Data Breach Information for IRS Contractors


Safeguarding federal tax information (FTI) and information protected by the Privacy Act is critically important. As an IRS contractor, you and your employees are responsible for protecting all federal tax returns, return information and information subject to the Privacy Act entrusted to you. Internal Revenue Code Section (§)6103 sets forth the requirements for protecting and disclosing confidential returns and return information. The Privacy Act of 1974 applies to the requirements for protecting personal information and other information covered by the Act.

The law prohibits contractors from disclosing federal returns or return information unless allowed by statute. You and those who work for you have a responsibility to understand and apply the provisions of the law that relate to your job.

Publication 4812, Contractor Security Controls 

Contractors who have or will need access to IRS information and/or maintain or operate IRS information systems to meet their contractual obligations must follow Publication 4812, Contractor Security Controls. This publication is a layperson's guide to National Institute of Standards and Technology Special Publication 800-53 when access to IRS information or information systems under contracts for services on behalf of the IRS is outside of IRS-controlled facilities or the direct control of the IRS.

Breach Response Procedures

Contractors and their employees must be aware of their responsibilities under the law to safeguard sensitive information, the procedures to follow when data is lost or compromised and the penalties for unauthorized disclosure. Publication 4465-A, Protecting Federal Tax Information for Contractors (PDF), contains information regarding a contractor's responsibilities to protect FTI.

You must follow breach response policies and procedures as defined in Publication 4812, Section 18, Incident Response, when responding to an identified unauthorized disclosure or data breach. Section 18, Incident Responses 1-8, include:

  • Incident Response Policy and Procedures,
  • Incident Response Training,
  • Incident Response Testing,
  • Incident Handling,
  • Incident Monitoring,
  • Incident Reporting,
  • Incident Response Assistance and
  • Incident Response Plan.

Breach Reporting

Contractors must report all unintentional or inadvertent unauthorized disclosures of tax information to their IRS contracting officer's representative (COR) or project manager immediately upon detection. Your COR is the functional liaison primarily responsible for executing the contract and communicating with you. The COR will report the disclosure to IRS Incident Management using the Incident Reporting Form.

You should assign an appropriately trained point of contact (POC) to assist with mitigating the breach. To notify the COR, create a breach report of the known specifics including:

  • Name of contact for resolving data breach with contact information,
  • Date and time the breach occurred,
  • Date and time the breach was discovered,
  • How the breach was discovered,
  • Description of the breach and the data involved, including specific data elements, if known,
  • Potential number of FTI records involved; if unknown, provide a range, if possible,
  • Address where the breach occurred and
  • Any Information Technology (IT) involvement (e.g., laptop, server or mainframe).

Contact your COR immediately if FTI may have been involved in an unauthorized disclosure or data breach. Then conduct your internal investigation to confirm this determination.

Immediately report willful, unauthorized disclosures to your local Treasury Inspector General for Tax Administration (TIGTA) office or call the TIGTA hotline at 800-366-4484.

Breach Response Notification to Affected Individuals

Notification to affected individuals regarding an unauthorized disclosure or data breach is based upon the IRS Breach Response Plan.

Other Resources: