5101:12-1-20.2 Safeguarding of information from the internal revenue service and safeguarding visit procedures.

(A) This rule describes the procedures an agency is required to follow in order to safeguard information received from the internal revenue service (IRS). The procedures for safeguarding federal tax information (FTI) are based upon the tax information security guidelines described in IRS publication 1075 (rev. 8/2010). IRS publication 1075 is available at www.irs.gov. The safeguarding requirements of this rule apply to any paper, electronic, or imaged record.

For purposes of this rule, an agency includes a child support enforcement agency (CSEA), or any public or private entity that has access to FTI.

(B) Failure to comply with the safeguarding requirements of this rule shall result in the revocation of access to the support enforcement tracking system (SETS) or any other computer application that contains information from the IRS, Ohio department of taxation (ODT), state parent locator service (SPLS), federal parent locator service (FPLS), or unemployment compensation (UC).

(C) For purposes of this rule, FTI is defined as federal tax return information other than information provided by the taxpayer, including but not limited to:

(1) Address information obtained from the IRS;

(2) Social security numbers obtained from the IRS;

(3) Federal tax filing status; or

(4) Identification of the payment source as an IRS tax refund offset collection.

(D) Each CSEA shall complete and submit to the office of child support (OCS) within ODJFS a JFS 07072, "Safeguarding of Internal Revenue Service, Ohio Department of Taxation, Federal Parent Locator Service, and Unemployment Compensation Information" (rev. 2/2006) no later than the last day of March each year. The JFS 07072 must be signed and dated by the director or administrator of the CSEA.

(E) Each agency that has access to FTI shall:

(1) Submit to OCS a completed and signed JFS 07014, "Tax Information Safeguarding Authorization Agreement" (rev. 4/2008) for each agency employee who has access to FTI upon the employment or re-employment of the employee and on an annual basis no later than the last day of March thereafter.

(2) Establish, maintain, and make available to OCS or the IRS upon request, a permanent FTI tracking system, utilizing one of the following methods:

(a) The FTI tracking database provided by OCS;

(b) The JFS 07019, "Federal Tax Information Item Tracking Log" (4/2008); or

(c) An alternative FTI tracking database, provided that:

(i) The database contains all of the same data elements as the JFS 07019; and

(ii) The CSEA submits the database to OCS for approval and OCS approves the database.

(3) Establish and maintain a permanent system of standardized records with regard to a request made by the agency for FTI from the IRS, including the reason for the request, the date the request is made and the date FTI is received, and the name of the agency employee(s) having access to the information.

(4) Store FTI during non-duty hours in accordance with the secure storage and minimum protection standards described in IRS publication 1075.

(5) Limit access to file keys and safe combinations to the agency employee responsible for safeguarding FTI and a maximum of two alternates who are permitted access to the FTI.

(6) Limit access to FTI to only the agency employees who are authorized to inspect and use the information.

(7) Follow the commingling standards described in IRS publication 1075 by maintaining FTI obtained from the IRS either separately from a file or within a file. When FTI is maintained within a file, the outside jacket of the file shall have a label stating that the file contains FTI.

(8) Ensure that mail received containing FTI, that is properly labeled as described in paragraph (E)(10)(a) of this rule, is not opened before delivery to the agency employee(s) responsible for safeguarding the information.

(9) Ensure that computer stations are safeguarded utilizing appropriate methods, including but not limited to:

(a) Restricting access only to authorized staff;

(b) Password protections;

(c) Screen savers; and

(d) Logging out of the system.

(10) Ensure that correspondence containing FTI is properly transmitted in the following methods:

(a) When sending the correspondence by ordinary mail, the agency shall send the correspondence in a double-sealed envelope with a label on the inner envelope that alerts the recipient that the mail contains FTI;

(b) When sending the correspondence by electronic mail, the agency shall send the correspondence as an attachment to the electronic message that is encrypted and password protected. The text of the electronic message shall alert the recipient that the attachment contains FTI; and

(c) When sending the correspondence by facsimile (i.e., fax), the agency shall:

(i) Include a cover sheet that alerts the fax recipient that the correspondence contains FTI and indicate the name of the intended fax recipient;

(ii) Verify that the intended fax recipient is an authorized person; and

(iii) Verify that the intended fax recipient will be present at the fax machine to receive the correspondence at the time the agency sends it.

(11) Ensure that FTI is destroyed in accordance with the destruction methods described in IRS publication 1075 when FTI is no longer needed by the agency.

(12) In accordance with a schedule that shall be established by OCS, each CSEA with access to FTI shall, at the direction of OCS, either participate in a safeguarding visit or complete a safeguarding self-inspection in accordance with paragraphs (F) and (G) of this rule at least once every three years.

