Office of Chief Counsel
Internal Revenue Service
Memorandum

Number:
Release Date:
CC PA almielke
GL-149712-10
UILC:
Date:
To: Associate Area Counsel (Indianapolis), Small Business/Self-Employed
From: A. M. Gulas, Senior Counsel, Branch (Procedure & Administration)
Subject: Tracking the Redisclosure of Personal Information Obtained by the Internal Revenue Service from a State Department of Motor Vehicles

Issue

1. Whether the IRS is subject to the redisclosure provisions within the Driver Privacy Protection Act of, as incorporated into the Indiana Code.

Whether paragraph of the Standard Government Account Agreement, regarding state law notification requirements, is necessary in light of the more specific federal authority that governs disclosure and breach notification.

Answer

1. Once an individual's IN BMV record is collected by the IRS for tax administration purposes, it becomes return information under section 6103, subject to very stringent rules protecting the data from unauthorized access or disclosure. Thus, the specific rules regarding access and disclosure set forth within section 6103 preempt the more general rule set forth in the Driver Privacy Protection Act.

The IRS follows federal law and OMB guidance concerning disclosure of breach notifications. As a result, paragraph of the Standard Government Account Agreement is unnecessary, given that the federal authorities governing breach notification supersede the state law breach notification requirements.

Facts

Currently, the IRS is working on a Government Account Agreement (Agreement) with the State of Indiana that will allow IRS personnel computer access to the Bureau of Motor Vehicles (IN BMV) computer database. The State's standard enhanced agreement, which allows access to personal information, includes both recordkeeping requirements regarding the redisclosure of such information and consent to an on-site audit of such records. The IN BMV database contains personally identifiable information (PII). The IN BMV is concerned with maintaining the security and privacy of those individuals who have PII in the IN BMV database.

The IRS obtains motor vehicle registration and lien information from the IN BMV primarily in the course of performing collection investigations. The information is used to determine whether there is sufficient equity in vehicles to warrant seizure and sale to satisfy outstanding tax liabilities.

The Driver Privacy Protection Act of, U.S.C. et seq. (DPPA), provides federally imposed restrictions on state motor vehicle bureaus regarding to whom personal information may be disclosed. The DPPA also imposes restrictions on an authorized recipient's redisclosure of personal information.

In reviewing the draft Agreement, you have inquired whether the IRS should have in place safeguards to comply with the redisclosure provision of the DPPA. In addition, you have asked whether paragraph of the Agreement, regarding Indiana state law notification requirements, is necessary given the more specific federal authority that governs disclosure and breach notification. Because of the concerns raised by these issues, you have requested that we opine on the matter.

Analysis

Section 6103 states that returns and return information are confidential and cannot be disclosed except as authorized by Title 26. Return information is defined in section 6103 as a taxpayer's identity, the nature, source, or amount of his income, and includes any data received by, recorded by, furnished to, or collected by the Secretary with respect to the determination of the existence, or possible existence, of liability (or the amount thereof) of any person under this title for any tax. Section 6103 defines taxpayer identity as the name of a person with respect to whom a return is filed, his mailing address, his taxpayer identification number, or a combination thereof.

IRS employees may access BMV records for a number of tax administration purposes; for example, they may identify or locate assets to seize to satisfy federal tax liens, or identify assets that would suggest a taxpayer is underreporting the amount of his income. Once the BMV record becomes a part of a tax investigation (i.e., is received by the IRS), it is return information subject to very stringent rules protecting the data from unauthorized access or disclosure.

There are exceptions to the general confidentiality rule authorizing the IRS to disclose return information, but Congress included each of these exceptions within the statute after careful consideration as to the need for the disclosure to implement federal programs or further federal interests. For example, section 6103 authorizes the IRS to make disclosures to the Department of Justice for use in tax administration investigations, such as grand jury investigations into tax fraud or other Title 26 offenses. The legislative history of section 6103 evidences congressional intent that the Justice Department is to continue to receive returns and return information with respect to the taxpayer whose civil or criminal tax liability is at issue. General Explanation of the Tax Reform Act of, H.R. 94th Cong., 2d Sess. (JCT Print). Thus, a BMV record collected by an IRS employee, which now has the characterization of return information, might be disclosed to Justice as part of the tax investigation file and be used as evidence to demonstrate unreported income.

Section 6103's confidentiality requirements are buttressed by criminal and civil sanctions. If an IRS employee knowingly makes an unauthorized access of return information (called a UNAX), that employee can be prosecuted under section 7213A and, if convicted, face a prison term of up to one year, a fine, and loss of employment. An IRS employee who knowingly makes an unauthorized disclosure of return information, if convicted of a violation of section 7213, can face imprisonment of up to years, a fine, and loss of employment. In addition, section 7431 creates a cause of action for a taxpayer to sue the United States for damages, including punitive damages, if the taxpayer can prove there was a knowing or negligent unauthorized disclosure of, or access to, his returns or return information.

