TN 6 (02-24)

GN 03301.045 Penalties for Violation of the Information Laws


This section summarizes the penalties provided by the laws which govern privacy and disclosure of information. Employees may be subject to criminal prosecution or disciplinary action under more than one law for improper disclosure of personal information.

1. Social Security Act

The Social Security Act states that the following violations are punishable as misdemeanors by a fine of up to $1,000 and/or 1 year imprisonment:

  • Disclosure of tax return information, files, records, reports or other papers or documents by agency employees, except as permitted by regulation or Federal law (1106(a)).


    This applies to any employee of SSA who comes into possession of the specified information.

  • Misrepresentation by an individual who purports to be an employee or agent of the U.S. with the intent to elicit information as to another individual's date of birth, employment, wages or benefits (1107(b)).

2. Freedom of Information Act

The FOIA provides that agency officials found by a Federal court to have arbitrarily and capriciously withheld disclosable records may be subject to disciplinary action recommended by the Special Counsel to the Merit Systems Protection Board.

NOTE: This provision applies to the officer or employee who was primarily responsible for withholding the record.

3. Privacy Act

There are several types of penalties, as well as civil liabilities, which can be imposed for violations of the Privacy Act.

a. Civil Liabilities of the Agency

An individual may bring a civil action against SSA in a U.S. district court whenever SSA:

  • determines not to amend the individual's records as requested (the court may order SSA to amend the record) ;

  • fails to make such a determination in accordance with the PA;

  • refuses to permit the individual (or the individual and another person chosen by the individual) to view the record and obtain a copy of it upon request (the court may order disclosure of the record);

  • fails to acknowledge in writing within 20 working days after receiving the individual's request for amendment of the record;

  • fails to promptly amend such record or fails to promptly inform the individual of the reason for the refusal of the amendment and the procedures for requesting a review of that refusal, including the name and business address of the reviewing official (the court may order amendment of the record);

  • fails to conduct such a review of a refusal to amend within 30 working days after receiving the request (unless the Commissioner extends this period for a good cause) and, if denied upon review, fails to permit an individual to file a statement for the record, setting forth the reasons for disagreement with SSA's refusal to amend the record;

  • does not notify such an individual of the provisions for judicial review;

  • discloses disputed data about which the subject individual has filed a statement of disagreement without telling the recipient about the dispute and providing copies of the individual's statement (SSA may, if it wishes, furnish recipients of the disputed record with a statement setting forth its reasons for not amending the record);

  • fails to maintain an individual's record with such accuracy, relevance, timeliness and completeness as to assure fairness in any determination about entitlement to benefits or other rights that may be made on the basis of such a record, when a determination is consequently made which is adverse to the individual; and

  • fails to comply with any other provisions of the PA or any rule published thereunder, in such a way as to have an adverse effect on the individual.

If the court determines that SSA acted intentionally or willfully, it may assess against the U.S. the attorney fees, other litigation costs and actual damages that are sustained by the individual. The court will award the plaintiff at least $1,000 in damages in such cases.

b. Criminal Penalties

The following activities are punishable as misdemeanors by a fine of up to $5,000:

  • Willful disclosure of agency records by employees in violation of the PA;

  • Willful maintenance of a system of records by agency employees without meeting the notice requirements of the PA; and

  • Willfully and knowingly obtaining another person's record from an agency under false pretenses.

Since the U.S. would be the prosecuting party, SSA cannot pay fines or legal fees and neither OGC nor DOJ can provide legal representation for an employee accused of punishable activities.

For the purpose of this instruction, DDS employees are considered to be agency employees under the PA.


Individuals cannot bring criminal actions against agency employees or agents for alleged violations of the PA. An individual instead must convince the Department of Justice (DOJ) that an employee “willfully and knowingly” disclosed information contrary to the PA. If convinced, the DOJ may prosecute.

c. Disciplinary Action by the Agency

An SSA employee may be subject to disciplinary action for knowing and willful violations of the PA and implementing regulations. Employees can be disciplined for unknowing or unwillful violations if they had notice of the PA and regulations and failed to inform themselves sufficiently or to conduct themselves in accordance with the requirements. (See 20 CFR Part 401.)

4. Internal Revenue Code

  1. a. 

    Section 7213(a) of the Internal Revenue Code makes willful unauthorized disclosure by a Federal employee of information from a Federal tax return a crime punishable by a $5,000 fine, 5 years imprisonment, or both. Any officer or employee convicted of this crime will be dismissed from Federal office or employment.

  2. b. 

    Section 7431:

    • Permits a taxpayer to bring suit for civil damages in a U.S. district court against any person who knowingly or negligently discloses Federal tax returns or return information in violation of 26 U.S.C. 6103. The taxpayer may also file a suit against the United States if the disclosure was made by a Federal employee.

    • Allows punitive damages for willful or grossly negligent disclosure as well as for actual damages.

    • Provides that in no case shall a plaintiff entitled to recovery be awarded less than $1,000 for each instance of unauthorized disclosure, plus the costs of the action.

  3. c. 

    Employees may be subject to disciplinary action and criminal prosecution for knowing and willful violations of the Privacy Act and regulation.

5. Alcohol and Drug Abuse Patient Records

Any person who violates the Drug Abuse and Treatment Act or the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act may be fined as much as $500 for a first offense and as much as $5,000 for each subsequent offense.


When there is a suspected or alleged criminal violation of the PA involving an SSA employee, route a report of the incident to the employee's supervisor.

The supervisor will review the SSA AIMS, GAM Chapter 15, for further instructions on Personally Identifiable Information Loss and Remediation, and consult OGC as needed.

To Link to this section - Use this URL:
GN 03301.045 - Penalties for Violation of the Information Laws - 02/28/2024
Batch run: 02/28/2024