(13) OCS shall complete a visit in accordance with paragraph (F) of this rule at least once every eighteen months for internal headquarters and facilities housing FTI.

(F) FTI safeguarding visit.

In accordance with IRS publication 1075, OCS may conduct an FTI safeguarding visit (hereafter "visit") with each agency that has access to FTI that is related to the child support program. The purpose of the visit is to ensure that adequate FTI safeguards and security measures are maintained by the agency.

(1) OCS notification of the visit.

(a) When the agency is a CSEA, OCS will notify the director or administrator and tax offset coordinator of the date and time of the visit.

(b) When the agency is not a CSEA, OCS will notify the appropriate agency point of contact of the date and time of the visit.

(2) Visit procedures.

(a) Ten business days before the visit, OCS will send a JFS 07013, "Federal Tax Information Safeguarding Questionnaire" (rev. 4/2008).

(b) The agency shall complete and return the JFS 07013 to OCS no later than three business days before the visit.

(c) OCS may perform any or all of the following activities during the visit:

(i) Select a random sample of cases to review.

(ii) Review and discuss the JFS 07013.

(iii) Review and discuss the permanent FTI tracking system the agency has elected to use.

(iv) Complete a physical walk-through of the building.

(3) Visit follow up procedures for an agency.

(a) OCS shall send to the agency an initial report documenting the visit within fifteen business days from the date of the visit. The initial report shall identify any FTI safeguarding vulnerabilities of the agency that are discovered during the visit.

(b) When the agency receives the initial report from OCS and the initial report identifies any FTI safeguarding vulnerabilities, the agency shall send to OCS a written response that describes the actions the agency shall take to remedy the vulnerabilities, including a timeline for completing the actions. The agency may also provide additional information or clarify any identified vulnerabilities contained in the initial report. The agency shall send the written response to OCS no later than thirty days after the receipt of the initial report from OCS.

(c) OCS shall respond to the agency written response described in paragraph (F)(3)(b) of this rule, indicating whether the actions proposed to remedy any vulnerabilities meet the federal or state safeguarding regulations; OCS may also request additional information from the agency. OCS shall send the final report to the agency no later than forty-five days after issuing the initial report.

(G) FTI safeguarding self-inspection.

In accordance with IRS publication 1075, OCS may require that a CSEA complete an FTI self-inspection of each agency location that has access to FTI that is related to the child support program. The purpose of the self-inspection is to ensure that adequate FTI safeguards and security measures are maintained by the agency.

(1) OCS notification for the need to complete the self-inspection.

OCS will notify the CSEA director or administrator and tax offset coordinator as to the month in which the agency is required to complete a self-inspection.

(2) Self-inspection procedures.

(a) OCS will send a self-inspection report questionnaire ten days prior to the beginning of the month in which the self-inspection is scheduled.

(b) The agency shall complete its agency inspection and return the completed self-inspection report questionnaire to OCS by the last day of the self-inspection month.

(3) Self-inspection follow-up procedures.

(a) Within fifteen days of receipt of the completed self-inspection report questionnaire, OCS shall notify the agency as to whether additional information is required. Should additional information be required, the agency shall submit the additional information within fifteen days of the request for information. If no additional information is required, OCS shall notify the agency that the self-inspection report questionnaire has been accepted.

(b) Should the CSEA fail to return the self-inspection report questionnaire or respond to a request for additional information within the required timeframe, OCS reserves the right to conduct an on-site inspection in accordance with rule 5101:12-1-20.2 of the Administrative Code.

(H) Agency reporting requirements for unauthorized access to or inspection of FTI.

An agency shall comply with the following requirements, in accordance with the FTI incident response and incident reporting standards described in IRS publication 1075, including but not limited to:

(1) Training all staff in FTI incident response procedures.

(2) Routinely tracking and documenting FTI security incidents.

(3) Promptly reporting any unauthorized inspection and disclosure or use of FTI to the appropriate authority, as described in section 10 of IRS publication 1075 (revised 8/2010).

Replaces: Part of 5101:12-1-20.2

Effective: 03/01/2012
R.C. 119.032 review dates: 01/01/2017
Promulgated Under: 119.03
Statutory Authority: 3125.08, 3125.25, 3125.51
Rule Amplifies: 3125.03, 3125.08, 3125.43, 3125.50
Prior Effective Dates: 8/1/82, 12/16/89, 10/1/90, 4/1/91, 1/1/92, 2/11/93, 9/1/94, 6/2/01, 7/1/02, 1/1/06, 6/15/06