10.5.4  Incident Management Program

Manual Transmittal

June 25, 2013

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) Reorganized portions of the IRM for improved clarity and flow, made editorial changes, updated text and added new guidance throughout the IRM (further identified below), and updated all links to link to IRM Online, when appropriate, for consistency.

(2) Updated all references to Privacy, Information Protection and Data Security (PIPDS) to Privacy, Governmental Liaison and Disclosure (PGLD).

(3) Deleted the Incident Management Breach Process flow chart and all references to the flow chart throughout the IRM.

(4) Replaced any reference to MITS with IT.

(5) IRM 10.5.4.1 and Exhibit 10.5.4.1 - Deleted the Incident Management Breach Process flow chart and all references to the flow chart.

(6) IRM 10.5.4.1.3 - Updated text and added additional information regarding Incident Management.

(7) IRM 10.5.4.2 - Deleted the Incident Management Breach Process flow chart and all references to the flow chart and added verbiage concerning the Incident Management Program.

(8) IRM 10.5.4.3 - Updated text.

(9) IRM 10.5.4.3.1(1) - Updated text, changed (1) to (2) and added reference to OMB Memo M-06-19 in (1).

(10) IRM 10.5.4.3.2 - Updated text to remove the words "the US Code" and replaced them with "of Title 26."

(11) IRM 10.5.4.3.3 - Updated title to Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents. Updated text throughout. Replaced references to "Notice Gatekeeper" with "Office of Taxpayer Correspondence" and references to IRM 21.3.1.1.1, Erroneous Correspondence Procedures, with IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process. Added procedure to report certain incidents to SAMC; deleted procedure to report incidents involving the loss or theft of an IT asset to IT (formerly MITS); added procedure regarding BYOD devices (Bring Your Own Device); and added procedure to report incidents involving a theft to Local Law Enforcement.

(12) IRM 10.5.4.3.4 - Updated title and text to include the words "of taxpayer information." Added text regarding Form 11377.

(13) IRM 10.5.4.3.5 - Replaced reference to "Notice Gatekeeper" with "Office of Taxpayer Correspondence" in (1) and added (1) (e) to include procedures regarding suicide threats.

(14) IRM 10.5.4.3.5, Note - Replaced reference to IRM 21.3.1.1.1, Erroneous Correspondence Procedures, with IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process.

(15) IRM 10.5.4.4 - Retitled section to Incident Management Intake, Risk Assessment and Notification, updated text and removed link and reference to the Incident Management Breach Process Flow Chart.

(16) IRM 10.5.4.4.1 - Retitled section to Incident Management Intake, updated text, reorganized section, and added link and Form number for PII Analysis Template.

(17) IRM 10.5.4.4.2 - Previously part of IRM 10.5.4.4.1, now a separate section and retitled to Incident Management Risk Assessment.

(18) IRM 10.5.4.4.3 - Updated text.

(19) IRM 10.5.4.4.4 - Updated title of section to Incident Management Data Loss Notification.

(20) IRM 10.5.4.4.4.1 - Updated title of section to Contents of the IRS Data Loss Notification and deleted reference to Document 12519.

(21) IRM 10.5.4.4.4.2 - Updated title of section to Data Loss Notification Signature; updated required signature to Associate Director, Privacy and Information Protection (PIP)/ Incident Management.

(22) IRM 10.5.4.4.4.3 - Updated title of section to Timeliness of the Data Loss Notification and added new notification goals.

(23) IRM 10.5.4.4.4.4 - Updated title of section to Means of Providing Data Loss Notifications.

(24) IRM 10.5.4.4.5.1(3) - Updated the fax number for the Image Control Team in Andover to 855-807-5720.

(25) IRM 10.5.4.7 - Updated text and links.

(26) IRM 10.5.4.8 - Updated title of section to Identity Theft and Data Loss Information Links, text in (1) and links in a) and b).

(27) Exhibit 10.5.4-1 - Deleted the Incident Management Breach Process Flow Chart. Remaining Exhibits renumbered.

(28) Exhibit 10.5.4-1 - Renumbered from Exhibit 10.5.4-2. Added a column to the Glossary of Incident Management Terms and Definitions table for the Terms; moved the Terms to the first column with only the definitions in the second column. Added or updated text for the definition of Data Loss (Breach) Notification, Federal Information Processing Standards, Federal Information Processing Standards Publications, Incident Management, Office of Management and Budget, Personally Identifiable Information (PII), Unauthorized Disclosure, Safeguard, and Theft. Deleted the definition for Disclosure.

(29) Exhibit 10.5.4-2 - Renumbered from Exhibit 10.5.4-3. Updated text and links.

(30) Exhibit 10.5.4-3 - Renumbered from Exhibit 10.5.4-4. Updated text to include additional alphas in Incident Number.

Effect on Other Documents

IRM 10.5.4, Privacy, Information Protection and Data Security (PIPDS), Incident Management Program, dated December 10, 2010, is superseded.

Audience

The provisions in this manual apply to all divisions, functional units, managers, employees, and contractors within the Internal Revenue Service (IRS).

Effective Date

(06-25-2013)

Frances W. Kleckley
Director, Privacy and Information Protection

10.5.4.1  (06-25-2013)
Background of the Incident Management Program

  1. Purpose. This manual defines the mission, objectives, and governance structure of the Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, breaches and disclosures.

  2. Scope. The provisions in this manual apply Servicewide whenever Personally Identifiable Information (PII) is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS.

  3. Accountability. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost, stolen or disclosed PII may be used to perpetrate identity theft or other forms of harm, if the information falls into unauthorized hands.

10.5.4.1.1  (12-10-2010)
Definition of Key Incident Management Terms

  1. Data Loss Incident. An incident of a reported loss, theft, breach, or disclosure.

  2. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. The Memorandum is available at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf. For further information about PII, see the PGLD web page, PII - What is personally identifiable information?, at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/privacy_art/8352.aspx.

  3. Sensitive But Unclassified Information (SBU). Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction. For further information on SBU, see the PGLD web page, What is SBU?, at http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/privacy_art/8876.aspx.

  4. For a full listing of Incident Management terms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms and Definitions.

10.5.4.1.2  (12-10-2010)
Origins of the Incident Management Program

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information.

  2. The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies. See Exhibit 10.5.4-2 for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  3. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for incident management and data loss notification. Consistent with the OMB directives, the IRS notifies individuals who are determined to be at high risk of harm following a PII data loss. The potentially impacted individuals are notified without unreasonable delay following a risk assessment of the incident.

  4. Since September 2007, the Incident Management Office (IM) (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for ensuring IRS incidents involving the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII, are investigated, analyzed and resolved by the PII Incident Management Team.

10.5.4.1.3  (06-25-2013)
Incident Management Program Roles and Responsibilities

  1. Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS). The Office of PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS data loss.

  2. Incident Management (IM). This PGLD office manages the reporting, risk assessment, and tracking of IRS data loss incidents as well as data loss notification to individuals potentially impacted by the IRS data loss, in accordance with OMB M-07-16. IM has the following specific responsibilities related to administering the Incident Management Program in the IRS:

    1. Interpreting federal laws, regulations, and policies relating to the protection of PII (see IRM 11.3.1, Introduction to Disclosure, at http://irm.web.irs.gov/link.asp?link=11.3.1 for more information)

    2. Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 07-16 and related directives

    3. Carrying out activities as required by the Privacy and Information Protection (PIP) Advisory Committee, which oversees the development and execution of the Incident Management Program

    4. Identifying and tracking data loss incidents

    5. Conducting risk assessments of data loss incidents

    6. Mitigating risks associated with data loss incidents before substantial damage occurs

    7. Preparing all reporting documentation pertaining to data loss incidents

    8. Making notification recommendations regarding potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities

    9. Convening and facilitating the PII Working Group to review data loss incident risk assessments and validating notification recommendations

    10. Presenting notification recommendations to the PIP Advisory Committee for final decision and approval

    11. Supporting communications and other follow-up actions based on PIP Advisory Committee notification decisions

    12. Identifying emerging trends and developing appropriate strategies and responses

    13. Improving procedures to reduce the occurrence of data loss incidents

    14. Developing, defining, monitoring, and executing Incident Management policies and procedures

    15. Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual

    16. Communicating and coordinating with internal stakeholders to ensure consistency regarding data loss policy and issues.

  3. Identity Protection Specialized Unit (IPSU). The Incident Management Program is supported by the IPSU, which assists individuals impacted by IRS data loss by answering general incident related inquiries. The IPSU also provides assistance to taxpayers impacted by identity theft or taxpayers who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by the IPSU even if the taxpayer has not experienced any problems with, or received communications from, the IRS. See IRM 21.9.2, Accounts Management Identity Theft, at http://irm.web.irs.gov/link.asp?link=21.9.2, for more information about the IPSU.

10.5.4.2  (06-25-2013)
Overview of the Incident Management Program

  1. The Incident Management Program includes the management of the IRS data loss reporting process, as well as the risk assessment and tracking of IRS data loss incidents and notification to individuals potentially impacted by IRS data losses.

10.5.4.3  (06-25-2013)
Reporting Losses, Thefts and Disclosures of Sensitive Information

  1. All IRS employees are required to report, within one hour, the loss or theft of an IT asset or hardcopy record or document, or the inadvertent unauthorized disclosure of sensitive information in electronic, verbal or hardcopy form.

    Note:

    Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, email messages (printed), and personnel and job application information.

10.5.4.3.1  (06-25-2013)
Timely Reporting: Within One Hour

  1. As per OMB Memo M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006, all incidents involving personally identifiable information must be reported within one hour of discovering the incident.

  2. The timely reporting within one hour of all inadvertent unauthorized disclosures of sensitive information, and all losses or thefts of sensitive information and IT assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

10.5.4.3.2  (06-25-2013)
Intentional Unauthorized Disclosures

  1. Incidents involving intentional unauthorized disclosures must be reported to the Treasury Inspector General for Tax Administration (TIGTA) as soon as possible. See IRM 11.3.1, Introduction to Disclosure, at http://irm.web.irs.gov/link.asp?link=11.3.1 and IRM 11.3.38, Role and Responsibilities of Disclosure Managers, at http://irm.web.irs.gov/link.asp?link=11.3.38, for further information. See also Section 7213 of Title 26, which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

10.5.4.3.3  (06-25-2013)
Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents

  1. An employee who becomes aware of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, is required to report the incident within one hour to his or her manager and one of the following offices based on what was lost or disclosed:

    1. The Office of Taxpayer Correspondence (OTC), formerly Notice Gatekeeper, if the incident involves taxpayer correspondence, using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form, available at http://dci0150cpres/CMIS/STACI/redbutton.aspx. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. The scope of the Reporting Form includes taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, and other electronic transmissions such as email. See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, at http://irm.web.irs.gov/link.asp?link=25.13.1.3. The OTC will notify the Situation Awareness Management Center (SAMC) as necessary after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to SAMC, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches/losses.

    2. The Situation Awareness Management Center (SAMC), if the incident does not involve taxpayer correspondence, e.g., a verbal disclosure; if the incident involves the loss or theft of sensitive information, e.g., hardcopy records or documents, packages lost during shipment, etc.; or if the incident involves a non-IRS IT asset, i.e., an IT asset in the Bring Your Own Device (BYOD) program. Report using the Incident Reporting Form, available at http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw, or by calling 1-866-216-4809.

      Note:

      You must also open a KISAM ticket to report the loss or theft of a BYOD device. See the Incident Reporting and Alerts webpage on the CSIRC website at http://mits.web.irs.gov/Cybersecurity/Divisions/Operations/Services/Advise_Alert.htm for additional information regarding BYOD devices.

    3. The Computer Security Incident Response Center (CSIRC), if the incident involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, removable media, CD/DVD, flash drive, floppy, cell phone, BlackBerry, etc., using the Computer Security Incident Reporting Form available at https://www.csirc.web.irs.gov/incident/, or by calling 1-866-216-4809.

      Note:

      If the incident involves both the loss or theft of an IRS IT asset, e.g., an IRS issued laptop, flash drive, etc., and the loss or theft of sensitive information, e.g., hardcopy records or documents, packages lost during shipment, etc., report the incident to CSIRC. Do not report it to SAMC.

  2. You must also report the incident to the Treasury Inspector General for Tax Administration (TIGTA), at 1-800-366-4484, if the incident involves the loss or theft of an IRS IT asset or a non-IRS IT asset (BYOD device), e.g., computer, laptop, router, printer, removable media, CD/DVD, flash drive, floppy, etc., or the loss or theft of hardcopy records/documents containing sensitive information.

  3. If the incident involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

    Note:

    See the PGLD webpage, Data Protection and Inadvertent Disclosures, at http://irweb.irs.gov/AboutIRS/bu/pipds/information_protection/default.aspx, for additional information.

10.5.4.3.4  (06-25-2013)
Inadvertent Accesses of Taxpayer Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, located at http://core.publish.no.irs.gov/forms/internal/pdf/25123i04.pdf, or the fillable Form 11377-E, Taxpayer Data Access, located at http://core.publish.no.irs.gov/forms/internal/pdf/39100i04.pdf.

  2. Form 11377 may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to SAMC, CSIRC or OTC.

10.5.4.3.5  (06-25-2013)
"No Reporting" Situations

  1. The following are examples of situations which require no reporting to SAMC, CSIRC, OTC, PGLD, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.

    5. An IRS employee discloses a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure per IRM 21.1.3.12, no reporting to SAMC is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, at http://serp.enterprise.irs.gov/databases/irm.dr/current/21.dr/21.1.dr/21.1.3.dr/21.1.3.12.htm, for the procedures to follow when a taxpayer threatens suicide and for when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, at http://irm.web.irs.gov/link.asp?link=25.13.1.3, for additional information regarding erroneous correspondence procedures.

10.5.4.4  (06-25-2013)
Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS data loss incidents by Incident Management as well as notification to potentially impacted individuals.

10.5.4.4.1  (06-25-2013)
Incident Management Intake

  1. When a data loss incident occurs (this includes the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII), the incident is reported to either SAMC or CSIRC.

    1. The incident is reported to SAMC if the incident involves, for example, a verbal disclosure or the loss or theft of hardcopy records. The incident is also reported to SAMC if the incident involves a non-IRS IT asset, i.e., an asset in the Bring Your Own Device (BYOD) program.

    2. The incident is reported to CSIRC if the incident involves the loss or theft of an IRS IT asset, including when both an IRS IT asset and sensitive information, e.g., hardcopy records or documents, are lost or stolen in the same incident.

    3. Both SAMC and CSIRC send a notification via email to the PII mailbox that contains an incident summary including the information necessary to open a case. The PII mailbox is a centralized communication tool used by the PII Incident Management Team to send and receive all communications throughout the incident intake process, including the standard introductory email from SAMC and CSIRC.

  2. Incident Management performs an initial assessment of the incident. If PII or SBU data is involved, Incident Management will send a Form 14164, Personally Identifiable Information (PII) Analysis, available at http://core.publish.no.irs.gov/forms/internal/pdf/55370a13.pdf, and an Impacted Individuals and/or Businesses Excel Spreadsheet, to the IRS employee and the employee's manager to obtain additional information. Note that the form and instructions for incidents involving IT assets are different from the forms and instructions for all other incidents.

    1. The SAMC/CSIRC Incident Report and PII Analysis Template provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Businesses Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the data loss.

  3. Incident Management (IM) will escalate/report all High-Impact Incidents to the PIP Leadership Team before proceeding with further reporting duties. For purposes of this procedure, the PIP Leadership Team consists of the Director, Privacy and Information Protection, the Deputy Director, Privacy and Information Protection, and the Associate Director, Incident Management, as well as other staff that may be designated by these officials to receive notification. The *PII mailbox, at mailto:pii@irs.gov, will be copied on all notifications. IM will wait for feedback from the PIP Leadership Team before proceeding with further reporting duties for High-Impact Incidents. For purposes of this procedure, a High-Impact Incident is defined as one that:

    1. Potentially impacts 100 or more individuals;

    2. Involves circumstances that are exceptional in nature and may draw media attention, e.g., a break-in at an IRS office or alternative work site in which a potential data loss has been reported, documents falling off the back of a truck, a loss known to potentially involve a high-profile individual, a loss where it appears the media may have already been contacted, etc.; or,

    3. Involves information the loss of which may negatively impact the IRS, e.g., the loss of e-file records, the compromise of sensitive information involving a high-profile IRS initiative, incidents affecting IRS.gov, such as a glitch allowing personal information to be accessed, etc.

10.5.4.4.2  (06-25-2013)
Incident Management Risk Assessment

  1. Incident Management performs a risk assessment to evaluate the likely risk of harm, specifically the potential for identity theft, for all reported IRS data loss incidents, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the incident into one of four levels. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data loss should be given.

  2. Incident Management uses the following three-step methodology to assess all incidents to determine the potential likelihood of harm to individuals:

    1. Step 1: Key factors. Each of the four factors identified by OMB (the nature of the data elements breached; the likelihood the PII is accessible and usable; the likelihood the PII may lead to harm as defined by the Privacy Act; and the ability of the agency to mitigate the risk of harm) is assessed in relation to the specific incident to determine the potential likelihood of harm to individuals. See (3) below for additional information on the risk assessment factors. Identifying the data elements and assessing the impact of the loss are key factors that must be considered in determining if, when, and how notification will be provided to potentially impacted individuals.

      Note:

      OMB suggests a fifth factor, the number of individuals affected. This factor is not used to determine whether notification should be provided, but it may dictate the communication vehicles used for notification.

    2. Step 2: Factor ratings. Each of the four factors is then rated by its impact level (high, moderate, low, or no impact), with 3, 2, 1, or 0 points, respectively, assigned to each impact level;

    3. Step 3: Incident categorization. Based on the total factor rating points (0 to 12), the incident is categorized into one of four levels. Incidents with a total of 8 to 12 points are considered Level Three. Potentially impacted individuals involved in a data loss incident categorized as Level Three will be sent a data loss letter.

  3. The IRS risk assessment includes the following factors and key considerations, at a minimum:

    1. The nature of the data elements breached, i.e., the type of information disclosed, e.g., whether the data loss incident involved PII such as SSNs, addresses, and names;

    2. The likelihood the information was made accessible to and usable by unauthorized persons, e.g., was the data encrypted using an encryption product approved for government use by the National Institute of Standards and Technology (NIST) and meeting Federal Information Processing Standard (FIPS) 140-2 specifications, and was the encryption key or passphrase protected rather than lost or disclosed along with the data;

    3. The likelihood the information may lead to harm as defined by the Privacy Act, i.e., the damage potential of the information disclosed, e.g., whether the information can be used to cause harm, such as identity theft or public embarrassment; and

    4. The ability of the IRS to mitigate the potential harm, e.g., does the agency have the capabilities to take countermeasures.
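The following Python module is an added illustration, not IRS tooling, of the scoring described in Steps 1 through 3 above together with the High-Impact escalation test in IRM 10.5.4.4.1(3). It assumes its own factor key names and sample incidents (constructed, not real cases); because the IRM text defines only the Level Three point band (8 to 12), the function returns no level for totals outside that band rather than inventing cut-offs for the other levels. The rating helper for the accessibility factor also applies the practitioner caveat that encryption only lowers accessibility when the key or passphrase did not travel with the data.

```python
# Added example (not IRS code): scoring an incident under the IRM 10.5.4.4.2
# three-step method and applying the IRM 10.5.4.4.1(3) High-Impact test.
# Assumptions are marked; the IRM text defines only the Level Three band.
from dataclasses import dataclass

# Step 2: impact level -> points (3 to 0), as stated in the IRM.
IMPACT_POINTS = {"high": 3, "moderate": 2, "low": 1, "none": 0}

# Step 1: the four OMB M-07-16 factors. The key names are this example's own.
OMB_FACTORS = (
    "data_elements",   # nature of the data elements breached
    "accessibility",   # likelihood the PII is accessible and usable
    "harm",            # likelihood the loss leads to harm under the Privacy Act
    "mitigation",      # (in)ability of the agency to mitigate the harm
)

LEVEL_THREE_RANGE = range(8, 13)      # 8-12 inclusive -> Level Three
HIGH_IMPACT_INDIVIDUALS = 100         # IRM 10.5.4.4.1(3)(a)


@dataclass
class Incident:
    incident_id: str
    ratings: dict                  # factor -> "high"/"moderate"/"low"/"none"
    individuals_affected: int      # OMB's fifth factor: vehicle, not decision
    exceptional: bool = False      # break-in, media interest, high-profile subject
    irs_harm: bool = False         # e-file records, IRS.gov exposure, etc.


def accessibility_rating(encrypted_fips140: bool, key_compromised: bool) -> str:
    """Rate factor 2 from the encryption facts the IRM asks about.

    FIPS 140-2 validated encryption makes the data unlikely to be usable,
    but only if the key or passphrase was not lost with it (added caveat;
    the page itself only asks whether the data was encrypted).
    """
    return "low" if encrypted_fips140 and not key_compromised else "high"


def total_points(ratings: dict) -> int:
    """Step 2: validate and sum the four factor ratings (0-12)."""
    missing = [f for f in OMB_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    bad = [f for f in OMB_FACTORS if ratings[f] not in IMPACT_POINTS]
    if bad:
        raise ValueError(f"invalid impact level for: {bad}")
    return sum(IMPACT_POINTS[ratings[f]] for f in OMB_FACTORS)


def categorize(points: int):
    """Step 3: map points to a level. The IRM gives only the Level Three
    band (8-12); other bands are not on the page, so None is returned for
    totals outside it rather than inventing Level One/Two cut-offs."""
    return 3 if points in LEVEL_THREE_RANGE else None


def is_high_impact(inc: Incident) -> bool:
    """IRM 10.5.4.4.1(3): escalate to the PIP Leadership Team if any applies."""
    return (inc.individuals_affected >= HIGH_IMPACT_INDIVIDUALS
            or inc.exceptional or inc.irs_harm)


def assess(inc: Incident) -> dict:
    """Run the full assessment and return the decision record."""
    points = total_points(inc.ratings)
    level = categorize(points)
    return {
        "incident_id": inc.incident_id,
        "points": points,
        "level": level,
        "notify": level == 3,             # Level Three -> Letter 4281C
        "high_impact": is_high_impact(inc),
        "individuals_affected": inc.individuals_affected,
    }


# Constructed sample incidents (not real cases).
LOST_LAPTOP = Incident(
    incident_id="EXAMPLE-LAPTOP",
    ratings={
        "data_elements": "high",                               # names + SSNs
        "accessibility": accessibility_rating(False, False),   # no encryption
        "harm": "high",
        "mitigation": "moderate",
    },
    individuals_affected=250,
)
LOST_DRIVE = Incident(
    incident_id="EXAMPLE-DRIVE",
    ratings={
        "data_elements": "high",
        "accessibility": accessibility_rating(True, False),    # FIPS 140-2, key safe
        "harm": "moderate",
        "mitigation": "low",
    },
    individuals_affected=12,
)

if __name__ == "__main__":
    for inc in (LOST_LAPTOP, LOST_DRIVE):
        print(assess(inc))
```

Run as a script, the unencrypted laptop totals 11 points (Level Three, notify, and High-Impact because 250 individuals exceed the 100 threshold), while the FIPS 140-2 encrypted drive totals 7 points and falls outside the Level Three band. The number of individuals is carried in the result only so the caller can choose the communication vehicle; it never changes the notify decision, matching the Note under Step 1.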

10.5.4.4.3  (06-25-2013)
The PII Incident Management Working Group (IMWG) and the Privacy and Information Protection Advisory Committee (AC)

  1. The PII Incident Management Working Group (IMWG) and the Privacy and Information Protection Advisory Committee (PIP AC) include representatives from all business units and functional organizations. The IMWG approves low risk case decisions and provides high risk case recommendations to the PIP AC for final decision making.

  2. After Incident Management has completed its risk analysis of an incident and developed a recommendation with regard to the appropriate response, the recommendation is reviewed by the PII Incident Management Working Group (IMWG).

  3. For high risk incidents, if the IMWG agrees with the notification recommendation, the final decision to notify is presented to the Privacy and Information Protection Advisory Committee (PIP AC) for approval and concurrence.

  4. If the PIP AC concurs with the notification recommendation, potentially impacted individuals are then notified of the data loss via Letter 4281C, IM Breach Notification Letter.

10.5.4.4.4  (06-25-2013)
Incident Management Data Loss Notification

  1. The IRS will notify potentially impacted individuals if the evaluation of an IRS data loss incident results in a high risk of harm to these individuals.

  2. The IRS will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS will identify individuals who have been sent Letter 4281C, IM Breach Notification Letter, by marking each account with the IRS data loss indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying Tracking Indicators to IRS Data Loss Incidents, for additional information.

10.5.4.4.4.1  (06-25-2013)
Contents of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents using Letter 4281C, IM Breach Notification Letter. The IRS may use a unique letter when deemed necessary and appropriate. Notifications will be written plainly and clearly, and will generally include, at a minimum, the following information:

    1. A brief description of what happened, including the date of the data loss incident;

    2. To the extent possible, a description of the type of PII disclosed as a result of the data loss incident (e.g., name, SSN, date of birth, address);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity theft protection product at no cost for twelve months, and the contact information for the credit reporting agency.

10.5.4.4.4.2  (06-25-2013)
Data Loss Notification Signature

  1. The Associate Director, Privacy and Information Protection (PIP)/ Incident Management shall sign notification letters to individuals potentially impacted by a data loss incident.

10.5.4.4.4.3  (06-25-2013)
Timeliness of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents without unreasonable delay following the completion of the risk assessment process.

  2. Beginning with FY 2012, the business measure/lapse time goal is an average of 19 days from the SAMC/CSIRC Report Date to the Data Loss Notification Letter Date.

  3. Also beginning in FY 2012, a new Organizational goal was introduced to measure the average elapsed time between the Incident Date and the Data Loss Notification Letter Date. This new lapse time goal was established at 60 days for FY 2012 and was reduced to 54 days in FY 2013.

  4. The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

10.5.4.4.4.4  (06-25-2013)
Means of Providing Data Loss Notifications

  1. The IRS will provide written notification to the taxpayer's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the PIP Advisory Committee (AC), and consistent with applicable law, the IRS may notify external entities. In making its decision, the PIP AC will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the incident (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the data loss incident (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

10.5.4.4.5  (12-10-2010)
Ongoing Support

  1. Based on the circumstances of the data loss incident, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free number staffed by trained IRS personnel to respond to general data loss incident-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on data loss incidents that affect taxpayers’ tax returns, such as phishing schemes

10.5.4.4.5.1  (06-25-2013)
Handling Taxpayer Inquiries Regarding Data Loss Letters

  1. The Identity Protection Specialized Unit (IPSU) receives calls from individuals who have received notification of an IRS data loss via Letter 4281C, IM Breach Notification Letter. The IPSU answers general incident related inquiries regarding the data loss and prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident that the IPSU is unable to answer. The Form 4442 is directed to the Incident Management office in Philadelphia for resolution.

  2. In some instances, IRS phone assistors other than the assistors in the IPSU may receive calls from taxpayers who have received Letter 4281C. If an employee receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), refer the individual to 1-866-225-2009. The IPSU supports this dedicated number and is trained to respond to Letter 4281C questions.

  3. Correspondence received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the IPSU at the following address: IRS, Attn: IPSU, PO Box 9039, Andover, MA, 01810–9039. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) in Andover at (855)807-5720. The IPSU can provide further assistance regarding the data loss incident and information to protect the taxpayer's personal data.

10.5.4.4.6  (12-10-2010)
Retention and Disposition

  1. Incident Management will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data loss incident.

10.5.4.5  (12-10-2010)
Tracking: IRS Data Loss and Identity Theft Tracking Indicators

  1. The Incident Management Program tracks data loss related incidents to support the following objectives:

    1. Reduce taxpayer burden while addressing data loss incidents.

    2. Increase operational efficiency of the IRS by detecting and processing reported data loss incidents as early and consistently as possible.

10.5.4.5.1  (12-10-2010)
IRS Data Loss and Identity Theft Tracking Indicators

  1. PGLD developed and implemented data loss and identity theft indicator codes to centrally track IRS data loss and identity theft incidents. Each indicator is input as a Transaction Code (TC) with Action Code (AC) and displayed on the Integrated Data Retrieval System (IDRS) command code ENMOD of the affected taxpayer's account.

  2. TC 971 AC 505 was implemented by PGLD to identify taxpayers whose PII was lost, breached, stolen, or disclosed because of an IRS data loss incident.

10.5.4.5.1.1  (12-10-2010)
Applying Tracking Indicators to IRS Data Loss Incidents

  1. TC 971 AC 505 is applied to a taxpayer’s account when all of the following occur:

    1. A taxpayer’s PII was lost, breached, disclosed, or stolen.

    2. The incident risk assessment results in a high risk of harm to the potentially impacted individuals.

    3. The IRS notifies the taxpayer of this data loss incident.

    Example:

    Taxpayer case files containing PII were lost while being shipped from one location to another. Since the incident risk assessment resulted in a high risk of harm, Incident Management will send a notification letter to the potentially impacted individuals.

  2. Input of TC 971 AC 505 is limited and reserved for use by PGLD (IM) employees; however, this indicator will be visible and available for reference on the individual’s account. See Exhibit 10.5.4-3 for more information about this indicator.

  3. PGLD (IM) inputs TC 971 AC 505 on an account regardless of the existence of any other identity theft indicator code (AC 501, 504, or 506) that may be present on the account. See IRM 10.5.3, Identity Protection Program, at http://irm.web.irs.gov/link.asp?link=10.5.3, for information on Action Codes 501, 504, and 506.

  4. In some instances, it may be necessary for PGLD (IM) personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD (IM) employees, Exhibit 10.5.4-4 is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

10.5.4.6  (12-10-2010)
Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by the Office of Privacy. These briefings provide information regarding privacy, disclosure, computer security, and UNAX to all employees.

10.5.4.7  (06-25-2013)
Identity Theft and Data Loss Frequently Asked Questions

  1. How will the IRS track and monitor data loss incidents?

    1. The IRS will track data loss incidents by placing a data loss indicator (TC 971 AC 505) on the entity portion of the account of each individual who has been sent a data loss notification letter (as long as the entity is established on the Master File).

  2. Can there be more than one IRS data loss or identity theft-related TC 971 placed on a taxpayer's account?

    1. Yes, there can be multiple data loss or identity-theft related TC 971s input/present on a taxpayer's account (e.g., different action codes, different tax years, and/or different functions). Each indicator represents an incident that meets the criteria of the specific indicator placed on the account. For further detail on the IRS data loss indicator, see IRM 10.5.4.5.1.1, Applying Tracking Indicators to IRS Data Loss Incidents, and IRM 10.5.3, Identity Protection Program, at http://irm.web.irs.gov/link.asp?link=10.5.3, for details regarding the IRS identity theft indicators.

  3. Under what circumstances can the IRS data loss or identity theft-related tracking indicators (i.e., TC 971 with AC 501, 504, 505, or 506) be reversed?

    1. In some instances, it may be necessary to manually reverse the IRS data loss or identity theft indicators. A data loss indicator may be reversed because of a keying or internal error, or an internally identified negative impact. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD (IM) employees, Exhibit 10.5.4-4 is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field. For additional information on reversing the IRS identity theft indicators, see IRM 10.5.3, Identity Protection Program, at http://irm.web.irs.gov/link.asp?link=10.5.3.

  4. The IRS identified the taxpayer as being impacted by a data loss, theft, breach, or disclosure incident and placed a TC 971 AC 505 on the account. What happens next?

    1. The taxpayer will receive a data loss notification letter (Letter 4281C, IM Breach Notification Letter) from the IRS advising him/her that information controlled by the IRS may have been disclosed to unauthorized individuals. The notification letter contains information related to identity protection and a free identity theft protection product arranged for the taxpayer by the IRS. Note: The taxpayer must call the credit reporting agency in order to sign up for the product.

  5. What is the role of the Identity Protection Specialized Unit (IPSU) with regards to Incident Management?

    1. The IPSU receives calls from individuals who have received an IRS data loss letter (Letter 4281C). The IPSU answers general incident related inquiries regarding the data loss and prepares an Inquiry Referral Form (Form 4442) if the caller requests specific information regarding the incident which the IPSU is unable to answer. The Form 4442 is directed to the Incident Management office in Philadelphia for resolution.

    2. The IPSU also receives calls from taxpayers who believe they have been victims of identity theft that does not affect tax administration. After a taxpayer provides substantiation documentation, the unit applies a TC 971 AC 504 to the taxpayer's account.

    3. The IPSU also receives calls from taxpayers who believe they are victims of identity theft that does affect tax administration; however, these callers are referred to the appropriate functional business unit for resolution. See IRM 21.9.2.3.3, Tax-Related Identity Theft (IPSU Toll-Free line CSRs only), at http://irm.web.irs.gov/link.asp?link=21.9.2.3.3. The IPSU periodically follows up with these units to ensure the case is being worked appropriately.

    4. The IPSU also assists taxpayers whose situations meet TAS criteria 5-7 AND involve identity theft. See IRM 21.1.3.18, Taxpayer Advocate Service (TAS) Guidelines, at http://irm.web.irs.gov/link.asp?link=21.1.3.18, and IRM 21.9.2.9, Identity Theft Assistance Request (ITAR) – General Information, at http://irm.web.irs.gov/link.asp?link=21.9.2.9.

  6. What sources can I reference to get general information regarding identity theft and identity theft-related topics?

    1. See IRM 10.5.4.8, Identity Theft and Data Loss Information Links.

10.5.4.8  (06-25-2013)
Identity Theft and Data Loss Information Links

  1. Links to publicly available external websites and internal IRS intranet websites containing identity theft and identity theft-related information and publications are provided below as well as internal links for IRS data loss incident reporting and the PGLD website.

    1. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues:

      1. Internal Revenue Service (IRS) Website
         Description: IRS Identity Protection home page
         Link: http://www.irs.gov/uac/Identity-Protection
         Owner: IRS

      2. Federal Trade Commission (FTC) Identity Theft Website
         Description: FTC Identity Theft home page
         Link: http://www.consumer.ftc.gov/features/feature-0014-identity-theft
         Owner: FTC

      3. Federal Trade Commission (FTC) Identity Theft Victim's Complaint and Affidavit
         Description: Direct link to FTC Identity Theft Affidavit; includes instructions and guidance for completing the FTC Affidavit.
         Note: This form is no longer accepted by the IRS to substantiate identity theft. However, it can still be used by individuals to substantiate identity theft with credit bureaus and/or any companies where accounts have been opened using the victim's identity.
         Link: http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf
         Owner: FTC

      4. Internal Revenue Service (IRS) Identity Theft Affidavit (Form 14039)
         Description: Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that they are a victim of identity theft, who may become a victim of identity theft as a result of a lost or stolen wallet or purse, or who notice suspicious activity on their credit card or bank statements.
         Link: http://www.irs.gov/pub/irs-pdf/f14039.pdf
         Owner: IRS

      5. United States Department of Justice Website
         Description: Identity Theft and Identity Fraud Information
         Link: http://www.justice.gov/criminal/fraud/websites/idtheft.html
         Owner: DOJ

      6. Taxpayer Advocate Service (TAS) Website
         Description: Taxpayer Advocate Service home page
         Link: http://www.irs.gov/uac/Taxpayer-Advocate-Service-6
         Owner: TAS

      7. Social Security Administration (SSA) Website
         Description: Social Security Administration (SSA) home page
         Link: http://www.ssa.gov
         Owner: SSA

      8. Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number on SSA Website
         Description: Social Security Administration (SSA) Publication
         Link: http://www.ssa.gov/pubs/EN-05-10064.pdf
         Owner: SSA

      9. Identity Theft Task Force Website
         Description: President's Task Force on Identity Theft home page
         Link: http://www.idtheft.gov
         Owner: Identity Theft Task Force

      10. IRS Phishing Website
         Description: Instructions on how to report and identify phishing, email scams, and bogus IRS websites
         Link: http://www.irs.gov/uac/Report-Phishing
         Owner: IRS

      11. Credit Bureaus
         Description: Direct links to the three recognized credit bureaus: Equifax, Experian, and TransUnion
         Links: http://www.equifax.com, http://www.experian.com, http://www.transunion.com/
         Owner: Equifax, Experian, and TransUnion

      12. IRS Pub 4523
         Description: Beware of Phishing Schemes
         Link: http://www.irs.gov/pub/irs-pdf/p4523esp.pdf
         Owner: IRS

      13. IRS Pub 4524
         Description: Security Awareness and Identity Theft
         Link: http://www.irs.gov/pub/irs-pdf/p4524.pdf
         Owner: IRS

      14. IRS Pub 4535
         Description: Identity Theft Prevention and Victim Assistance
         Link: http://www.irs.gov/pub/irs-pdf/p4535.pdf
         Owner: IRS

      15. Identity Theft Resource Center® (ITRC) Website
         Description: Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft
         Link: http://www.idtheftcenter.org/
         Owner: ITRC

      16. OnGuard Online Website
         Description: Identity theft prevention tips from the federal government and technology industry
         Link: http://www.onguardonline.gov/
         Owner: FTC

    2. Internal IRS intranet links that provide general information on identity theft, identity theft-related issues, and data loss incidents:

      1. Privacy, Governmental Liaison and Disclosure (PGLD) Website
         Description: Office of Privacy, Governmental Liaison and Disclosure home page
         Link: http://irweb.irs.gov/AboutIRS/bu/pipds/default.aspx
         Owner: PGLD

      2. Situation Awareness Management Center (SAMC) Website
         Description: Situation Awareness Management Center (SAMC) Incident Reporting Form
         Link: http://gdi.web.irs.gov/archibus/schema/ab-products/gdi/samc/csi_samc_reporter_report_incident.axvw
         Owner: SAMC

      3. Computer Security Incident Response Center (CSIRC) Website
         Description: Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form
         Link: https://www.csirc.web.irs.gov/incident/
         Owner: IT (Information Technology)

      4. IRM 1.2.25.2
         Description: IRS Policy Statement on assisting taxpayers who report they are victims of identity theft
         Link: http://irm.web.irs.gov/link.asp?link=1.2.25.2
         Owner: IRS

Exhibit 10.5.4-1 
Glossary of Incident Management Terms and Definitions

Access: The ability or opportunity to gain knowledge of personally identifiable information.
Breach: The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Data Loss (Breach) Notification: The process of notifying potentially impacted individuals following the evaluation of a PII data loss incident which results in a high risk of harm to these individuals. Also known as PII data loss incident notification.
Data Loss Incident Risk Assessment: A risk assessment conducted on an IRS incurred data loss, theft, breach, or disclosure incident. The risk assessment includes factors that must be considered, specifically the context of the incident and the data that was disclosed. Example - An IRS employee in the field loses a taxpayer case file assigned to him. It contained PII data such as name, address, SSN, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification should be given to the taxpayer.
Federal Information Processing Standards (FIPS): A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
Federal Information Processing Standards (FIPS) Publications: Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Trade Commission (FTC): An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.
Harm: Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
   a) Potential for blackmail;
   b) Disclosure of private facts;
   c) Mental pain and emotional distress;
   d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
   e) Identity theft; or
   f) Financial loss.
Identity Theft: A fraud that is committed or attempted using a person's identifying information without authority.
Incident Management: The process of managing incidents involving the loss, theft, breach or disclosure of data. This term can also be used to refer to the Office within Privacy, Governmental Liaison and Disclosure responsible for the process of managing incidents involving the loss, theft, breach or disclosure of data by the IRS.
Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
Loss: Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, BlackBerry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data.
National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.
Office of Management and Budget (OMB): OMB assists the President in overseeing the preparation of the Federal budget and evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.
Personally Identifiable Information (PII): Personally Identifiable Information is any information that, by itself or in combination with other information, may be used to uniquely identify an individual. See OMB M-07-16 and the PGLD web page PII - What is personally identifiable information? for additional information.
PII Incident: An actual or suspected loss of control, disclosure, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII incidents include situations where persons other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format.
PII Incident Notification: See Data Loss (Breach) Notification.
PII Incident Management Working Group (IMWG): A decision making body chaired by the Deputy Director, Incident Management. Membership consists of senior management and key technical experts from all key business and functional unit stakeholders. Policy roles include: a) Reviewing Incident Management Program policy analyses and recommendations, b) Providing further analysis, data collection and support material for the Privacy and Information Protection Advisory Committee (PIP AC) decision making, and c) Providing recommendations to the AC for final decision making. Operational roles include: a) Reviewing Incident Management case risk analyses and recommendations, b) Providing further analysis, data collection and support material for AC decision making, c) Approving low-risk case decisions, and d) Providing medium and high-risk case recommendations for victim notification to the AC for final decision making.
Privacy and Information Protection Advisory Committee (PIP AC): A committee established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives.
Risk: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.
Safeguard: Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
Sensitive But Unclassified Information: Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Theft: An asset, electronic or hardcopy, thought or known to have been taken without permission from the person who is responsible for the asset.
Unauthorized Access: The willful unauthorized access and/or inspection of tax returns and return information.
Unauthorized Disclosure: An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.
Unreasonable Delay: A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means if a breach is discovered and all the information necessary to determine the scope of the breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

Exhibit 10.5.4-2 
References

The Incident Management Program was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against IRS data losses and misuse of sensitive personal data. The following are the principal documents involving the Incident Management Program:
OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget home page at http://www.whitehouse.gov/omb/memoranda.

  1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

  2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

  3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

  4. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006

  5. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

Other Federal Guidance. The President’s Identity Theft Task Force documents are available on the Identity Theft Task Force website at http://www.idtheft.gov/.

  1. Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007

  2. Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007

  3. The President’s Identity Theft Task Force Report, September 2008

IRS Internal Revenue Manuals

  1. IRM 10.5.1, Privacy, Information Protection & Data Security Policy and Guidance, http://irm.web.irs.gov/link.asp?link=10.5.1

  2. IRM 10.5.3, Identity Protection Program, http://irm.web.irs.gov/link.asp?link=10.5.3.

Exhibit 10.5.4-3 
TC 971 AC 505 — IRS Data Loss Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT: TC 971 AC 505 input date.
SECONDARY-DT: Date the data loss incident occurred.
MISC: The Incident Tracking Number (number assigned to the data loss case). This number begins with two alphas ("IR", "CR", or "PR") and is followed by 11 numeric digits. For example: IR20100211034

Exhibit 10.5.4-4 
TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

TC 972 AC 505 Miscellaneous Field

Reason: Keying or Internal Error
   Description: The 971 was due to a typographical mistake or another internal mistake.
   Value: IRSERR

Reason: Internally Identified Negative Impact
   Description: The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact.
   Value: IRSADM

Reason: Other
   Description: The reason for the 971 reversal does not meet any of the above reason descriptions.
   Value: OTHER
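As an added example (not part of this IRM or any IRS system), the following Python validator applies the field rules of Exhibits 10.5.4-3 and 10.5.4-4 to ENMOD-style indicator entries: it checks the Incident Tracking Number format of a TC 971 AC 505, the permitted MISC values of a TC 972 AC 505, and works out which data loss indicators on an account are still in force while ignoring the AC 501/504/506 identity theft indicators. The attribute and function names are this example's own, the sample history is constructed, and the rule that a TC 972 AC 505 reverses the most recent still-active TC 971 AC 505 is an assumption the IRM does not state.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# MISC field of TC 971 AC 505 (Exhibit 10.5.4-3): the Incident Tracking Number,
# a two-letter prefix "IR", "CR" or "PR" followed by exactly 11 digits.
TRACKING_NUMBER_RE = re.compile(r"^(?:IR|CR|PR)[0-9]{11}$")

# MISC field values of TC 972 AC 505 (Exhibit 10.5.4-4): reason for the reversal.
REVERSAL_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}

DATA_LOSS_AC = 505                    # IRS data loss indicator, input by PGLD (IM) only
IDENTITY_THEFT_ACS = {501, 504, 506}  # identity theft indicators covered by IRM 10.5.3


@dataclass(frozen=True)
class Indicator:
    """One TC 971/972 entry as displayed on ENMOD.

    Attribute names are this example's own; the IRM calls the columns
    TRANS-DT (input date), SECONDARY-DT (incident date) and MISC.
    """
    tc: int
    ac: int
    trans_dt: date
    misc: str
    secondary_dt: Optional[date] = None


def indicator(tc: int, ac: int, trans_dt: str, misc: str,
              secondary_dt: Optional[str] = None) -> Indicator:
    """Build an Indicator from ISO-8601 date strings (convenience for sample data)."""
    return Indicator(tc, ac, date.fromisoformat(trans_dt), misc,
                     date.fromisoformat(secondary_dt) if secondary_dt else None)


def is_valid_tracking_number(misc: str) -> bool:
    """True if MISC matches the Incident Tracking Number format of Exhibit 10.5.4-3."""
    return TRACKING_NUMBER_RE.match(misc) is not None


def validate_indicator(ind: Indicator) -> List[str]:
    """Return the problems found in an AC 505 entry; an empty list means well-formed."""
    if ind.ac != DATA_LOSS_AC:
        return [f"AC {ind.ac} is not the IRS data loss indicator (AC 505)"]
    problems: List[str] = []
    if ind.tc == 971:
        if not is_valid_tracking_number(ind.misc):
            problems.append("MISC must be IR, CR or PR followed by 11 digits")
        if ind.secondary_dt is None:
            problems.append("SECONDARY-DT (incident date) is required")
        elif ind.secondary_dt > ind.trans_dt:
            problems.append("incident date is later than the TC 971 input date")
    elif ind.tc == 972:
        if ind.misc not in REVERSAL_REASONS:
            problems.append("MISC must be one of " + ", ".join(sorted(REVERSAL_REASONS)))
    else:
        problems.append(f"TC {ind.tc} is neither 971 nor 972")
    return problems


def active_data_loss_indicators(history: List[Indicator]) -> List[Indicator]:
    """Return the TC 971 AC 505 entries on an account that have not been reversed.

    Other action codes (501, 504, 506) are ignored because the IRM states that
    AC 505 is input regardless of them. Assumption of this example, not stated in
    the IRM: each TC 972 AC 505 reverses the most recent still-active TC 971 AC 505.
    """
    active: List[Indicator] = []
    for ind in sorted(history, key=lambda i: i.trans_dt):  # stable sort keeps same-day order
        if ind.ac != DATA_LOSS_AC:
            continue
        if ind.tc == 971:
            active.append(ind)
        elif ind.tc == 972 and active:
            active.pop()
    return active


# Constructed ENMOD history for one account (sample data, not a real taxpayer).
# The MISC layout for AC 501 is defined in IRM 10.5.3, not here, so it is a placeholder.
SAMPLE_HISTORY = [
    indicator(971, 501, "2010-01-15", "AC501-MISC-PLACEHOLDER"),
    indicator(971, 505, "2010-02-25", "IR20100211034", "2010-02-11"),  # number from Exhibit 10.5.4-3
    indicator(971, 505, "2010-06-01", "CR20100520007", "2010-05-20"),  # constructed
    indicator(972, 505, "2010-06-10", "IRSERR"),                       # reverses the June entry
]

if __name__ == "__main__":
    for entry in SAMPLE_HISTORY:
        print(entry.tc, entry.ac, entry.misc, validate_indicator(entry) or "ok")
    print("active AC 505:", [e.misc for e in active_data_loss_indicators(SAMPLE_HISTORY)])
```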
