- 10.5.4.1 Background of the Incident Management Program
- 10.5.4.2 Overview of the Incident Management Program
- 10.5.4.3 Reporting Losses, Thefts and Disclosures of Sensitive Information
- 10.5.4.4 Responding: The Incident Management Breach Process
- 10.5.4.5 Tracking: IRS Data Loss and Identity Theft Tracking Indicators
- 10.5.4.6 Awareness Training and Education
- 10.5.4.7 Identity Theft Frequently Asked Questions
- 10.5.4.8 Identity Theft Information Links
- Exhibit 10.5.4-1 Flow Chart: Incident Management Breach Process
- Exhibit 10.5.4-2 Glossary of Incident Management Terms and Definitions
- Exhibit 10.5.4-3 References
- Exhibit 10.5.4-4 TC 971 AC 505 — IRS Data Loss Indicator
- Exhibit 10.5.4-5 TC 972 AC 505 — Reversal of TC 971 AC 505
-
Purpose. This manual defines the mission, objectives, and governance structure of the Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, breaches and disclosures. The Incident Management Breach Process is most easily understood by reviewing the Incident Management Breach Process flow chart, also available in Exhibit 10.5.4-1.
-
Scope. The provisions in this manual apply Servicewide whenever Personally Identifiable Information (PII) is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS.
-
Accountability. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost, stolen or disclosed PII may be used to perpetrate identity theft or other forms of fraud, if the information falls into unauthorized hands.
-
Data Loss Incident. An incident of a reported loss, theft, breach, or disclosure.
-
Personally Identifiable Information (PII). The definition of personally identifiable information is provided by OMB 07-16. For further information about PII, see the PIPDS web page, PII - What is personally identifiable information?
-
Sensitive But Unclassified Information (SBU). Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction. For further information on SBU, see the PIPDS web page, What is SBU?
-
For a full listing of Incident Management terms, see Exhibit 10.5.4-2, Glossary of Incident Management Terms and Definitions.
-
Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information.
-
The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies. See Exhibit 10.5.4-3 for a list of other relevant OMB Memoranda, Federal Guidance, Internal Revenue Manuals, and details about where to locate them.
-
The Incident Management Program was created in response to these OMB directives, the President's Identity Theft Task Force recommendations and to ensure IRS compliance with OMB requirements for incident management and data loss notification. Consistent with the OMB directives, the IRS notifies individuals who are determined to be at high risk of harm following a PII data loss. The potentially impacted individuals are notified without unreasonable delay following a risk assessment of the incident.
-
Since September 2007, the Incident Management Office (previously ITIM Office) in PIPDS has been responsible for ensuring IRS incidents involving the loss or theft of an IRS asset or the loss, theft, or disclosure of PII are investigated, analyzed and resolved by the PII Incident Management Team.
-
Privacy, Information Protection & Data Security (PIPDS). The Office of PIPDS works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to data loss.
-
Incident Management. This PIPDS office has the following specific responsibilities related to administering the Incident Management Program in the IRS:
-
Interpreting federal laws, regulations, and policies relating to the protection of PII (see IRM 11.3.1, Introduction to Disclosure for more information)
-
Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 07-16 and related directives
-
Carrying out activities as required by the Privacy and Information Protection (PIP) Advisory Committee, which oversees the development and execution of the Incident Management Program
-
Identifying and tracking data loss incidents
-
Conducting risk assessments of data loss incidents
-
Mitigating risks associated with such incidents before substantial damage occurs
-
Preparing all reporting documentation pertaining to data loss incidents
-
Making notification recommendations regarding potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities
-
Convening and facilitating the PII Working Group to review data loss incident risk assessments and validating notification recommendations
-
Presenting notification recommendations to the PIP Advisory Committee for final decision and approval
-
Supporting communications and other follow-up actions based on PIP Advisory Committee notification decisions
-
Identifying emerging trends and developing appropriate strategies and responses
-
Improving procedures to reduce data loss incidents
-
Developing, defining, monitoring, and executing Incident Management policies and procedures
-
Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual
-
Communicating and coordinating with internal stakeholders to ensure consistency regarding data loss policy and issues
-
-
Identity Protection Specialized Unit (IPSU). The Incident Management Program supports the IPSU, which assists individuals impacted by IRS data loss by answering general incident-related inquiries. The IPSU also provides assistance to taxpayers impacted by identity theft or taxpayers who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by IPSU even if the taxpayer has not experienced any problems with, or received communications from, the IRS. See IRM 21.9.2, Accounts Management Identity Theft, for more information about the IPSU.
-
The Incident Management Program consists of three critical components:
-
Reporting. This is covered below in IRM 10.5.4.3, Reporting Losses, Thefts and Disclosures of Sensitive Information.
-
Responding. This is covered in the Incident Management Breach Process flow chart, or below in IRM 10.5.4.4, Responding: The Incident Management Breach Process.
-
Tracking. This is covered below in IRM 10.5.4.5, Tracking: IRS Data Loss and Identity Theft Tracking Indicators.
-
-
All IRS employees are required to report the loss, theft, or disclosure of sensitive information, whether in electronic, verbal or hardcopy form, within one hour.
Note:
Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, E-mail messages (printed), and personnel and job application information.
-
Timely reporting of all information losses or thefts within one hour is critical, so that any needed investigation can be initiated quickly to decrease or mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud.
-
If an employee becomes aware of an intentional unauthorized disclosure, the incident must be reported to the Treasury Inspector General for Tax Administration (TIGTA), as soon as possible. See IRM 11.3.1, Introduction to Disclosure and IRM 11.3.38, Role and Responsibilities of Disclosure Managers for further information. See also Section 7213 of the US Code which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.
-
Employees who become aware of an inadvertent disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, are required to report the incident within one hour to each of the following, as applicable:
-
His or her manager, in all instances
-
The Notice Gatekeeper, if the incident involves taxpayer correspondence, using the Servicewide Notice Information Program (SNIP) Erroneous Taxpayer Correspondence Reporting Form (available on the SERP website, under SNIP). The scope of this form has been expanded to include electronic communication such as faxes, transcripts, and E-mail messages. See IRM 21.3.1.1.1, Erroneous Correspondence Procedures. The Notice Gatekeeper will notify the Computer Security Incident Response Center (CSIRC) as necessary after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to CSIRC, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches/losses.
-
CSIRC, if the incident does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk, or packages lost during shipment), using the Computer Security Incident Reporting Form located at https://www.csirc.web.irs.gov/incident/, or by calling 1-866-216-4809
-
TIGTA, if the incident involves the loss or theft of an IT asset (e.g., computers, laptops, routers, printers, removable media, CD/DVD, flash drive, floppy), or hardcopy records/documents, at 1-800-366-4484
-
Modernization & Technology Services (MITS) Enterprise Services Help Desk (ESD) at 1-866-743-5748, if the incident involves the loss or theft of an IT asset
-
-
Inadvertent accesses are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access. An inadvertent access is when an employee accesses or reads tax records by accident. Some examples include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to CSIRC or SNIP.
-
The following situations require no reporting to CSIRC, the Notice Gatekeeper, PIPDS, etc., as they do not constitute erroneous correspondence or a disclosure:
-
An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.
-
An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.
-
An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says he or she is not the taxpayer.
-
The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.
Note:
See IRM 21.3.1.1.1, Erroneous Correspondence Procedures for further information.
-
-
The Incident Management Breach Process is most easily understood by reviewing the Incident Management Breach Process flow chart, also available in Exhibit 10.5.4-1. A more detailed explanation of the process follows immediately below.
-
Incident Management Intake. When a data loss incident occurs (this includes the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII), the incident is reported to CSIRC. CSIRC sends a notification via E-mail to the PII mailbox that contains an incident summary including the information necessary to open a case. The PII mailbox is a centralized communication tool used by the PII Incident Management Team to send and receive all communications throughout the incident intake process, including the standard introductory E-mail from CSIRC. Incident Management performs an initial assessment of the incident. If PII or SBU data is involved, Incident Management will send a PII Analysis Template to the IRS employee and the employee's manager to obtain additional information. The CSIRC Incident Report and PII Analysis Template provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.
-
High-Impact Incidents. CSIRC will escalate all High-Impact Incidents to the PIP Leadership Team before proceeding with further reporting duties. For purposes of this procedure, the PIP Leadership Team consists of the Director, Privacy and Information Protection, the Deputy Director, Privacy and Information Protection, and the Associate Director, Incident Management, as well as other staff that may be designated by these officials to receive notification. The PII mailbox will be copied on all notifications. For purposes of this procedure, a High-Impact Incident is one that meets any of the following:
-
Potentially impacts 100 or more individuals;
-
Involves circumstances that are exceptional in nature and may draw media attention, e.g., a break-in at an IRS office or alternative work site in which a potential data loss has been reported, documents falling off the back of a truck, a loss known to potentially involve a high-profile individual, a loss where it appears the media may have already been contacted, etc.; or
-
Involves information whose loss may negatively impact the IRS, e.g., the loss of e-file records, the compromise of sensitive information involving a high-profile IRS initiative, incidents affecting IRS.gov, such as a glitch allowing personal information to be accessed, etc.
-
CSIRC will wait for feedback from the PIP Leadership Team before proceeding with further reporting duties for High-Impact Incidents.
-
Incident Management Risk Assessment. Incident Management performs a risk assessment to evaluate the likely risk of harm, specifically the potential for identity theft, for all reported IRS data loss incidents, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the incident into one of four levels. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data loss should be given.
-
Likelihood Of Harm. Incident Management uses the following three-step methodology to assess all incidents to determine the potential likelihood of harm to individuals:
-
Step 1: Examine key factors. Each of the four factors identified by OMB (the nature of the data elements breached; the likelihood the PII is accessible and usable; the likelihood the PII may lead to harm as defined by the Privacy Act; and the ability of the agency to mitigate the risk of harm) is assessed in relation to the specific incident to determine the potential likelihood of harm to individuals. Note: OMB suggests a fifth factor, the number of individuals affected. However, this factor is not used to determine if notification should be provided, but may dictate the communication vehicles used for notification. Identifying the data elements and assessing the impact of the loss are key factors that must be considered in determining if, when, and how notification will be provided to potentially impacted individuals.
-
Step 2: Factor ratings. Each of the four factors is then rated based on its impact level (high, moderate, low, or no impact), with corresponding points from 3 to 0 assigned to each impact level.
-
Step 3: Incident categorization. Based on the total factor rating points, the incident is categorized into one of four levels. Incidents with total factor rating points between 8 and 12 are considered Level Three. Potentially impacted individuals involved in a data loss incident categorized as Level Three will be sent a data loss letter.
-
-
Risk Assessment Factors. The IRS risk assessment includes the following factors and key considerations, at a minimum:
-
The nature of the data elements breached, i.e., the type of information disclosed, e.g., whether the data loss incident involved PII such as SSNs, addresses, and names;
-
The likelihood the information was made accessible to and usable by unauthorized persons, e.g., was data encrypted using an encryption product approved for government use by the National Institute of Standards and Technology (NIST), and does it meet Federal Information Processing Standard (FIPS) 140-2 specifications;
-
The likelihood the information may lead to harm as defined by the Privacy Act, i.e., the damage potential of the information disclosed, e.g., whether the information can be used to cause harm, such as identity theft or public embarrassment; and
-
The ability of the IRS to mitigate the potential harm, e.g., does the agency have the capabilities to take countermeasures.
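The three-step likelihood-of-harm method above, and the High-Impact Incident test from the intake step, as a worked model. This is an added example written for this page, not IRS or PIPDS code; the factor names, the `Assessment` record and the sample scenarios are constructed, and point ranges for levels other than Level Three are not assigned because this section does not state them.

```python
"""Worked model of the IRM 10.5.4.4 likelihood-of-harm assessment.

Added example, not IRS or PIPDS code. It encodes the three-step method as the
text states it: rate each of the four OMB factors (high = 3, moderate = 2,
low = 1, no impact = 0), sum the points, and treat a total of 8-12 as Level
Three, the case in which potentially impacted individuals are sent Letter 4281C
and, if the account is established on the Master File, marked with TC 971 AC 505.
Point ranges for the other levels are not stated in this section, so the model
does not assign them.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Step 2: impact level -> points, as stated in the text.
IMPACT_POINTS = {"high": 3, "moderate": 2, "low": 1, "none": 0}

# Step 1: the four OMB factors, in the order the text lists them. Factor names
# are constructed for this example. A rating is the analyst's judgment of how
# much that factor raises the risk of harm; for mitigation ability, "high"
# means the IRS has little ability to counter the loss.
FACTORS = (
    "data_elements",       # nature of the data elements breached
    "accessibility",       # likelihood the PII is accessible and usable
    "harm_potential",      # likelihood the PII may lead to Privacy Act harm
    "mitigation_ability",  # ability of the agency to mitigate the harm
)

LEVEL_THREE_TOTALS = range(8, 13)  # 8-12 inclusive, per the text
HIGH_IMPACT_INDIVIDUALS = 100      # High-Impact Incident threshold, per the text


@dataclass(frozen=True)
class Assessment:
    points: Dict[str, int]
    total: int
    level_three: bool
    notify: bool              # send Letter 4281C, IM Breach Notification Letter
    indicator: Optional[str]  # "TC 971 AC 505" when notified and on Master File


def rate_factors(ratings: Dict[str, str]) -> Dict[str, int]:
    """Step 2: convert each factor's impact rating to points.

    Every factor must be rated exactly once with a known impact level; an
    incomplete or mistyped assessment raises rather than silently scoring low.
    """
    unknown = set(ratings) - set(FACTORS)
    missing = set(FACTORS) - set(ratings)
    if unknown or missing:
        raise ValueError(f"unknown factors {sorted(unknown)}, missing {sorted(missing)}")
    points = {}
    for factor in FACTORS:
        level = ratings[factor].strip().lower()
        if level not in IMPACT_POINTS:
            raise ValueError(f"{factor}: impact must be one of {sorted(IMPACT_POINTS)}")
        points[factor] = IMPACT_POINTS[level]
    return points


def assess(ratings: Dict[str, str], on_master_file: bool) -> Assessment:
    """Steps 2 and 3, plus the notification and tracking decisions that follow."""
    points = rate_factors(ratings)
    total = sum(points.values())
    level_three = total in LEVEL_THREE_TOTALS
    # Level Three incidents are the ones for which the text says a data loss
    # letter is sent; the indicator is applied only to accounts on the MF.
    indicator = "TC 971 AC 505" if level_three and on_master_file else None
    return Assessment(points, total, level_three, level_three, indicator)


def is_high_impact(individuals_affected: int, exceptional_circumstances: bool,
                   irs_impacting: bool) -> bool:
    """High-Impact Incident: any one criterion triggers escalation to PIP Leadership."""
    return (individuals_affected >= HIGH_IMPACT_INDIVIDUALS
            or exceptional_circumstances or irs_impacting)


if __name__ == "__main__":
    # Constructed scenario modelled on the IRM's own example: unencrypted
    # hardcopy case files containing SSNs lost in shipment.
    shipped_files = {"data_elements": "high", "accessibility": "high",
                     "harm_potential": "high", "mitigation_ability": "moderate"}
    print(assess(shipped_files, on_master_file=True))
    # Constructed contrast: the same data on a laptop encrypted with a
    # FIPS 140-2 validated product, so the PII is unlikely to be usable.
    encrypted_laptop = {"data_elements": "high", "accessibility": "none",
                        "harm_potential": "low", "mitigation_ability": "low"}
    print(assess(encrypted_laptop, on_master_file=True))
    print(is_high_impact(250, False, False))
```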
-
-
The PII Incident Management Working Group (IMWG) and the Privacy and Information Protection Advisory Committee (PIP AC) include representatives from all business units and functional organizations. The IMWG approves low risk case decisions and provides high risk case recommendations to the PIP AC for final decision making.
-
After Incident Management has completed its risk analysis of an incident and developed a recommendation with regard to the appropriate response, the recommendation is reviewed by the PII Incident Management Working Group (IMWG).
-
If the IMWG agrees with the notification recommendation, the final decision to notify is presented to the Privacy and Information Protection Advisory Committee (PIP AC) for approval and concurrence.
-
If the PIP AC concurs with the notification recommendation, potentially impacted individuals are then notified of the data loss via Letter 4281C, IM Breach Notification Letter.
-
The IRS will notify potentially impacted individuals after the evaluation of a data loss incident that results in a high risk of harm to these individuals.
-
The IRS will notify these individuals via Letter 4281C, IM Breach Notification Letter.
-
The IRS will identify individuals who have been sent Letter 4281C, IM Breach Notification Letter, by marking each account with the IRS data loss indicator TC 971 AC 505 (only if the account is established on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying Tracking Indicators to IRS Data Loss Incidents, for additional information.
-
The IRS will notify individuals potentially impacted by IRS data loss incidents using Letter 4281C, IM Breach Notification Letter. The IRS may use a unique letter when deemed necessary and appropriate. Notifications will be written plainly and clearly, and will generally include, at a minimum, the following information:
-
A brief description of what happened, including the date of the data loss incident
-
To the extent possible, a description of the type of PII disclosed as a result of the data loss incident (e.g., name, SSN, date of birth, address)
-
Actions that potentially impacted individuals should take to protect themselves from potential harm
-
A toll-free number that potentially impacted individuals can contact for more information
-
A statement that the IRS has provided or will provide potentially impacted individuals with credit monitoring at no cost for twelve months, and the contact information for the credit monitoring service
-
Document 12519, Information Loss Frequently Asked Questions, an enclosure containing websites and other resources that provide information about identity theft prevention and protection
-
-
The Director, Privacy and Information Protection (PIP) shall sign notification letters to individuals potentially impacted by a data loss incident.
-
The IRS will notify individuals potentially impacted by data loss incidents involving PII without unreasonable delay following the completion of the risk assessment process.
-
PIPDS has established a business measure for the Incident Management Program to notify potentially impacted individuals within a median 45 days from the date the data loss incident is reported to CSIRC to the date of the notification letter.
-
The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.
-
The IRS will provide written notification to the taxpayer's address of record on IDRS.
-
Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.
-
At the discretion of the PIP Advisory Committee (AC), and consistent with applicable law, the IRS may notify external entities. In making its decision, the PIP AC will consider whether notifying external entities would result in any of the following:
-
Aiding the public in its response to the incident (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)
-
Facilitating the IRS’ ability to mitigate the potential harm resulting from the data loss incident (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)
-
Contributing to unnecessary public alarm
-
Creating an unnecessary burden on the public, external entities, or potentially impacted individuals
-
-
Based on the circumstances of the data loss incident, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:
-
A dedicated toll-free number staffed by trained IRS personnel to respond to general data loss incident-related inquiries
-
Information on websites and other resources providing information about identity theft prevention and protection
-
Coordination with business units on data loss incidents that affect taxpayers’ tax returns, such as phishing schemes
-
-
The Identity Protection Specialized Unit (IPSU) receives calls from individuals who have received notification of an IRS data loss via Letter 4281C, IM Breach Notification Letter. The IPSU answers general incident-related inquiries regarding the data loss and prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident that the IPSU is unable to answer. The Form 4442 is directed to the Incident Management office in Philadelphia for resolution.
-
In some instances, IRS phone assistors other than the assistors in the IPSU may receive calls from taxpayers that have received Letter 4281C. If an employee receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), refer the individual to 1-866-225-2009. The IPSU supports this dedicated number and is trained to respond to Letter 4281C questions.
-
Correspondence received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the IPSU at the following address: IRS, Attn: IPSU, PO Box 9039, Andover, MA, 01810-9039. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) in Andover at (978) 247-9965. The IPSU can provide further assistance regarding the data loss incident and information to protect the taxpayer's personal data.
-
Incident Management will adhere to all document retention schedules in accordance with IRM 1.15.1, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data loss incident.
-
The Incident Management Program tracks data loss related incidents to support the following objectives:
-
Reduce taxpayer burden while addressing data loss incidents.
-
Increase operational efficiency of the IRS by detecting and processing reported data loss incidents as early and consistently as possible.
-
-
PIPDS developed and implemented data loss and identity theft indicator codes to centrally track IRS data loss and identity theft incidents. Each indicator is input as a Transaction Code (TC) with Action Code (AC) and displayed on the Integrated Data Retrieval System (IDRS) command code ENMOD of the affected taxpayer's account.
-
TC 971 AC 505 was implemented by PIPDS to identify taxpayers whose PII was lost, breached, stolen, or disclosed because of an IRS data loss incident.
-
TC 971 AC 505 is applied to a taxpayer’s account when all of the following occur:
-
A taxpayer’s PII was lost, breached, disclosed, or stolen.
-
The incident risk assessment results in a high risk of harm to the potentially impacted individuals.
-
The IRS notifies the taxpayer of this data loss incident.
Example:
Taxpayer case files containing PII were lost while being shipped from one location to another. Since the incident risk assessment resulted in a high risk of harm, Incident Management will send a notification letter to the potentially impacted individuals.
-
-
Input of TC 971 AC 505 is limited and reserved for use by PIPDS employees; however, this indicator will be visible and available for reference on the individual's account. See Exhibit 10.5.4-4 for more information about this indicator.
-
PIPDS inputs TC 971 AC 505 on an account regardless of the existence of any other identity theft indicator code (AC 501, 504, or 506) that may be present on the account. See IRM 10.5.3, Identity Protection Program for information on Action Codes 501, 504, and 506.
-
In some instances, it may be necessary for PIPDS personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PIPDS employees, Exhibit 10.5.4-5 is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.
-
The Incident Management Program institutes initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII.
-
The Incident Management Program also supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by the Office of Privacy. These briefings provide information regarding privacy, disclosure, computer security, and UNAX to all employees.
-
How is the IRS tracking and monitoring data loss incidents?
-
The IRS will track data loss incidents by placing a data loss indicator (TC 971 AC 505) on the entity portion of all individuals who have been sent a data loss notification letter (as long as the entity is established on the Master File).
-
-
Can there be more than one IRS data loss or identity theft-related TC 971 placed on a taxpayer's account?
-
Yes, there can be multiple data loss or identity-theft related TC 971s input/present on a taxpayer's account (e.g., different action codes, different tax years, and/or different functions). Each indicator represents an incident that meets the criteria of the specific indicator placed on the account. For further detail on the IRS data loss indicator, see IRM 10.5.4.5.1.1, and IRM 10.5.3, Identity Protection Program, for details regarding the IRS identity theft indicators.
-
-
Under what circumstances can the IRS data loss or identity theft-related tracking indicators (i.e., TC 971 with AC 501, 504, 505, or 506) be reversed?
-
In some instances, it may be necessary to manually reverse the IRS data loss or identity theft indicators. A data loss indicator may be reversed because of a keying or internal error, or an internally identified negative impact. Although input of the TC 972 AC 505 is limited and reserved for use by PIPDS employees, Exhibit 10.5.4-5 is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field. For additional information on reversing the IRS identity theft indicators, see IRM 10.5.3, Identity Protection Program.
-
-
The IRS identified the taxpayer as being impacted by a data loss, theft, breach, or disclosure incident and placed a TC 971 AC 505 on the account. What happens next?
-
The taxpayer will receive a data loss notification letter (Letter 4281C, IM Breach Notification Letter) from the IRS advising him/her that information controlled by the IRS may have been disclosed to unauthorized individuals. The notification letter contains information related to identity protection and free credit monitoring products arranged for the taxpayer by the IRS. Note: The taxpayer must call the credit-monitoring agency in order to sign up for the services.
-
-
What is the role of the Identity Protection Specialized Unit (IPSU)?
-
The IPSU receives calls from individuals who have received an IRS data loss letter (Letter 4281C). The IPSU answers general incident-related inquiries regarding the data loss and prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident which the IPSU is unable to answer. The Form 4442 is directed to the Incident Management office in Philadelphia for resolution.
-
The IPSU receives taxpayer calls and works with taxpayers who believe they have been victims of identity theft that does not affect tax administration. After a taxpayer provides substantiation documentation, the unit will apply a TC 971 AC 504 to the taxpayer's account.
-
The IPSU also receives calls from taxpayers who believe they are victims of identity theft that does affect tax administration; however, these callers are referred to the appropriate functional business unit for resolution. See IRM 21.9.2.3.3, Tax-Related Identity Theft (IPSU Toll-Free line CSRs only). The IPSU periodically follows up with these units to ensure the case is being worked appropriately.
-
The IPSU will also assist taxpayers whose situations meet TAS criteria 5-7 AND involve identity theft. See IRM 21.1.3.18, Taxpayer Advocate Service (TAS) Guidelines, and IRM 21.9.2.10, Identity Theft Assistance Request (ITAR) – General Information.
-
What sources can I reference to get general information regarding identity theft and identity theft-related topics?
-
See IRM 10.5.4.8, Identity Theft Information Links.
-
-
This section of the manual provides links to websites containing identity theft-related information and publications. Specifically, the links include publicly available websites and IRS intranet websites that house general information, as well as function-specific IRM sections that provide guidance on identity theft-related cases and issues.
-
Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues:
| # | Title | Description | Link | Owner |
| 1 | Internal Revenue Service (IRS) Website | Identity Theft and Your Tax Records. Note: Can also be accessed via the IRS.gov home page using the search term Identity Theft | http://www.irs.gov/privacy/article/0,,id=186436,00.html | IRS |
| 2 | Federal Trade Commission (FTC) Identity Theft Website | FTC identity theft awareness home page | http://www.ftc.gov/bcp/edu/microsites/idtheft/ | FTC |
| 3 | FTC Identity Theft Affidavit | Direct link to FTC Identity Theft Affidavit; includes instructions and guidance for completing FTC Affidavit. Note: This form is no longer accepted by the IRS to substantiate identity theft. However, it can still be used by individuals to substantiate identity theft with credit bureaus and/or any companies where accounts have been opened using the victim's identity. | http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf | FTC |
| 4 | IRS Identity Theft Affidavit (Form 14039) | IRS Form 14039 is used by taxpayers who want to report to the IRS that they are a victim of identity theft, or who may become victims of identity theft as a result of a lost or stolen wallet or purse, or other suspicious activity on their credit card or bank statements. | http://www.irs.gov/pub/irs-pdf/f14039.pdf | IRS |
| 5 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | http://www.justice.gov/criminal/fraud/websites/idtheft.html | DOJ |
| 6 | TAS Website | Taxpayer Advocate Service | http://www.irs.gov/advocate | TAS |
| 7 | SSA Website | Social Security Administration (SSA) home page | http://www.ssa.gov | SSA |
| 8 | SSA Identity Theft Website | Social Security Administration (SSA) identity theft home page | http://www.ssa.gov/pubs/10064.html | SSA |
| 9 | Identity Theft Task Force Website | President's Task Force on Identity Theft home page | http://www.idtheft.gov | Identity Theft Task Force |
| 10 | IRS Phishing Website | Instructions on how to report and identify phishing, e-mail scams, and bogus IRS websites | http://www.irs.gov/privacy/article/0,,id=179820,00.html | IRS |
| 11 | Credit Bureaus | Direct links to the three recognized credit bureaus: Equifax, Experian, and TransUnion | http://www.equifax.com; http://www.experian.com; http://www.transunion.com | Equifax, Experian, and TransUnion |
| 12 | IRS Pub 4523 | Beware of Phishing Schemes | http://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS |
| 13 | IRS Pub 4524 | Security Awareness and Identity Theft | http://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS |
| 14 | IRS Pub 4535 | Identity Theft Prevention and Victim Assistance | http://www.irs.gov/pub/irs-pdf/p4535.pdf | IRS |
| 15 | Identity Theft Resource Center® (ITRC) | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC |
| 16 | OnGuard Online | Identity theft prevention tips from the federal government and technology industry | http://www.onguardonline.gov/ | FTC |
Internal IRS intranet links that provide general information on identity theft, identity theft-related issues, and data loss incidents:
| # | Title | Description | Link | Owner |
| 1 | PIPDS Identity Theft Program Website | Office of Privacy, Information Protection & Data Security (PIPDS) home page | http://irweb.irs.gov/AboutIRS/bu/pipds/default.aspx | PIPDS |
| 2 | CSIRC Website | Computer Security Incident Response (CSIRC) home page | http://www.csirc.web.irs.gov/ | MITS |
| 3 | IRM 1.2.25.2 | IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | http://irm.web.irs.gov/link.asp?link=1.2.25.2 | IRS |
-
| Term | Definition |
| Access | The ability or opportunity to gain knowledge of personally identifiable information. |
| Breach | The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for other than an authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic. |
| Data Loss (Breach) Notification | The process of notifying potentially impacted individuals following the discovery of a PII data loss incident when the incident results in a high risk of harm to these individuals. Also known as PII data loss incident notification. |
| Data Loss Incident Risk Assessment | A risk assessment conducted on an IRS-incurred data loss, theft, breach, or disclosure incident. The risk assessment includes factors that must be considered, specifically the context of the incident and the data that was disclosed. Example: An IRS employee in the field loses a taxpayer case file assigned to him. It contained PII data such as name, address, SSN, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification should be given to the taxpayer. |
| Federal Information Processing Standard (FIPS) | Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347). |
| Federal Trade Commission (FTC) | An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices. |
| Harm | Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility: a) potential for blackmail; b) disclosure of private facts; c) mental pain and emotional distress; d) potential for secondary uses of the information that could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem; e) identity theft; or f) financial loss. |
| Identity Theft | A fraud that is committed or attempted using a person's identifying information without authority. |
| Incident Management | The process of managing incidents involving the loss, theft, breach or disclosure of data. |
| Information Technology | Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. |
| Loss | Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, BlackBerry, cell phone, and/or other portable media; electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data; or a combination of a physical asset and electronic and/or hard copy data. |
| National Institute of Standards and Technology (NIST) | A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology. |
| Office of Management and Budget (OMB) | A cabinet-level office that oversees the activities of federal agencies and monitors the adherence of their assigned federal programs to presidential policies. |
| Personally Identifiable Information (PII) | The definition of personally identifiable information is provided by OMB M-07-16. For further information about PII, see the PIPDS web page "PII - What is personally identifiable information?" |
| PII Incident | An actual or suspected loss of control, disclosure, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII incidents include situations where persons other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format. |
| PII Incident Notification | See Data Loss (Breach) Notification. |
| PII Incident Management Working Group | A decision-making body chaired by the Deputy Director, Incident Management. Membership consists of senior management and key technical experts from all key business and functional unit stakeholders. Policy roles include: a) review Incident Management Program policy analyses and recommendations; b) provide further analysis, data collection and support material for AC decision making; and c) provide recommendations to the AC for final decision making. Operational roles include: a) review Incident Management case risk analyses and recommendations; b) provide further analysis, data collection and support material for AC decision making; c) approve low-risk case decisions; and d) provide medium- and high-risk case recommendations for victim notification to the AC for final decision making. |
| Privacy and Information Protection (PIP) Advisory Committee | A committee established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, the development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives. |
| Risk | The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring. |
| Risk Assessment | The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact. |
| Safeguards | Protective measures prescribed to meet the privacy requirements specified for an information system. |
| Sensitive But Unclassified Information | Any information that requires protection due to the risk and magnitude of loss or harm to the IRS, or to the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction. |
| Unauthorized Access | The willful unauthorized access and/or inspection of tax returns and return information. |
| Unreasonable Delay | A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means that if a breach is discovered and all the information necessary to determine the scope of the breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached. |
The Incident Management Program was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against data losses and misuse of sensitive personal data. The following are the principal documents involving the Incident Management Program:
OMB Memoranda
-
M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006
-
M-06-16, Protection of Sensitive Agency Information, June 23, 2006
-
M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006
-
M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006
-
M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
OMB Memoranda are available from the Office of Management and Budget at http://www.whitehouse.gov/omb/memoranda.
Other Federal Guidance
-
Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007
-
Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007
-
President’s Identity Theft Task Force Report Summary of Interim Recommendations, September 2006
The President’s Identity Theft Task Force documents are available at http://www.idtheft.gov/
IRS Internal Revenue Manuals
-
IRM 10.5.1, Privacy, Information Protection & Data Security Policy and Guidance
-
IRM 10.5.3, Identity Protection Program
Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Information Protection & Data Security personnel.
TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:
| TRANS-DT | SECONDARY-DT | MISC |
| TC 971 AC 505 input date | Date the data loss incident occurred. | The Incident Tracking Number (number assigned to the data loss case). This number begins with the literal "IR" and is followed by 11 numeric digits. For example: IR20100211034 |
Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Information Protection & Data Security personnel.
The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:
| TC 972 AC 505 Miscellaneous Field | | |
| Reason | Description | Value |
| Keying or Internal Error | The 971 was due to a typographical mistake or another internal mistake. | IRSERR |
| Internally Identified Negative Impact | The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact. | IRSADM |
| Other | The reason for the 971 reversal does not meet any of the above reason descriptions. | OTHER |
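As an added example (not IRS code and not an IDRS utility), the following Python checks TC 971 AC 505 and TC 972 AC 505 records against the field rules given in the two exhibits above: the "IR" plus 11 digits format of the Incident Tracking Number, the incident date not being later than the input date, and the three reversal reason values; it also flags a reversal posted with no open indicator to reverse. The dictionary record layout, the ISO-8601 date strings and the sample records are constructed assumptions, not the ENMOD display format.

```python
import re
from datetime import date

# Rules from the IRM exhibits: MISC of a TC 971 AC 505 is the literal "IR" plus
# 11 digits; MISC of a TC 972 AC 505 holds one of three reversal reason values.
TRACKING_NUMBER_RE = re.compile(r"^IR[0-9]{11}$")
REVERSAL_REASONS = {"IRSERR": "Keying or Internal Error",
                    "IRSADM": "Internally Identified Negative Impact",
                    "OTHER": "Other"}

# Constructed sample records for one account in posting order (not real data).
# The dict layout and ISO-8601 dates are assumptions, not the ENMOD display.
SAMPLE_RECORDS = [
    {"TC": 971, "AC": 505, "TRANS-DT": "2010-02-15", "SECONDARY-DT": "2010-02-11", "MISC": "IR20100211034"},
    {"TC": 972, "AC": 505, "TRANS-DT": "2010-03-01", "SECONDARY-DT": "2010-02-11", "MISC": "IRSERR"},
    {"TC": 971, "AC": 505, "TRANS-DT": "2010-03-05", "SECONDARY-DT": "2010-02-11", "MISC": "IR2010021103"},  # 10 digits
]

def validate_indicator(rec):
    """Return the problems found in one TC 971/972 AC 505 record ([] if clean)."""
    problems = []
    if rec.get("AC") != 505:
        problems.append("AC must be 505")
    tc, misc = rec.get("TC"), rec.get("MISC", "")
    if tc == 971:
        if not TRACKING_NUMBER_RE.match(misc):
            problems.append(f"MISC {misc!r} is not IR + 11 digits")
        # SECONDARY-DT is the incident date; it cannot be after the input date.
        if date.fromisoformat(rec["SECONDARY-DT"]) > date.fromisoformat(rec["TRANS-DT"]):
            problems.append("incident date is later than the TC 971 input date")
    elif tc == 972:
        if misc not in REVERSAL_REASONS:
            problems.append(f"MISC {misc!r} is not a recognised reversal reason")
    else:
        problems.append("TC must be 971 or 972")
    return problems

def reversals_without_indicator(records):
    """Indexes of TC 972 AC 505 records with no open TC 971 AC 505 to reverse."""
    open_count, flagged = 0, []
    for i, rec in enumerate(records):
        if rec.get("AC") != 505:
            continue
        if rec.get("TC") == 971:
            open_count += 1
        elif rec.get("TC") == 972:
            if open_count == 0:
                flagged.append(i)
            open_count = max(open_count - 1, 0)
    return flagged
```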