FTI, it must be labeled as FTI.

All computers, electronic media and removable media containing FTI must be kept in a secured area under the immediate protection and control of an authorized employee or locked up. When not in use, the media must be promptly returned to a proper storage area/container.

“Piggyback” or “tailgate” into restricted locations is prohibited. DFCS must ensure that all individuals entering an area containing FTI do not bypass access controls or allow unauthorized entry of other individuals. Unauthorized access must be challenged by authorized individuals. Security personnel must be notified of piggyback/tailgate attempts.

All employees must keep a clean desk for the protection of FTI. No documents containing FTI information should be left within eyesight of anyone without approved access. This includes paper output and electronic storage to preclude unauthorized disclosures.

If an employee’s access is terminated the User Access Request form must be completed to delete or change the SOG User Role.

If the confidentiality of FTI can be adequately protected, telework sites such as employee’s homes or other non-traditional work sites can be used. FTI remains subject to the same safeguard requirements and the highest level of attainable security.

The agency must retain ownership and control for all hardware, software and end-point equipment connecting to public communication networks, where these are present at alternate work sites. The use of virtual desktop infrastructure with non-agency-owned devices is an acceptable alternative if all requirements of a Virtual Desktop Infrastructure (VDI) are met.

Employees must have a specific room or area in a room that has the appropriate space and facilities for the type of work done. Employees also must have a way to communicate with their managers or other members of the agency if security problems arise.

Printing of FTI at an alternate work site is prohibited. If an exception is required, the agency must ensure employees have access to locking file cabinets or desk drawers so that documents, disks, and tax returns may be properly secured when not in use. If agency furniture is not furnished to the employee, the agency must ensure that an adequate means of storage exists at the alternate work site. The agency must provide “locking hardware” to secure automated data processing equipment to large objects, such as desks or tables. Smaller, agency-owned equipment must be locked in a filing cabinet or desk drawer when not in use.

FTI may be stored on hard disks only if agency-approved security access control devices have been installed, are receiving regularly scheduled maintenance including upgrades and are being used. Access controls must include password security, an audit trail, encryption, virus detection and data overwriting capabilities.

Only agency-approved security access control devices and agency-approved software will be used. Use of illegal and/or non-approved software is prohibited. Electronic media that is to be reused must follow media sanitization requirements.

Do not leave computers unprotected at any time. Ensure the computer is locked during brief absences while employees are away.

All participating employees and managers must complete specialized training in security, disclosure awareness and ethics provided by the agency. This training covers situations that could occur as the result of an interruption of work by family, friends, or other sources.