10.5.4  Incident Management Program

Manual Transmittal

December 02, 2014

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) Updated Signature Line from Amy L. Stanton to Frances W. Kleckley.

(2) Made editorial changes and updated text to improve clarity throughout the IRM.

(3) Updated all references in the text from Privacy and Information Protection (PIP) to Privacy Policy and Compliance (PPC).

(4) Deleted all references to IRM 10.5.3.

(5) IRM 10.5.4.1.1 - Renumbered (4) to (5) and added text to define Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) in (4).

(6) IRM 10.5.4.1.3 (2) - Updated text in (b) to include a reference to SPIIDE events; updated text in (c), (h), (i) and (j) to improve clarity.

(7) IRM 10.5.4.2 - Added (2) to include information on SPIIDE.

(8) IRM 10.5.4.3 - Deleted "of Sensitive Information" in the sub-section title.

(9) IRM 10.5.4.3 (1) - Added "IRS" before "IT" and "Bring Your Own Device (BYOD)" to improve clarity and to emphasize both types of IT assets must be reported if lost or stolen.

(10) IRM 10.5.4.3.1 (2) - Added "IRS" before "IT" and "BYOD" assets to improve clarity.

(11) IRM 10.5.4.3.3 - Updated reporting office from the Situation Awareness Management Center (SAMC) to the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM); added the IM Hotline telephone number; updated the telephone number for the Computer Security Incident Response Center (CSIRC); and added a link to the Think Data Protection IF/THEN chart. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(12) IRM 10.5.4.3.3 (1) (a), (b), and (c) and (3) Note - Updated text in (1) (a), (b) and (c) and updated the link to the Think Data Protection IF/THEN chart in (3) Note.

(13) IRM 10.5.4.3.3.1 - Added new sub-section titled, Other Responsibilities of Reporting Employees and Business Unit Data Owners, to describe other responsibilities Business Units have regarding data loss incidents.

(14) IRM 10.5.4.3.4 (3) - Updated to replace SAMC with PGLD/IM. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(15) IRM 10.5.4.3.5 (1) and (1) (e) - Updated to replace SAMC with PGLD/IM. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(16) IRM 10.5.4.3.5 (1) (e) - Updated text for clarity and provided web address for Suicide Threats on GLDS page.

(17) IRM 10.5.4.3.6 - Added new subsection titled, Safeguarding Personally Identifiable Information Data Extracts (SPIIDE).

(18) IRM 10.5.4.4 - Updated to replace Incident Management with PGLD/IM. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(19) IRM 10.5.4.4.1 - Updated to replace SAMC with PGLD/IM throughout; updated to replace Incident Management or IM with PGLD/IM; changed the last sentence in (2) to a Note; and made some minor wording changes. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(20) IRM 10.5.4.4.1 - Updated text in (1) (b) to improve clarity; moved note previously under (2) to (1) (b); updated text in (1) (c); added a Note to (1) (c) regarding SPIIDE events; deleted reference and link to Form 14164 in (2); removed reference to PII Analysis Template in (2) (a); and updated text in (3).

(21) IRM 10.5.4.4.3 - Updated text to define the responsibilities of the PIIWG and the PPCAC as they relate to IRS data loss incidents and updated title of sub-section.

(22) IRM 10.5.4.4.4.1 - Added a Note stating potentially impacted individuals must contact the credit reporting agency in order to sign up for the free identity theft protection product.

(23) IRM 10.5.4.4.4.2 - Updated to require the signature of the Director of Privacy and Information Protection (PIP) instead of the Associate Director, PIP. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(24) IRM 10.5.4.4.4.3 - Updated to replace SAMC with PGLD. Note: This updated guidance posted to SERP as IPU 14U1061 (effective 06/27/2014).

(25) IRM 10.5.4.4.4 (3) - Updated Organizational lapse time goal for FY 2014 and FY2015.

(26) IRM 10.5.4.4.5 - Editorial updates made to improve clarity.

(27) IRM 10.5.4.4.5.1 - Reorganized to improve clarity and flow and updated instructions to transfer individuals who call on other than the telephone number provided in Letter 4281C to Application 92161 (or 92162 for individuals needing assistance in Spanish) to resolve a discrepancy between IRM 10.5.4 and the Telephone Transfer Guide. Note: This interim guidance posted to SERP as IPU 13U1689 (effective 11/27/2013) as well as to the Electronic Reading Room (ERR) as interim guidance PGLD-10-1113-1689.

(28) IRM 10.5.4.4.5.1 (4) - Updated text to improve clarity; added a Table to show the PO box address as well as the street address; and added an IRM reference to IRM 10.2.13.4.4.1.

(29) IRM 10.5.4.5 - Updated title of sub-section to IRS Data Loss Tracking Indicator - Objectives and made editorial changes to improve clarity.

(30) IRM 10.5.4.5.1 - Updated title of sub-section to IRS Data Loss Tracking Indicator - Development and Implementation and made editorial changes to improve clarity and flow.

(31) IRM 10.5.4.5.1.1 - Updated title of sub-section to Applying the IRS Data Loss Tracking Indicator to IRS Data Loss Incidents; inserted (4) stating there can be multiple IRS data loss indicators on an account; moved (4) to (5); and made editorial changes to improve clarity and flow.

(32) IRM 10.5.4.7 - Deleted sub-section titled, Identity Theft and Data Loss Frequently Asked Questions, to eliminate redundancy. The following sub-sections have consequently been renumbered.

(33) IRM 10.5.4.7 - Previously 10.5.4.8 - Updated title of sub-section to IRS Data Loss and Identity Theft Information Links.

(34) Exhibit 10.5.4.1 - Added a Header Row to the Exhibit. Note: This interim guidance posted to SERP as IPU 13U1689 (effective 11/27/2013) as well as to the Electronic Reading Room (ERR) as interim guidance PGLD-10-1113-1689.

(35) Exhibit 10.5.4-1 - Added Term and Definition for SPIIDE; updated Term and Definition for PIIWG and PPCAC (previously PIPAC); added Term and Definition for the Identity Protection Specialized Unit (IPSU); added Term and Definition for Data Loss/Breach Incident; added Term and Definition for Data Owner; and added Term and Definition for Reporting Employee.

(36) Exhibit 10.5.4-2 - Added a new exhibit titled IRS Information Loss Frequently Asked Questions (FAQs) and renumbered the following exhibits. Note: These FAQs were formerly housed on SERP, under IRM Supplements, IRS Information Loss.

Effect on Other Documents

IRM 10.5.4, dated June 25, 2013, is superseded. The following IRM Procedural Updates (IPUs), issued on 11-27-2013 and 06-27-2014 respectively, have been incorporated into this IRM: IPU 13U1689 (also posted to the Electronic Reading Room (ERR) as interim guidance PGLD-10-1113-1689) and IPU 14U1061.

Audience

The provisions in this manual apply to all divisions, functional units, managers, employees, and contractors within the Internal Revenue Service (IRS).

Effective Date

(12-02-2014)

Frances W. Kleckley
Director, Privacy Policy and Compliance

10.5.4.1  (06-25-2013)
Background of the Incident Management Program

  1. Purpose. This manual defines the mission, objectives, and governance structure of the Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, breaches and disclosures.

  2. Scope. The provisions in this manual apply Servicewide whenever Personally Identifiable Information (PII) is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS.

  3. Accountability. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost, stolen or disclosed PII may be used to perpetrate identity theft or other forms of harm, if the information falls into unauthorized hands.

10.5.4.1.1  (12-02-2014)
Definition of Key Incident Management Terms

  1. Data Loss/Breach Incident. An incident involving a loss, theft, breach, or inadvertent unauthorized disclosure.

  2. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. The Memorandum is available at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf. For further information about PII, see the PGLD web page, PII - What is personally identifiable information?, at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/privacy_art/8352.aspx.

  3. Sensitive But Unclassified (SBU) Information. Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction. For further information on SBU, see the PGLD web page, What is SBU?, at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/privacy_art/8876.aspx.

  4. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) is a Data Leakage Prevention (DLP) technology within the IRS CyberSecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures. Once fully deployed, SPIIDE will detect and prevent data leakage and will provide the IRS with the capability to monitor, log, manage, and protect against security events related to Sensitive Agency Information (SAI), Sensitive But Unclassified (SBU) Information and Personally Identifiable Information (PII). Incident Management may receive SPIIDE events for investigation and will address accordingly if/when received.

  5. For a full listing of Incident Management terms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms and Definitions.

10.5.4.1.2  (12-10-2010)
Origins of the Incident Management Program

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII).

  2. The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies. See Exhibit 10.5.4-3 for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  3. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for incident management and data loss notification. Consistent with the OMB directives, the IRS notifies individuals who are determined to be at high risk of harm following a PII data loss. The potentially impacted individuals are notified without unreasonable delay following a risk assessment of the incident.

  4. Since September 2007, the Incident Management Office (IM) (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for ensuring IRS incidents involving the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII, are investigated, analyzed and resolved by the Incident Management Team.

10.5.4.1.3  (12-02-2014)
Incident Management Program Roles and Responsibilities

  1. Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS). PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS data loss.

  2. Incident Management (IM). This PGLD office manages the reporting, risk assessment, and tracking of IRS data loss incidents as well as data loss notification to individuals potentially impacted by the IRS data loss, in accordance with OMB M-07-16. IM has the following specific responsibilities related to administering the Incident Management Program in the IRS:

    1. Interpreting federal laws, regulations, and policies relating to the protection of PII (see IRM 11.3.1, Introduction to Disclosure, at http://irm.web.irs.gov/link.asp?link=11.3.1 for more information)

    2. Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 07-16 and related directives. IM may also receive SPIIDE events for investigation and will address accordingly if/when received.

    3. Carrying out activities as required by the Privacy Policy and Compliance Advisory Committee (PPCAC)

    4. Identifying and tracking data loss incidents

    5. Conducting risk assessments of data loss incidents

    6. Mitigating risks associated with data loss incidents before substantial damage occurs

    7. Preparing all reporting documentation pertaining to data loss incidents

    8. Making notification recommendations regarding potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities if necessary

    9. Convening and facilitating the PII Working Group (PIIWG) to review all notification recommendations with the exception of notification recommendations for certain high risk level/high profile breaches which are instead elevated to the PPCAC

    10. Presenting certain high risk level/high profile breach notification recommendations to the PPCAC

    11. Supporting communications and other follow-up actions based on PPCAC notification decisions

    12. Identifying emerging trends and developing appropriate strategies and responses

    13. Improving procedures to reduce the occurrence of data loss incidents

    14. Developing, defining, monitoring, and executing Incident Management policies and procedures

    15. Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual

    16. Communicating and coordinating with internal stakeholders to ensure consistency regarding data loss policy and issues.

  3. Identity Protection Specialized Unit (IPSU). The Incident Management Program is supported by the IPSU, which assists individuals impacted by IRS data loss by answering general incident related inquiries. The IPSU also provides assistance to individuals impacted by identity theft or individuals who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by the IPSU even if the individual has not experienced any problems with, or received communications from, the IRS. See IRM 21.9.2, Accounts Management Identity Theft, at http://irm.web.irs.gov/link.asp?link=21.9.2, for more information about the IPSU.

10.5.4.2  (12-02-2014)
Overview of the Incident Management Program

  1. The Incident Management Program includes the management of the IRS data loss reporting process, as well as the risk assessment and tracking of IRS data loss incidents and notification to individuals potentially impacted by IRS data losses.

  2. The Incident Management Program also includes interaction with CyberSecurity’s SPIIDE application, a technology which, when fully deployed, will detect and prevent data leakage and will provide the IRS with the capability to monitor, log, manage, and protect against security events related to Sensitive Agency Information (SAI), Sensitive But Unclassified (SBU) Information and Personally Identifiable Information (PII). Incident Management may receive events for investigation and will address accordingly if/when received.

10.5.4.3  (12-02-2014)
Reporting Losses, Thefts and Disclosures

  1. All IRS employees are required to report, within one hour, the loss or theft of an IRS IT asset, an asset in the Bring Your Own Device (BYOD) program, or a hardcopy record or document containing sensitive information, and the inadvertent unauthorized disclosure of sensitive information, whether the disclosure is electronic, verbal, or in hardcopy form.

    Note:

    Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, email messages (printed), and personnel and job application information.

10.5.4.3.1  (12-02-2014)
Timely Reporting: Within One Hour

  1. As per OMB Memo M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006, all incidents involving personally identifiable information must be reported within one hour of discovering the incident.

  2. The timely reporting, within one hour, of all inadvertent unauthorized disclosures of sensitive information, and all losses or thefts of sensitive information and IRS IT assets and "BYOD" assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

10.5.4.3.2  (06-25-2013)
Intentional Unauthorized Disclosures

  1. Incidents involving intentional unauthorized disclosures must be reported to the Treasury Inspector General for Tax Administration (TIGTA) as soon as possible. See IRM 11.3.1, Introduction to Disclosure, at http://irm.web.irs.gov/link.asp?link=11.3.1 and IRM 11.3.38, Role and Responsibilities of Disclosure Managers, at http://irm.web.irs.gov/link.asp?link=11.3.38, for further information. See also Section 7213 of Title 26, which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

10.5.4.3.3  (12-02-2014)
Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents

  1. An employee who becomes aware of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IRS IT asset or "BYOD" asset, or hardcopy record or document containing sensitive information, is required to report the incident within one hour to his or her manager and one of the following offices based on what was lost or disclosed:

    1. The Office of Taxpayer Correspondence (OTC), if the incident involves taxpayer correspondence, using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form, available at http://dci0150cpres/CMIS/STACI/redbutton.aspx. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. The scope of the Reporting Form includes taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, and other electronic transmissions such as email. See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, at http://irm.web.irs.gov/link.asp?link=25.13.1.3. The OTC will notify the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), as necessary, after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to PGLD/IM, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches/losses.

    2. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), if the incident does not involve taxpayer correspondence, e.g., a verbal disclosure, or if the incident involves the loss or theft of hardcopy records or documents containing sensitive information, packages lost during shipment, etc., using the Incident Reporting Form, available at https://mem0200vpwbap1.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2. Call (267) 941-7777 if you have any problems with the online form.

      Note:

      If you participate in the Bring Your Own Device (BYOD) program, you must report the loss or theft of your "BYOD" asset to PGLD as well as open a KISAM ticket to report the loss or theft. See the Incident Reporting and Alerts webpage on the CSIRC website at http://mits.web.irs.gov/Cybersecurity/Divisions/Operations/Services/Advise_Alert.htm for additional information regarding BYOD devices.

    3. The Computer Security Incident Response Center (CSIRC), if the incident involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.), using the Computer Security Incident Reporting Form available at https://www.csirc.web.irs.gov/incident/, or by calling (240) 613-3606.

      Note:

      If the incident involves both the loss or theft of an IRS IT asset, e.g., the loss or theft of an IRS issued laptop, flash drive, etc., and the loss or theft of hardcopy records or documents containing sensitive information, packages lost during shipment, etc., report the incident to CSIRC. Do not report it to PGLD/IM.

  2. You must also report the incident to the Treasury Inspector General for Tax Administration (TIGTA), if the incident involves a loss or theft of an IRS IT asset or non-IRS IT asset (BYOD device), e.g., computer, laptop, router, printer, removable media, CD/DVD, flash drive, floppy, etc., or a loss or theft of hardcopy records/documents containing sensitive information, at (800) 366-4484.

  3. If the incident involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

    Note:

    See the PGLD webpage, Data Protection and Inadvertent Disclosures, at http://irweb.irs.gov/AboutIRS/bu/pipds/information_protection/default.aspx, and the Think Data Protection IF/THEN Chart, at https://portal.ds.irsnet.gov/sites/PGLD/idt1/If-Then-Guide-Reporting-Data-Loss-Incidents.pdf, for additional information and guidance.
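The reporting decision in (1) through (3) above, written out as a routing function so the precedence rules are explicit: an IRS IT asset always goes to CSIRC (and not to PGLD/IM, even when hardcopy was lost with it), erroneous taxpayer correspondence goes to OTC, everything else goes to PGLD/IM, with TIGTA, a KISAM ticket and a police report added where the text requires them. This is an added example and not an IRS tool or form; the Incident fields and Recipient names are my own, and the precedence chosen for combinations the manual does not address (such as an IRS IT asset and a BYOD device lost together) is an assumption.

```python
"""Routing of a data loss report to the intake office(s) named in IRM 10.5.4.3.3.

Added example; not an IRS tool. The Incident flags and Recipient names are
assumptions made for this illustration; the contacts are the ones in the text.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Recipient(Enum):
    """Offices and channels the manual names for reporting an incident."""
    MANAGER = auto()        # always, within one hour of discovery (10.5.4.3.3 (1))
    OTC = auto()            # erroneous taxpayer correspondence, SNIP Red Button (1)(a)
    PGLD_IM = auto()        # verbal disclosure, hardcopy, BYOD, lost packages (1)(b)
    CSIRC = auto()          # loss or theft of an IRS IT asset or removable media (1)(c)
    KISAM_TICKET = auto()   # additionally required for a lost or stolen BYOD asset
    TIGTA = auto()          # loss or theft of any IT asset or hardcopy records (2)
    LOCAL_POLICE = auto()   # theft: police report, without sensitive data (3)


@dataclass(frozen=True)
class Incident:
    """What was lost or disclosed; set the flags that apply (field names are assumed)."""
    irs_it_asset: bool = False            # IRS-issued laptop, phone, CD/DVD, flash drive ...
    byod_asset: bool = False              # non-IRS device enrolled in the BYOD program
    hardcopy: bool = False                # hardcopy records/documents or a package lost in shipment
    taxpayer_correspondence: bool = False # notice, letter, transcript, fax or email sent in error
    other_inadvertent_disclosure: bool = False  # e.g. a verbal disclosure to the wrong person
    theft: bool = False                   # the loss is a theft rather than a misplacement


def route_report(inc: Incident) -> set[Recipient]:
    """Return every recipient the manual requires for this incident."""
    if not any((inc.irs_it_asset, inc.byod_asset, inc.hardcopy,
                inc.taxpayer_correspondence, inc.other_inadvertent_disclosure)):
        # "No Reporting" situations (10.5.4.3.5) are decided before this point.
        raise ValueError("nothing reportable was lost or disclosed")

    to = {Recipient.MANAGER}
    if inc.irs_it_asset:
        # Note under (1)(c): IT asset plus hardcopy goes to CSIRC only, never PGLD/IM.
        # Assumption: the same precedence applies if a BYOD device was lost with it.
        to.add(Recipient.CSIRC)
    elif inc.taxpayer_correspondence:
        # OTC does the initial analysis and notifies PGLD/IM itself as necessary.
        to.add(Recipient.OTC)
    else:
        to.add(Recipient.PGLD_IM)

    if inc.byod_asset:
        to.add(Recipient.KISAM_TICKET)          # Note under (1)(b)
    if inc.irs_it_asset or inc.byod_asset or inc.hardcopy:
        to.add(Recipient.TIGTA)                 # paragraph (2)
    if inc.theft:
        to.add(Recipient.LOCAL_POLICE)          # paragraph (3)
    return to


# Contact details exactly as given in 10.5.4.3.3; keyed by recipient.
CONTACT = {
    Recipient.MANAGER: "your manager, within one hour of discovering the incident",
    Recipient.OTC: "SNIP Erroneous Taxpayer Correspondence Reporting Form, "
                   "http://dci0150cpres/CMIS/STACI/redbutton.aspx",
    Recipient.PGLD_IM: "PGLD/IM Incident Reporting Form, https://mem0200vpwbap1.ds.irsnet.gov/"
                       "etrak-privacy/page.request.do?page=page.final2, or (267) 941-7777",
    Recipient.CSIRC: "Computer Security Incident Reporting Form, "
                     "https://www.csirc.web.irs.gov/incident/, or (240) 613-3606",
    Recipient.KISAM_TICKET: "open a KISAM ticket for the lost or stolen BYOD device",
    Recipient.TIGTA: "TIGTA, (800) 366-4484",
    Recipient.LOCAL_POLICE: "file a police report with local law enforcement; "
                            "do not disclose sensitive or taxpayer data",
}


def checklist(inc: Incident) -> list[str]:
    """Human-readable reporting steps, in the order the recipients are listed above."""
    return [CONTACT[r] for r in sorted(route_report(inc), key=lambda r: r.value)]


if __name__ == "__main__":
    # Constructed scenario: an IRS laptop and a folder of returns stolen from a car.
    for step in checklist(Incident(irs_it_asset=True, hardcopy=True, theft=True)):
        print("-", step)
```

The `ValueError` branch is deliberate: the router only decides where a reportable incident goes, and the "No Reporting" situations in 10.5.4.3.5 have to be screened out before calling it.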

10.5.4.3.3.1  (12-02-2014)
Other Responsibilities of Reporting Employees and Business Unit Data Owners

  1. In addition to timely reporting so the PGLD Incident Management team (IMT) can begin its risk assessment process, reporting employees and Business Unit (BU) data owners have other responsibilities:

    1. Containment. The BU data owners must take steps to contain the data loss/breach. For example, if employee or taxpayer data is inadvertently exposed on the internet, the BU data owner must immediately take steps to remove the data and/or close the access; or, if DVDs have been shared with material that should have been redacted, the BU must take steps to immediately recover them and request the recipient remove public access (if the information was made publicly available) and replace it with the proper data. The BU should contact the Office of Privacy, Governmental Liaison and Disclosure (PGLD), Online Fraud Detection and Prevention Office, if assistance is required to contain a breach involving an electronic transmission such as email or a breach involving the posting of information on the internet.

      Note:

      If the employee reporting the data loss/breach incident is not the BU data owner, the reporting employee must collaborate with the BU and PGLD/IMT to determine the best approach for managing containment.

    2. Information Requests. Any information requested by PGLD/IMT (e.g., SSNs, names, dates, etc.) should be provided as quickly as possible to ensure timely reporting and taxpayer notification. If a delay is likely, contact the IMT at (267) 941-7777 to facilitate next steps.

    3. Mitigation. The BU data owner must analyze the event circumstances and determine the necessary steps to prevent similar breaches in the future. This could entail investigating the cause of the breach and developing a prevention plan if necessary. A prevention plan may include a security audit of both physical and technical security; a review and/or development of policies and procedures; and a review of employee training.

  2. Definition of Data Owner and Reporting Employee.

    1. Data Owner. The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data loss/breach incident. For example, if a POA tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.

    2. Reporting Employee. The reporting employee is the employee who identifies/recognizes a data loss/breach incident and reports the incident as required. The reporting employee is responsible for reporting all pertinent information relative to the data loss/breach incident.

10.5.4.3.4  (06-27-2014)
Inadvertent Accesses of Taxpayer Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, located at http://core.publish.no.irs.gov/forms/internal/pdf/25123i04.pdf, or the fillable Form 11377-E, Taxpayer Data Access, located at http://core.publish.no.irs.gov/forms/internal/pdf/39100i04.pdf.

  2. Form 11377 may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to PGLD/IM, CSIRC or OTC.

10.5.4.3.5  (12-02-2014)
"No Reporting" Situations

  1. The following are examples of situations which require no reporting to PGLD/IM, CSIRC, OTC, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    5. An IRS employee follows procedures in IRM 21.1.3.12, Suicide Threats, to disclose a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure, TIGTA, and the Office of Employee Protection, no reporting to PGLD/IM is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, at http://serp.enterprise.irs.gov/databases/irm.dr/current/21.dr/21.1.dr/21.1.3.dr/21.1.3.12.htm, and the Governmental Liaison, Disclosure and Safeguards (GLDS) Suicide Threats page at http://discl.web.irs.gov/unqsitu/SuicdThrts.asp for the procedures to follow when a taxpayer threatens suicide, or when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, at http://irm.web.irs.gov/link.asp?link=25.13.1.3, for additional information regarding erroneous correspondence procedures.

10.5.4.3.6  (12-02-2014)
Safeguarding Personally Identifiable Information Data Extracts (SPIIDE)

  1. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) is a Data Leakage Prevention (DLP) technology within the IRS CyberSecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures. Once fully deployed, SPIIDE will detect and prevent data leakage and will provide the IRS with the capability to monitor, log, manage, and protect against security events related to Sensitive Agency Information (SAI), Sensitive But Unclassified (SBU) Information and Personally Identifiable Information (PII). Incident Management may receive SPIIDE events for investigation and will address accordingly if/when received.

10.5.4.4  (06-25-2013)
Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS data loss incidents by PGLD/IM as well as notification to potentially impacted individuals.

10.5.4.4.1  (12-02-2014)
Incident Management Intake

  1. When a data loss incident occurs (this includes the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII), the incident is reported to either PGLD/IM or CSIRC.

    1. The incident is reported to PGLD/IM if the incident involves, for example, a verbal disclosure or the loss or theft of hardcopy records. The incident is also reported to PGLD/IM if the incident involves a non-IRS IT asset, i.e., an asset in the Bring Your Own Device (BYOD) program.

    2. The incident is reported to CSIRC if the incident involves the loss or theft of an IRS IT asset, or multiple assets, i.e., an IRS IT asset and hardcopy records or documents containing sensitive information.

      Note:

      The form and instructions for incidents involving IT assets are different from the forms and instructions for all other incidents.

    3. The PII mailbox (*PII) is a centralized communication tool used by the Incident Management Team to send and receive all communications throughout the incident intake process. Incident summaries with a brief description of the incident are automatically sent via email to the PII mailbox whenever incidents are reported to CSIRC or PGLD/IM via the Incident Reporting Forms.

    Note:

    Incident Management Intake may also include events received from SPIIDE for investigation.

  2. PGLD/IM performs an initial assessment of the incident. If PII or SBU data is involved and additional information is needed, PGLD/IM will send an Impacted Individuals and/or Business Excel Spreadsheet to the IRS employee and the employee's manager to obtain that information.

    1. The PGLD/IM and CSIRC Incident Reporting Forms provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Businesses Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the data loss.

  3. PGLD/IM will escalate/report all High-Impact Incidents to the PPC Leadership Team before proceeding with further reporting duties. For purposes of this procedure, the PPC Leadership Team consists of the Director, Privacy Policy and Compliance, the Deputy Director, Privacy Policy and Compliance, and the Associate Director, Incident Management, as well as other staff that may be designated by these officials to receive notification. The *PII mailbox, at mailto:pii@irs.gov, will be copied on all notifications. PGLD/IM will wait for feedback from the PPC Leadership Team before proceeding with further reporting duties for High-Impact Incidents. For purposes of this procedure, a High-Impact Incident is defined as one that:

    1. Potentially impacts 100 or more individuals;

    2. Involves circumstances that are exceptional in nature and may draw media attention, e.g., a break-in at an IRS office or alternative work site in which a potential data loss has been reported, documents falling off the back of a truck, a loss known to potentially involve a high-profile individual, a loss where it appears the media may have already been contacted, etc.; or,

    3. Involves information the loss of which may negatively impact the IRS, e.g., the loss of e-file records, the compromise of sensitive information involving a high-profile IRS initiative, incidents affecting IRS.gov, such as a glitch allowing personal information to be accessed, etc.

10.5.4.4.2  (06-25-2013)
Incident Management Risk Assessment

  1. Incident Management performs a risk assessment to evaluate the likely risk of harm, specifically the potential for identity theft, for all reported IRS data loss incidents, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the incident into one of four levels. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data loss should be given.

  2. Incident Management uses the following three-step methodology to assess all incidents to determine the potential likelihood of harm to individuals:

    1. Step 1: Key factors. Each of the four factors identified by OMB (the nature of the data elements breached; the likelihood the PII is accessible and usable; the likelihood the PII may lead to harm as defined by the Privacy Act; and the ability of the agency to mitigate the risk of harm) is assessed in relation to the specific incident to determine the potential likelihood of harm to individuals. See (3) below for additional information on the risk assessment factors. Note: OMB suggests a fifth factor, the number of individuals affected. However, this factor is not used to determine if notification should be provided, but may dictate the communication vehicles used for notification. Identifying the data elements and assessing the impact of the loss are key factors that must be considered in determining if, when, and how notification will be provided to potentially impacted individuals.

    2. Step 2: Factor ratings. Each of the four factors is then rated based on its impact level (high, moderate, low, or no impact) with corresponding points from 3 to 0 assigned to each impact level;

    3. Step 3: Incident categorization. Based on the total factor rating points, the incident is categorized into one of four levels. Incidents with a total factor rating of 8 to 12 points are considered Level Three. Potentially impacted individuals involved in a data loss incident categorized as Level Three will be sent a data loss letter.

  3. The IRS risk assessment includes the following factors and key considerations, at a minimum:

    1. The nature of the data elements breached, i.e., the type of information disclosed, e.g., whether the data loss incident involved PII, i.e., SSNs, addresses, and names;

    2. The likelihood the information was made accessible to and usable by unauthorized individuals, e.g., was data encrypted using an encryption product approved for government use by the National Institute of Standards and Technology (NIST), and does it meet Federal Information Processing Standard (FIPS) 140-2 specifications;

    3. The likelihood the information may lead to harm as defined by the Privacy Act, i.e., the damage potential of the information disclosed, e.g., whether the information can be used to cause harm, such as identity theft or public embarrassment; and

    4. The ability of the IRS to mitigate the potential harm, e.g., does the agency have the capabilities to take countermeasures.
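A constructed illustration of the scoring in Steps 1 through 3 above and of the High-Impact escalation test in 10.5.4.4.1 (3). This is example code added here, not IRS code: the class and function names, the Incident structure, the sample incidents, and the convention that each factor is rated by its impact on the likelihood of harm (so limited ability to mitigate rates higher) are assumptions of this example; the page defines only Level Three, so the other three levels are not modelled.

```python
"""Example scoring helper for the IRM 10.5.4.4.2 risk assessment.

Not IRS code: names, data structure and sample incidents are assumptions
made for this illustration. Only Level Three (8 to 12 points) is defined
on the page, so the helper reports only whether that level is reached.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """Step 2 factor rating: impact level with its point value (3 to 0)."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The four OMB factors assessed in Step 1 (labels chosen for this example).
OMB_FACTORS = (
    "data_elements",       # nature of the data elements breached
    "accessibility",       # likelihood the PII is accessible and usable
    "harm_potential",      # likelihood the PII may lead to harm (Privacy Act)
    "mitigation_ability",  # ability of the agency to mitigate the risk of harm
)

LEVEL_THREE_RANGE = range(8, 13)  # 8 to 12 total points -> Level Three -> letter
HIGH_IMPACT_THRESHOLD = 100       # 100 or more individuals -> High-Impact Incident


@dataclass
class Incident:
    description: str
    individuals_affected: int
    ratings: dict = field(default_factory=dict)  # factor name -> Impact
    exceptional_circumstances: bool = False      # e.g. break-in, media attention
    negative_irs_impact: bool = False            # e.g. e-file records, IRS.gov


def factor_points(ratings):
    """Steps 2 and 3: sum the four factor ratings; every OMB factor must be rated."""
    missing = [f for f in OMB_FACTORS if f not in ratings]
    unknown = [f for f in ratings if f not in OMB_FACTORS]
    if missing or unknown:
        raise ValueError(f"unrated factors {missing}, unknown factors {unknown}")
    return sum(int(Impact(ratings[f])) for f in OMB_FACTORS)


def is_level_three(total_points):
    return total_points in LEVEL_THREE_RANGE


def is_high_impact(incident):
    """10.5.4.4.1 (3): any one of the three criteria makes the incident High-Impact."""
    return (incident.individuals_affected >= HIGH_IMPACT_THRESHOLD
            or incident.exceptional_circumstances
            or incident.negative_irs_impact)


def assess(incident):
    """Score one incident and return the handling the page ties to the result.

    The number of individuals drives escalation (and may drive the notification
    vehicle) but, per the Step 1 note, not whether a letter is sent.
    """
    total = factor_points(incident.ratings)
    level_three = is_level_three(total)
    return {
        "total_points": total,
        "level_three": level_three,
        "send_data_loss_letter": level_three,
        "escalate_to_ppc_leadership": is_high_impact(incident),
    }


# Constructed sample incidents (not real cases).
LOST_CASE_FILES = Incident(
    description="Case files with names, addresses and SSNs lost in shipment",
    individuals_affected=35,
    ratings={
        "data_elements": Impact.HIGH,         # SSNs, names, addresses
        "accessibility": Impact.HIGH,         # hardcopy, readable by anyone
        "harm_potential": Impact.HIGH,        # identity theft
        "mitigation_ability": Impact.MODERATE,
    },
)

ENCRYPTED_LAPTOP = Incident(
    description="Lost laptop, disk encrypted with a FIPS 140-2 validated product",
    individuals_affected=2500,
    ratings={
        "data_elements": Impact.HIGH,
        "accessibility": Impact.NONE,         # encrypted, not usable
        "harm_potential": Impact.LOW,
        "mitigation_ability": Impact.LOW,
    },
)

if __name__ == "__main__":
    for sample in (LOST_CASE_FILES, ENCRYPTED_LAPTOP):
        print(sample.description, assess(sample))
```

The lost case files score 11 and get a letter without escalation; the encrypted laptop scores 5 and is not Level Three, yet its 2,500 affected individuals make it a High-Impact Incident that is escalated first.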

10.5.4.4.3  (12-02-2014)
The PII Working Group (PIIWG) and the Privacy Policy and Compliance Advisory Committee (PPCAC)

  1. The PII Working Group (PIIWG) is a decision making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. It is responsible for reviewing risk assessment recommendations and timely approving all notification recommendations with the exception of notification recommendations for certain high risk level/high profile breaches (or incidents otherwise representing a service wide impact) which are instead elevated for review, decision making, and concurrence to the Privacy Policy and Compliance Advisory Committee (PPCAC).

  2. The PPCAC is a committee comprised of executives from all key business and functional unit stakeholders. It was originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives. The PPCAC is responsible for review of, has decision making authority for, and is responsible for timely concurrence on, certain high risk level/high profile breaches (or incidents otherwise representing a service wide impact) as determined by the Director, PPC.

  3. After Incident Management has completed its risk analysis of an incident and developed a recommendation with regard to the appropriate response, the recommendation is presented to the PIIWG for review and concurrence.

  4. For certain high risk level/high profile breaches (or incidents otherwise representing a service wide impact), the recommendation is instead presented to the PPCAC for review and concurrence.

  5. If the notification recommendation is to notify potentially impacted individuals, and if the PIIWG or PPCAC concurs with the recommendation to notify, then potentially impacted individuals are notified of the data loss via Letter 4281C, IM Breach Notification Letter.

10.5.4.4.4  (06-25-2013)
Incident Management Data Loss Notification

  1. The IRS will notify potentially impacted individuals if the evaluation of an IRS data loss incident results in a high risk of harm to these individuals.

  2. The IRS will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS will identify individuals who have been sent Letter 4281C, IM Breach Notification Letter, by marking each account with the IRS data loss indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying Tracking Indicators to IRS Data Loss Incidents, for additional information.

10.5.4.4.4.1  (12-02-2014)
Contents of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents using Letter 4281C, IM Breach Notification Letter. The IRS may use a unique letter when deemed necessary and appropriate. Notifications will be written plainly and clearly, and will generally include, at a minimum, the following information:

    1. A brief description of what happened, including the date of the data loss incident;

    2. To the extent possible, a description of the type of PII disclosed as a result of the data loss incident (e.g., name, SSN, date of birth, address);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity theft protection product at no cost for twelve months, and the contact information for the credit reporting agency.

      Note:

      The potentially impacted individual must contact the credit reporting agency in order to sign up for the free identity theft protection product.

10.5.4.4.4.2  (12-02-2014)
Data Loss Notification Signature

  1. The Director, Privacy Policy and Compliance (PPC) shall sign notification letters to individuals potentially impacted by a data loss incident.

10.5.4.4.4.3  (12-02-2014)
Timeliness of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents without unreasonable delay following the completion of the risk assessment process.

  2. Beginning with FY 2012, the business measure/lapse time goal is an average of 19 days from the PGLD(IM)/CSIRC Report Date to the Data Loss Notification Letter Date.

  3. Also beginning in FY 2012, a new Organizational goal was introduced to measure the average elapsed time between the Incident Date and the Data Loss Notification Letter Date. This new lapse time goal was established at 60 days for FY 2012; reduced to 54 days for FY 2013; further reduced to 50 days for FY 2014; and is now 40 days for FY 2015.

  4. The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

10.5.4.4.4.4  (12-02-2014)
Means of Providing Data Loss Notifications

  1. The IRS will provide written notification to the individual's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the PPCAC, and consistent with applicable law, the IRS may notify external entities. In making its decision, the PPCAC will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the incident (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the data loss incident (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

10.5.4.4.5  (12-02-2014)
Ongoing Support

  1. Based on the circumstances of the data loss incident, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free number staffed by trained IRS personnel to respond to general data loss incident-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on IRS data loss incidents that affect an individual's tax account, such as phishing schemes

10.5.4.4.5.1  (12-02-2014)
Handling Inquiries Regarding Data Loss Letters

  1. The contact telephone number provided in Letter 4281C, IM Breach Notification Letter, is 1-866-225-2009. The Identity Protection Specialized Unit (IPSU) supports this dedicated number and is trained to respond to IRS data loss questions and questions regarding Letter 4281C.

  2. The IPSU answers general incident related inquiries regarding the IRS data loss and prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident that the IPSU is unable to answer. The Form 4442 is directed to PGLD's Incident Management office in Philadelphia for resolution.

  3. In some instances, individuals who receive Letter 4281C may call an IRS telephone number other than the number provided in the letter (1-866-225-2009). If an IRS phone assistor other than an assistor in the IPSU receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), transfer the call to extension 92161 (for callers needing assistance in Spanish, use extension 92162).

  4. Correspondence (and any attachments) received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the IPSU in Andover. See the address table below and IRM 10.2.13.4.4.1, Shipping Personally Identifiable Information (PII). If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) in Andover at (855) 807-5720. The IPSU will review the correspondence and determine if a Referral to the Incident Management office in Philadelphia is necessary.

    United States Postal Service (USPS) Mailing Address:
    Internal Revenue Service
    Attn: IPSU
    P. O. Box 9039
    Andover, MA 01810-0939

    Private Delivery Service (PDS) Mailing Address:
    Internal Revenue Service
    Attn: IPSU
    Stop 360
    310 Lowell St.
    Andover, MA 01810-4500

  5. See the table in Exhibit 10.5.4-2 for a list of frequently asked questions regarding the IRS data loss letter (Letter 4281C) and general questions regarding IRS Information Loss.

10.5.4.4.6  (12-10-2010)
Retention and Disposition

  1. Incident Management will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data loss incident.

10.5.4.5  (12-02-2014)
IRS Data Loss Tracking Indicator - Objectives

  1. The Incident Management Program tracks IRS data loss related incidents to support the following objectives:

    1. Reduce taxpayer burden while addressing IRS data loss incidents.

    2. Increase operational efficiency of the IRS by detecting and processing reported IRS data loss incidents as early and consistently as possible.

10.5.4.5.1  (12-02-2014)
IRS Data Loss Tracking Indicator - Development and Implementation

  1. PGLD developed an IRS data loss indicator Action Code to centrally track IRS data loss incidents.

  2. The IRS data loss indicator was implemented by PGLD to identify individuals whose PII was lost, breached, stolen, or disclosed because of an IRS data loss incident.

  3. The IRS data loss indicator is input as a Transaction Code (TC) 971 with Action Code (AC) 505. The TC 971 AC 505 is displayed on the Integrated Data Retrieval System (IDRS) on the entity portion of each affected individual's account.

10.5.4.5.1.1  (12-02-2014)
Applying the IRS Data Loss Tracking Indicator to IRS Data Loss Incidents

  1. PGLD/IM inputs a TC 971 AC 505 on the entity portion of an individual's account (as long as the entity is established on the Master File) when all of the following occur:

    1. An individual's PII was lost, breached, disclosed, or stolen.

    2. The incident risk assessment results in a high risk of harm to the potentially impacted individuals.

    3. The IRS notifies the individual of the data loss incident via Letter 4281C, IM Breach Notification Letter.

    Example:

    Case files containing PII were lost while being shipped from one location to another. Since the incident risk assessment resulted in a high risk of harm, Incident Management will send notification letters to the potentially impacted individuals.

  2. Input of TC 971 AC 505 is limited and reserved for use by PGLD/IM employees; however, this indicator is visible and available for reference on the entity portion of an individual's account. See Exhibit 10.5.4-4 for more information about this indicator.

  3. PGLD/IM inputs TC 971 AC 505 on an account regardless of the existence of any identity theft indicator codes that may be present on the account.

  4. There can be multiple IRS data loss indicators input/present on an individual's account. Each TC 971 AC 505 represents a different IRS data loss incident.

  5. In some instances, it may be necessary for PGLD/IM personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD/IM employees, Exhibit 10.5.4-5 is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

10.5.4.6  (12-10-2010)
Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by the Office of Privacy. These briefings provide information regarding privacy, disclosure, computer security, and UNAX to all employees.

10.5.4.7  (06-25-2013)
IRS Data Loss and Identity Theft Information Links

  1. Links to publicly available external websites and internal IRS intranet websites containing identity theft and identity theft-related information and publications are provided below as well as internal links for IRS data loss incident reporting and the PGLD website.

    1. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues:

      # | Title | Description | Link | Owner
      1 | Internal Revenue Service (IRS) Website | IRS Identity Protection home page | http://www.irs.gov/uac/Identity-Protection | IRS
      2 | Federal Trade Commission (FTC) Identity Theft Website | FTC Identity Theft home page | http://www.consumer.ftc.gov/features/feature-0014-identity-theft | FTC
      3 | Federal Trade Commission (FTC) Identity Theft Victim's Complaint and Affidavit | Direct link to FTC Identity Theft Affidavit; includes instructions and guidance for completing FTC Affidavit. Note: This form is no longer accepted by the IRS to substantiate identity theft. However, it can still be used by individuals to substantiate identity theft with credit bureaus and/or any companies where accounts have been opened using the victim's identity. | http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf | FTC
      4 | Internal Revenue Service (IRS) Identity Theft Affidavit (Form 14039) | Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that they are a victim of identity theft, or who may become a victim of identity theft as a result of a lost or stolen wallet or purse, or who notice suspicious activity on their credit card or bank statements. | http://www.irs.gov/pub/irs-pdf/f14039.pdf | IRS
      5 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | http://www.justice.gov/criminal/fraud/websites/idtheft.html | DOJ
      6 | Taxpayer Advocate Service (TAS) Website | Taxpayer Advocate Service home page | http://www.irs.gov/uac/Taxpayer-Advocate-Service-6 | TAS
      7 | Social Security Administration (SSA) Website | Social Security Administration (SSA) home page | http://www.ssa.gov | SSA
      8 | Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number on SSA Website | Social Security Administration (SSA) Publication | http://www.ssa.gov/pubs/EN-05-10064.pdf | SSA
      9 | Identity Theft Task Force Website | President's Task Force on Identity Theft home page | http://www.idtheft.gov | Identity Theft Task Force
      10 | IRS Phishing Website | Instructions on how to report and identify phishing, email scams, and bogus IRS websites | http://www.irs.gov/uac/Report-Phishing | IRS
      11 | Credit Bureaus | Direct links to the three recognized credit bureaus: Equifax, Experian, and TransUnion | http://www.equifax.com http://www.experian.com http://www.transunion.com/ | Equifax, Experian, and TransUnion
      12 | IRS Pub 4523 | Beware of Phishing Schemes | http://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS
      13 | IRS Pub 4524 | Security Awareness and Identity Theft | http://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS
      14 | IRS Pub 4535 | Identity Theft Prevention and Victim Assistance | http://www.irs.gov/pub/irs-pdf/p4535.pdf | IRS
      15 | Identity Theft Resource Center® (ITRC) Website | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC
      16 | OnGuard Online Website | Identity theft prevention tips from the federal government and technology industry | http://www.onguardonline.gov/ | FTC

    2. Internal IRS intranet links that provide general information on identity theft, identity theft-related issues, and data loss incidents:

      # | Title | Description | Link | Owner
      1 | Privacy, Governmental Liaison and Disclosure (PGLD) Website | Office of Privacy, Governmental Liaison and Disclosure home page | http://irweb.irs.gov/AboutIRS/bu/pipds/default.aspx | PGLD
      2 | Privacy, Governmental Liaison and Disclosure (PGLD) e-Trak Privacy on-line application | Privacy, Governmental Liaison and Disclosure (PGLD) PII Incident Reporting Form | https://mem0200vpwbap1.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2 | SAMC
      3 | Computer Security Incident Response Center (CSIRC) Website | Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form | https://www.csirc.web.irs.gov/incident/ | IT (Information Technology)
      4 | IRM 1.2.25.2 | IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | http://irm.web.irs.gov/link.asp?link=1.2.25.2 | IRS

Exhibit 10.5.4-1 
Glossary of Incident Management Terms and Definitions

TERM DEFINITION
Access The ability or opportunity to gain knowledge of personally identifiable information.
Breach The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where individuals other than authorized users and for other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Data Loss/Breach Incident An incident involving a loss, theft, breach, or inadvertent unauthorized disclosure.
Data Loss (Breach) Notification The process of notifying potentially impacted individuals following the evaluation of a PII data loss incident which results in a high risk of harm to these individuals. Also known as PII data loss incident notification.
Data Loss Incident Risk Assessment A risk assessment conducted on an IRS data loss, theft, breach, or inadvertent unauthorized disclosure incident. The risk assessment includes factors that must be considered, specifically the context of the incident and the data that was disclosed. Example - An IRS employee in the field loses a taxpayer case file. The case file contained PII data such as name, address, SSN, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification should be given to the potentially impacted individual.
Data Owner The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data loss/breach incident. For example, if a POA tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.
Federal Information Processing Standards (FIPS) A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
Federal Information Processing Standards (FIPS) Publications Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Trade Commission (FTC) An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.
Harm Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
   a) Potential for blackmail;
   b) Disclosure of private facts;
   c) Mental pain and emotional distress;
   d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
   e) Identity theft; or
   f) Financial loss.
Identity Protection Specialized Unit (IPSU) The IPSU assists individuals impacted by IRS data loss by answering general incident related inquiries or prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident that the IPSU is unable to answer. The IPSU also provides assistance to individuals impacted by identity theft or Individuals who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by the IPSU even if the individual has not experienced any problems with, or received communications from, the IRS.
Identity Theft A fraud that is committed or attempted using an individual's identifying information without authority.
Incident Management The process of managing incidents involving the loss, theft, breach or disclosure of data. This term can also be used to refer to the Office within Privacy, Governmental Liaison and Disclosure responsible for the process of managing incidents involving the loss, theft, breach or disclosure of data by the IRS.
Information Technology Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
Loss Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, blackberry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data.
National Institute of Standards and Technology (NIST) A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.
The Office of Management and Budget (OMB) OMB assists the President in overseeing the preparation of the Federal budget and evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.
Personally Identifiable Information (PII) Personally Identifiable Information is any information that, by itself or in combination with other information, may be used to uniquely identify an individual. See OMB 07-16 and the PGLD web page "PII - What is personally identifiable information?" for additional information.
PII Incident An actual or suspected loss of control, disclosure, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII incidents include situations in which individuals other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format.
PII Incident Notification See Data Loss (Breach) Notification.
PII Working Group (PIIWG) A decision making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. It is responsible for reviewing risk assessment recommendations and timely approving all notification recommendations with the exception of notification recommendations for certain high risk level/high profile breaches (or incidents otherwise representing a service wide impact) which are instead elevated for review, decision making, and concurrence to the Privacy Policy and Compliance Advisory Committee (PPCAC).
Privacy Policy and Compliance Advisory Committee (PPCAC) A committee comprised of executives from all key business and functional unit stakeholders; originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives. The PPCAC is responsible for review of, has decision making authority for, and is responsible for timely concurrence on, certain high risk level/high profile breaches (or incidents otherwise representing a service wide impact) as determined by the Director, PPC.
Reporting Employee The reporting employee is the employee who identifies/recognizes a data loss/breach incident and reports the incident as required. The reporting employee is responsible for reporting all pertinent information relative to the data loss/breach incident.
Risk The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.
Safeguard Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) A Data Leakage Prevention (DLP) technology within the IRS CyberSecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures. Once fully deployed, SPIIDE will detect and prevent data leakage and will provide the IRS with the capability to monitor, log, manage, and protect against security events related to Sensitive Agency Information (SAI), Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII).
Sensitive But Unclassified (SBU) Information Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Theft An asset, electronic or hardcopy, thought or known to have been taken without permission from the individual who is responsible for the asset.
Unauthorized Access The willful unauthorized access and/or inspection of tax returns and return information.
Unauthorized Disclosure An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.
Unreasonable Delay A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means if a breach is discovered and all the information necessary to determine the scope of the breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

Exhibit 10.5.4-2 
IRS Information Loss Frequently Asked Questions (FAQs)

This table lists frequently asked questions regarding the IRS data loss letter (Letter 4281C) and general questions regarding IRS Information Loss. The table categorizes the questions and answers into the following categories: Caller Authentication Process; Details of Information Loss; Referral; Identity Theft Protection/Credit Monitoring Product; Prevention of Future Information Losses/Protection Against Identity Theft; Impact of Information Loss on Tax Information; Validity of Information Loss Letter/IRS Contact Information; Dependent/Minor Information Loss; and a Standard Closing. This list of FAQs is for use by the Identity Protection Specialized Unit (IPSU) CSR employees only. IPSU employees are the only employees authorized and trained to respond to IRS Information Loss notification inquiries.

INFORMATION LOSS QUESTIONS AND ANSWERS

CALLER AUTHENTICATION PROCESS

Q1. Why are you asking for my SSN?
A1. We are asking for your SSN in order to access your IRS information so that we can verify your identity and update your IRS record with any actions or activity resulting from this call.

Q2. Do I have to provide my SSN?
A2. No, you do not have to provide your SSN in order for me to assist you. We ask for your SSN in order to access your IRS information so that we can verify your identity and update your IRS record with any actions or activity resulting from this call. If there are questions today that I am unable to assist you with and which require referral to another office for response, I will require your SSN at that time in order to ensure that we respond to the right person with the right information.

Q3. I have a Power of Attorney (POA) for a client who recently received a letter from the IRS regarding an information loss. Can you help me?
A3. I can provide information regarding the information loss; however, I will first have to verify that you have the requisite authority to receive the information.
Note to CSR: If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a power of attorney (POA) in connection with the IRS information loss. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the information loss. Also, a POA cannot request credit monitoring or identity theft protection from Equifax for his/her client.
DETAILS OF INFORMATION LOSS

Q4. I don’t understand the letter I received regarding an IRS information loss. Can you tell me what it means?
A4. IRS documents or records containing personal information which could be used to identify you, such as your name, address and social security number, were lost on or about the date mentioned in your letter. The letter you received is to inform you about the information loss and to offer you a free identity theft protection product for one year.

Q5. Can you tell me what personal information of mine was lost?
A5. The personal information that was lost may have included, for example, your name, your address, your social security number, and/or your tax account information (tax years and balance due).

Q6. What’s the impact of this information loss on me?
A6. Although we have no reason to believe that your personal information has been misused, it is possible that your information could be misused by someone to commit fraud or identity theft. Identity theft occurs when someone uses your personal information such as your name or social security number, without your permission, to commit fraud or other crimes. For your protection, we are offering you a free identity theft protection product for one year with Equifax, one of the three national credit reporting agencies that offer credit-management tools.

Q7. How can I tell if my information has been used to commit fraud or if I have been a victim of identity theft?
A7. Unusual or suspicious activity on your bank statements, credit card statements, or any statements relating to recent financial transactions, may be an indication that your personal information has been used to commit fraud or that you've been a victim of identity theft. If you notice any unusual or suspicious activity, you should report it immediately to the financial institution involved.

Q8. When was my information lost?
A8. Your information was lost on the date stated in the letter you received from us.

Q9. What is the earliest date that suspicious activity might have occurred due to the loss of my information?
A9. Beginning with the date of your information loss (which was stated in your letter), you should monitor your credit report, bank statements, credit card statements and any statements relating to recent financial transactions.

Q10. Why did it take so much time after the loss of information to notify me?
A10. We needed time to assess the situation to determine the specific information lost as well as the likelihood for recovery of the information. We then notified you as quickly as possible after the assessment was completed.

Q11. Why did the IRS decide to notify me about the incident?
A11. Government policy requires all agencies and bureaus to notify people when information is lost and there is a potential risk that the information could be misused. We want to ensure that you are fully informed of any potential risk so you can better protect yourself and take the necessary steps to monitor your financial transactions.

Q12. What is the likelihood that my information will be recovered?
A12. Unfortunately, we don’t know whether your information will be recovered or not. You received the notification letter because we have an obligation to inform you so that you can take the proper precautions.

Q13. What do you mean my information was lost? What does lost mean?
A13. We lost possession and control of documents that contain your personal information.
REFERRAL

Q14. Do I need to send any information to the IRS?
A14. At this time you do not need to send any information to us. However, if we determine that we do need you to send any information, you will be contacted via letter by the appropriate IRS business office. Please note that the IRS does not initiate contact with taxpayers via email.

Q15. When did the IRS determine that my personal information had been lost?
A15. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require research by authorized personnel. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.

Q16. How did this information loss happen?
A16. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require research by authorized personnel. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.

Q17. How many people were affected by this information loss?
A17. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require research by authorized personnel. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.

Q18. Can you tell me what additional information of mine was lost?
A18. Unfortunately, I don't have access to any additional information. We can provide that information to you, but it will require research by authorized personnel. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.
IDENTITY THEFT PROTECTION/CREDIT MONITORING PRODUCT

Q19. How do I sign up for (or enroll in) the free Equifax identity theft protection/credit monitoring product?
A19. To sign up for (or enroll in) the free Equifax identity theft protection/credit monitoring product for one year, you must follow the instructions that were included in the letter that you received from us. If you have a specific question regarding those instructions I will be glad to assist you today.
Specific Equifax identity theft protection/credit monitoring product enrollment instructions: You can enroll by internet or by telephone. In addition to your enrollment promotion code, Equifax will ask for your customer information (name, address, social security number, date of birth, and telephone number). You'll also have to give Equifax permission to access and monitor your credit files. To enroll by phone, call 1-866-937-8432 to access the Equifax automated telephone enrollment process; to enroll online, go to http://www.myservices.equifax.com/tri. If you decide to enroll online, Equifax will send you information and reports through your online account. If you decide to enroll by phone, Equifax will send all credit reports and alerts to you by mail.

Q20. What will happen when I enroll in Equifax's identity theft protection product?
A20. Upon your enrollment, you will receive daily credit file monitoring and automated alerts of key changes to your Equifax, Experian, and Trans Union credit reports; access to your credit report; toll-free customer assistance available 24 hours a day, 7 days a week; up to $1 million in identity theft insurance with $0 deductible, at no additional cost to you (limitations and exclusions apply); and other services that will ensure you can effectively monitor your personal accounts. In addition, you can place a Fraud Alert on your credit files at all three agencies. If you choose this option, then all creditors should contact you before creating any new account in your name.

Q21. Do I have to pay for the identity theft protection product?
A21. No, you do not have to pay for the identity theft protection product from Equifax. It is available to you free of charge. However, it is only available to the individual to whom the letter was addressed, and not to any other family members.

Q22. What is a Fraud Alert?
A22. A fraud alert is a consumer statement added to your credit report. This statement alerts creditors of possible fraudulent activity within your report and requests that they contact you prior to creating any accounts in your name.

Q23. How do I place a fraud alert with Equifax?
A23. To place a fraud alert on your Equifax credit file, visit www.fraudalerts.equifax.com or contact the Equifax auto fraud line at 1-877-478-7625, and follow the simple prompts. Once the fraud alert has been placed with Equifax, a notification will be sent to the other two credit reporting agencies, Experian and Trans Union, on your behalf.

Q24. Why do I have to provide my social security number and date of birth to Equifax and not to the IRS?
A24. The IRS is not a party to any agreement made between you and Equifax. Please be assured that the IRS has not provided and will not provide any personal information to Equifax regarding this information loss. Please ensure you review all privacy and security statements to ensure you understand how Equifax will collect, maintain and handle your personal data.

Q25. Can the IRS automatically enroll me with Equifax?
A25. The IRS can't automatically enroll you with Equifax because personal information must be provided in order to enroll you in the identity theft protection product. The IRS doesn't provide any personal information to Equifax regarding any information loss. To understand how Equifax will collect, maintain and handle your personal data, be sure to review all privacy and security statements.

Q26. I called the Equifax toll free number but I am having trouble with the Equifax system and getting my free identity theft protection product. Can you help me?
A26. Once you have input your promotion/enrollment code, if you are having difficulty with the system, you will be given the option of speaking to a live person who can assist you in signing up for the free identity theft protection product. If you want to call an Equifax agent directly, you may call Equifax toll free at 1-866-252-4576. The IRS is not a party to any agreement made between you and Equifax, and unfortunately, we cannot assist you with the problem you encountered with the Equifax system.

Q27. I tried to use the promotion/enrollment code included in the information loss letter to sign up for the Equifax identity theft protection product, but I was told the code had expired. Can you help me?
A27. Unfortunately, I am unable to assist you with your expired enrollment code. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days. We are sorry for any inconvenience this may cause you.

Q28. I received a letter from the IRS regarding an information loss incident but I lost (or misplaced) the letter. Can you send me another letter?
A28. Unfortunately, I am unable to assist you with replacing the letter. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days.

Q29. My husband received a letter from the IRS regarding an information loss incident but I didn't. Why didn't I receive a letter?
A29. Unfortunately, I am unable to answer that question. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days.
PREVENTION OF FUTURE INFORMATION LOSSES/PROTECTION AGAINST IDENTITY THEFT

Q30. Can you tell me what Identity Theft is?
A30. Yes. Identity theft occurs when someone uses your personal information such as your name or social security number, without your permission, to commit fraud or other crimes.

Q31. I haven’t noticed any suspicious activity in my financial statements, but what can I do to protect myself from being victimized by credit card fraud or identity theft?
A31. We strongly recommend that you closely monitor your financial statements and that you take advantage of the free identity theft protection product from Equifax we are making available to you. You can minimize your risk by taking these precautions.

Q32. Should I contact my financial institutions (and/or other creditors), or will the IRS do this for me?
A32. The IRS is not authorized to act on your behalf on any issue dealing with your personal finances. However, you should monitor your financial accounts and sign up for the free Equifax identity theft protection product. If you see any unusual activity you should contact your financial institutions (and/or other creditors) since the IRS will not contact financial institutions or other creditors on your behalf. The IRS may provide additional services should you experience identity theft as a result of the information loss by the IRS.

Q33. I believe that I have been a victim of ID Theft as a result of this information loss. How are you going to assist me in dealing with this?
A33. I apologize for any inconvenience. In order to start the process to assist you I will need you to provide photocopies (not originals) of the following materials:
  1. Authentication of Identity. A legible copy of a valid U.S. federal or state government-issued form of identification (example, driver’s license, state identification card, social security card, passport, etc.).
  2. Evidence of Identity Theft. A copy of a police report indicating identity theft as the issue or Form 14039, Identity Theft Affidavit.
Please fax this information to 978-247-9965 or you may photocopy this information and mail it to: Internal Revenue Service, P.O. Box 9039, Andover, MA 01810-0939. I am also going to fill out a referral form and send it to the office that will investigate your claim of ID Theft as a result of the IRS information loss.

Q34. Where should I report suspicious or unusual activity?
A34. If you notice any suspicious or unusual activity in any of your financial accounts, you should report it immediately by:
  1. Contacting the financial institution where you noticed the suspicious or unusual activity on your account.
  2. Contacting the fraud department of Equifax, one of the three major credit bureaus, by calling 1-800-525-6285; or online at www.equifax.com; or by writing to: Equifax, P.O. Box 740241, Atlanta, GA 30374-0241.
  3. Filing a complaint with the Federal Trade Commission by calling the FTC’s Identity Theft Hotline, 1-877-438-4338; or online at www.ftc.gov/idtheft; or by writing to: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.
If you believe that the suspicious or unusual activity is a result of this information loss, contact the Treasury Inspector General for Tax Administration (TIGTA), Office of Investigations, by calling the TIGTA hotline, 1-800-366-4484; or online at www.tigta.gov and click on “Report Fraud, Waste, and Abuse”; or by writing to: Treasury Inspector General for Tax Administration Hotline, PO Box 589, Ben Franklin Station, Washington, DC, 20044-0589.

Q35. What is the IRS doing to make sure that this does not happen again?
A35. We have strict policies in place to protect your privacy and to ensure the information entrusted to us is secure. Specifically:
  1. We use a computer security incident response center that continuously monitors the security of IRS computer systems and networks and serves as the first point of contact for any information loss incident.
  2. We issue updated data protection policies and processes to our employees and provide security and privacy education and training tools to improve employee awareness and skill levels.
  3. We implemented a system to protect all information stored or transmitted on IRS equipment.
  4. We provide cable locks for IRS employees who are assigned laptops and may travel outside of their office locations on IRS business.
IMPACT OF INFORMATION LOSS ON TAX INFORMATION

Q36. What is the impact on my personal or business related tax return information?
A36. Because there is no evidence to suggest that your information has been misused at this time, we do not anticipate any tax-related impact as a result of this information loss. However, if you receive an IRS notice or letter that leads you to believe that someone may have used your personal information fraudulently for tax purposes, please notify the IRS immediately by responding to the name and number printed on the notice or letter or by calling the IRS at 1-800-829-1040.

Q37. You said that the information lost included my SSN. I also have an EIN. How do I know if my EIN has been misused?
A37. As with your personal financial information, you should also monitor your business accounts for any unusual or suspicious activity on your bank statements, credit card statements, or any statements relating to recent financial transactions. This may be an indication that your information has been used to commit fraud or that you have been a victim of identity theft. If you notice any unusual or suspicious activity, you should report it immediately to the financial institution involved.

Q38. What if the loss of my personal information results in a problem with my Federal income tax information?
A38. If you receive a notice or letter from the IRS that leads you to believe someone may have used your personal information fraudulently, please notify the IRS immediately by responding to the name and number printed on the notice or letter. Our tax examiners will work with you and other agencies, such as the Social Security Administration, to help resolve the problem. You should also know that the IRS does not initiate contact with taxpayers or request personal taxpayer information through email. If you do receive this type of request, it may be an attempt by identity thieves to get your private tax information. Additionally, you may contact the Taxpayer Advocate Service (TAS) by calling 1-877-777-4778 or TTY/TDD 1-800-829-4059. TAS is an independent organization within the IRS whose employees assist taxpayers who are experiencing economic harm, who are seeking help in resolving tax problems that have not been resolved through normal channels, or who believe that an IRS system or procedure is not working as it should. If you believe you are eligible for TAS assistance, call TAS at 1-877-777-4778 or TTY/TDD 1-800-829-4059. For more information about TAS, go to http://www.irs.gov/advocate or see IRS Publication 1546, Taxpayer Advocate Service – Your Voice at the IRS.
VALIDITY OF INFORMATION LOSS LETTER/IRS CONTACT INFORMATION

Q39. How can I verify that this letter actually came from the IRS?
A39. You can go to our official public website at www.irs.gov. Click on "Contact IRS" at the very top of the front page, and then select "Call Us With Your Tax Questions." When you call any of the numbers listed on this page you will be forwarded to the number contained in your letter as that number was established specifically to respond to your questions regarding your information loss.

Q40. I received an e-mail from the IRS asking me to provide personal information (credit card info) so my refund could be deposited into my personal bank account. Is this a legitimate request from the IRS? How do I respond to it?
A40. The IRS did not send the e-mail as the IRS does not initiate contact with taxpayers via email. Phishing (as in “fishing for information” and “hooking” victims) is a scam where Internet fraudsters send email messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. Current scams include phony emails which claim to come from the IRS and which lure the victims into the scam by telling them that they are due a tax refund.

Q41. How do I know the phone number I’m calling right now is not part of a fraud that is taking place with my tax information being misused?
A41. I can understand your fears about what is taking place. My name is ____________ and my badge # is ________. You can go to our official public website at www.irs.gov. Click on "Contact IRS" at the very top of the front page, and then select "Call Us With Your Tax Questions." When you call any of the numbers listed on this page you will be forwarded to the number contained in your letter as that number was established specifically to respond to your questions regarding your information loss.

Q42. All IRS correspondence I get has my SSN on it. Why doesn’t my SSN appear on this letter?
A42. We intentionally deleted your SSN from the letter we sent you to minimize any future impact on your information. We are also looking at additional ways that we can reduce the risk of exposure of personal information in all of our correspondence and systems.

Q43. What is your involvement with this information loss issue and where are you located?
A43. I am part of the Identity Protection Specialized Unit located in XXXXX. I am trained to assist you with any questions or concerns you may have about this issue and to refer you to the appropriate office if I am unable to answer any of your questions.

Q44. Who can I call for further assistance or information?
A44. If you have additional questions or require further assistance you may contact us again at 1-866-225-2009.

Q45. Is there an organization outside the IRS that can provide tax assistance for free or a nominal fee?
A45. You may be eligible for assistance from a Low Income Taxpayer Clinic (LITC). LITCs provide low income taxpayers with representation in federal tax controversies with the IRS for free or for a nominal charge. Additional information can be found in Publication 4134, Low Income Taxpayer Clinic List, which is available at www.irs.gov or your local IRS office.
DEPENDENT/MINOR INFORMATION LOSS

Q46. Did this information loss include my dependent’s personally identifiable information?
A46. If the information loss included your dependent’s personally identifiable information, and your dependent is under the age of 18, the letter you received regarding the information loss stated that your dependent’s information was also lost. If the information loss included your dependent’s personally identifiable information, and your dependent is over the age of 18, you will receive one letter regarding the information loss, and your dependent will also receive a letter. If the information loss included your dependent’s personally identifiable information, and your dependent is under the age of 18, but your dependent already has a history of filing Federal Income Tax Returns, your dependent, although under 18, will receive his/her own letter.

Q47. Why didn’t my dependent child receive his/her own promotion code for the free identity theft protection product?
A47. The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, we cannot extend the free identity theft protection product offer to your dependent child (children).

Q48. How can I protect my dependent (child)?
A48. Parents/Guardians who are interested in determining whether an Equifax credit file exists for their child (less than 18 years of age), or who have a concern that their child’s identity may have been misused, can take one of the following actions:
  1. Try to place a fraud alert on the child's credit report by calling the Equifax Automated Fraud Alert telephone line at 1-877-478-7625. The system will ask for a social security number and address information. If the system responds by asking for additional identification verification documents such as a social security card, then this confirms that the child does not have a credit file at this time.
  2. Send a copy of the minor child’s birth certificate and a copy of a social security card or letter/form from the Social Security Administration along with a letter explaining that the child may be a victim of identity theft to Equifax. Additionally, the parent must provide a copy of his/her driver's license or other government-issued proof of his/her identity, which includes his/her current address. Parents/guardians can send this information to the following address: Equifax Information Services, P.O. Box 740256, Atlanta, Georgia 30374. Once Equifax receives this information, they will perform a search of their database for a credit file under the child's SSN. If Equifax does NOT find a match, they will inform the parent or guardian in writing that a credit file was not found. If a credit file is found, Equifax’s Fraud Investigation Department will become involved to help manage a successful resolution of the situation.
STANDARD CLOSING
I hope I have been of some assistance to you today. We regret any inconvenience this incident has caused you. We at the IRS are serious about protecting your personal information and we are committed to making sure that the information you have entrusted to us is protected, secure and private. We want to emphasize that you should take advantage of the free identity theft protection product offered to you in the letter you received and that you should continue to carefully monitor your financial statements and take the appropriate actions if you identify any suspicious activity on your accounts. Please contact us at 1-866-225-2009 if you have additional questions or require further assistance regarding this issue.

Exhibit 10.5.4-3 
References

The Incident Management Program was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against IRS data losses and misuse of sensitive personal data. The following are the principal documents involving the Incident Management Program:
OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget home page at http://www.whitehouse.gov/omb/memoranda.

  1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

  2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

  3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

  4. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006

  5. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

Other Federal Guidance. The President’s Identity Theft Task Force documents are available on the Identity Theft Task Force website at http://www.idtheft.gov/.

  1. Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007

  2. Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007

  3. The President’s Identity Theft Task Force Report, September 2008

IRS Internal Revenue Manuals

  1. IRM 10.5.1, Policy, Roles and Responsibilities, http://irm.web.irs.gov/link.asp?link=10.5.1

  2. IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements, http://irm.web.irs.gov/link.asp?link=10.5.5

Exhibit 10.5.4-4 
TC 971 AC 505 — IRS Data Loss Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT: TC 971 AC 505 input date.
SECONDARY-DT: Date the data loss incident occurred.
MISC: The Incident Tracking Number (number assigned to the data loss case). This number begins with two alphas ("IR", "CR", or "PR") and is followed by 11 numeric digits. For example: IR20100211034

Exhibit 10.5.4-5 
TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

TC 972 AC 505 Miscellaneous Field

Reason: Keying or Internal Error
Description: The 971 was due to a typographical mistake or another internal mistake.
Value: IRSERR

Reason: Internally Identified Negative Impact
Description: The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact.
Value: IRSADM

Reason: Other
Description: The reason for the 971 reversal does not meet any of the above reason descriptions.
Value: OTHER
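The two exhibits above (10.5.4-4 and 10.5.4-5) define the data elements of the data loss indicator and of its reversal. The following is an added example, not IRS or IDRS code, that checks a batch of such records for well-formed Incident Tracking Numbers, recognized reversal reason values, and reversals with no indicator to reverse. The record layout (a dict per transaction), the placeholder account keys, the pairing rule (a TC 972 AC 505 reverses the most recent unreversed TC 971 AC 505 on the same account) and the date rule (the incident date cannot be later than the input date) are assumptions made for the example.

```python
"""Added example (not IRS code): consistency checks for TC 971 AC 505 and
TC 972 AC 505 records as described in Exhibits 10.5.4-4 and 10.5.4-5.

Assumptions: IDRS ENMOD output is not reproduced; each record is a constructed
dict with the keys 'account', 'tc', 'ac', 'trans_dt', 'secondary_dt' and 'misc'.
The pairing rule (a 972 reverses the most recent unreversed 971 on the same
account) and the date rule (incident date not after input date) are assumptions
for the audit, not rules stated in the IRM.
"""
import re
from datetime import date

# Exhibit 10.5.4-4: two alphas (IR, CR or PR) followed by 11 numeric digits.
TRACKING_NUMBER_RE = re.compile(r"(IR|CR|PR)[0-9]{11}")

# Exhibit 10.5.4-5: the MISC field of a TC 972 AC 505 carries the reversal reason.
REVERSAL_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}


def is_valid_tracking_number(misc):
    """True if misc is a well-formed Incident Tracking Number, e.g. IR20100211034."""
    return TRACKING_NUMBER_RE.fullmatch(misc or "") is not None


def record_problems(rec):
    """Return the list of problems with one record; an empty list means well-formed."""
    problems = []
    if rec.get("ac") != 505:
        problems.append("action code is not 505")
    tc = rec.get("tc")
    if tc == 971:
        if not is_valid_tracking_number(rec.get("misc")):
            problems.append("MISC %r is not a valid Incident Tracking Number" % rec.get("misc"))
        # Assumed rule: the incident (SECONDARY-DT) cannot occur after the input (TRANS-DT).
        if rec["secondary_dt"] > rec["trans_dt"]:
            problems.append("incident date (SECONDARY-DT) is after the input date (TRANS-DT)")
    elif tc == 972:
        if rec.get("misc") not in REVERSAL_REASONS:
            problems.append("MISC %r is not a recognized reversal reason" % rec.get("misc"))
    else:
        problems.append("transaction code is not 971 or 972")
    return problems


def audit_indicators(records):
    """Replay the records in TRANS-DT order and report indicator state.

    Returns a dict with:
      'active'   - account -> tracking number of an unreversed TC 971 AC 505
      'reversed' - list of (account, tracking number, reason value)
      'problems' - list of (account, tc, problem text) for malformed or orphan records
    """
    active, reversed_, problems = {}, [], []
    for rec in sorted(records, key=lambda r: r["trans_dt"]):
        acct = rec["account"]
        found = record_problems(rec)
        if found:
            problems.extend((acct, rec.get("tc"), p) for p in found)
            continue
        if rec["tc"] == 971:
            if acct in active:
                problems.append((acct, 971, "indicator already active (%s)" % active[acct]))
            active[acct] = rec["misc"]
        else:  # 972: reverse the active indicator on this account (assumed pairing rule)
            if acct not in active:
                problems.append((acct, 972, "reversal with no active TC 971 AC 505"))
                continue
            reversed_.append((acct, active.pop(acct), rec["misc"]))
    return {"active": active, "reversed": reversed_, "problems": problems}


# Constructed sample records; account identifiers are placeholders, not real data.
SAMPLE_RECORDS = [
    {"account": "ACCT-A", "tc": 971, "ac": 505, "trans_dt": date(2010, 2, 15),
     "secondary_dt": date(2010, 2, 5), "misc": "IR20100211034"},   # tracking number from Exhibit 10.5.4-4
    {"account": "ACCT-A", "tc": 972, "ac": 505, "trans_dt": date(2010, 3, 1),
     "secondary_dt": None, "misc": "IRSERR"},                      # keying error reversal
    {"account": "ACCT-B", "tc": 971, "ac": 505, "trans_dt": date(2011, 6, 1),
     "secondary_dt": date(2011, 5, 20), "misc": "IR2011060100"},   # only 10 digits: malformed
    {"account": "ACCT-C", "tc": 972, "ac": 505, "trans_dt": date(2011, 7, 1),
     "secondary_dt": None, "misc": "IRSADM"},                      # reversal with nothing to reverse
    {"account": "ACCT-D", "tc": 971, "ac": 505, "trans_dt": date(2012, 1, 10),
     "secondary_dt": date(2012, 1, 3), "misc": "CR20120103007"},   # still active
]

if __name__ == "__main__":
    result = audit_indicators(SAMPLE_RECORDS)
    for key in ("active", "reversed", "problems"):
        print(key, result[key])
```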