Section 6103 preempts the DPPA to the extent they conflict

The DPPA provides federally imposed restrictions on state motor vehicle bureaus regarding to whom personal information may be disclosed. The DPPA also imposes restrictions on an authorized recipient's redisclosure of personal information. U.S.C. (b) provides, in relevant part in regard to the Service's activities, that the state may disclose personal information for the following purposes:

For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.

For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.

Both of these paragraphs contemplate that a federal agency will need to use the BMV records for its official duties. Regarding redisclosure of personal information, U.S.C. (c) provides as follows:

Any authorized recipient that resells or rediscloses personal information covered by this chapter must keep for a period of years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request. (Emphasis added.)

In turn, Indiana has implemented these federal requirements at Ind. Code (d), which provides that, except for a recipient under section 10 of this chapter, a recipient who resells or re-discloses personal information is required to maintain and make available for inspection to the bureau, upon request, for at least five years, records concerning each person that receives the information and the permitted use for which the information was obtained.

The DPPA and IN statute provide restrictions on an authorized recipient's redisclosure of PII. As noted above, section 6103 provides the general rule with respect to confidentiality and disclosure issues related to tax returns and tax return information. Once an IN BMV record is collected by an IRS employee, it has the characterization of return information subject to very stringent rules protecting the data from unauthorized access or disclosure, including an accounting for certain redisclosures. See section 6103. Moreover, once the BMV record becomes part of an IRS file, it is subject to the record-keeping procedures for that file. To the extent that the DPPA and IN statute impose conflicting safeguard or record-keeping procedures for the redisclosure of PII, such as access to IRS records by state employees, those provisions are ineffective.

As a general rule, a precisely drawn, detailed statute will preempt more general remedies. 491 U.S. 701 (quoting 425 U.S. 820). For example, in Hobbs v. U.S., the Fifth Circuit Court of Appeals found that section 6103, which permits disclosure of tax return information in a proceeding pertaining to tax administration, is a more detailed statute and should therefore preempt the conflicting provisions of the Privacy Act, because the Privacy Act provisions are more general. 209 F.3d 401 (5th Cir.). Similarly, in Simichi v. U.S., the court noted that if any individual provision of the Privacy Act conflicts with a corresponding provision in section 6103, then the former must yield. WL at. See 162 F.3d 113 (D.C. Cir.); 703 F.2d 271 (7th Cir.).

By analogy, section 6103 contains very strict rules that operate to protect data from unauthorized access or disclosure. In contrast, the DPPA and IN statute provide more generalized protection procedures with respect to redisclosure of PII. As section 6103 is dedicated entirely to confidentiality and disclosure issues related to tax returns and return information, it will preempt the more general protection provisions offered by the DPPA and IN statute, at least when, as here, provisions conflict.

If, however, the IN BMV believes that the IRS is misusing IN BMV records, it can report the matter to the Treasury Inspector General for Tax Administration, the office with the authority to perform audits of IRS programs as well as investigate the activities of individual IRS employees. See generally section 7803 and Conference Report to Accompany H.R., IRS Restructuring and Reform Act of. Taxpayer returns and return information are available for inspection by the Treasury IG for Tax Administration pursuant to section 6103. Id. pincite.

Federal notification requirements

Paragraph of the standard Indiana Government Account Agreement provides that if the subscriber discloses any personal information, the customer shall pay the cost(s) of the notice(s) of any and all disclosure(s) of the system security breach(es), in addition to any other claims and expenses for which it is liable under the law. Ind. Code.

The IRS adheres to federal law, including section 6103 and the Privacy Act, as well as OMB guidelines, to determine when an individual should be notified that his/her information may have been breached. As a federal agency, the IRS is not permitted to enter into state government account agreements which include a breach notification provision requiring the agency to absorb the cost of notification for all data breaches of PII. Rather, OMB guidance advises federal agencies to consider the risks of identity theft and other adverse effects, and to provide notification when an analysis of the factors indicates that notification is appropriate. Office of Mgmt. & Budget, Exec. Office of the President, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, M-07-16.

In response, the IRS has implemented notification procedures that follow and meet the requirements of the OMB guidance. Among those responsibilities is that the agency must, inter alia, only maintain records that are necessary and relevant to accomplish the agency's purpose; inform the individual of the reason it seeks the information and the agency's uses for such information; publish a notice of the systems of records maintained on individuals; maintain records that are timely, accurate, and complete; and establish appropriate technical and physical safeguards to ensure the security or integrity or confidentiality of such records. See generally U.S.C. section 552a(e).

In sum, the IRS has breach notification procedures in place and notifies individuals when there is a risk of identity theft or other adverse effect from data breaches. Moreover, the IRS is required to follow federal authority, such as section 6103 and the Privacy Act, with respect to disclosure and breach notification, rather than follow state law procedures.

Please call if you have any further questions.
