Upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents, by a federal employee, a state employee, or any other person, the individual making the observation or receiving information must contact the IRS Office of Safeguards immediately, but no later than 24 hours after identification of a possible issue involving FTI. See Publication 1075, Office of Safeguards Notification ProcessPDF (Section 10.2). Office of Safeguards Notification Process The agency must notify the Office of Safeguards by email to Safeguards mailbox, safeguardreports@irs.gov. To notify the Office of Safeguards, the agency must document the specifics of the incident known at that time into a data incident report, including but not limited to: Name of agency and agency Point of Contact for resolving data incident with contact information Date and time the incident occurred Date and time the incident was discovered How the incident was discovered Description of the incident and the data involved, including specific data elements, if known Potential number of FTI records involved; if unknown, provide a range if possible Address where the incident occurred IT involved (e.g., laptop, server, mainframe) Reports must be sent electronically and encrypted via IRS-approved encryption techniques. Use the term data incident report in the subject line of the email. Do not include any FTI in the data Incident report. Even if all information is not available, immediate notification is the most important factor, not the completeness of the data incident report. Additional information must be provided to the Office of Safeguards as soon as it is available. The agency will cooperate with TIGTA and Office of Safeguards investigators, providing data and access as needed to determine the facts and circumstances of the incident. Incident Response Procedures The agency must not wait to conduct an internal investigation to determine if FTI was involved in an unauthorized disclosure or data breach. If FTI may have been involved, the agency must contact TIGTA and the IRS immediately. Incident response policies and procedures required in Section 9.3.8, Incident Response, must be used when responding to an identified unauthorized disclosure or data breach incident. The Office of Safeguards will coordinate with the agency regarding appropriate follow- up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure the incident response policies and procedures provide adequate guidance. Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated data center employees, immediately. Incident Response Notification to Impacted Individuals Notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency’s internal incident response policy since the FTI is within the agency’s possession or control. However, the agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution. FTI Suspension, Termination, and Administrative Review The federal tax regulation 26 CFR 301.6103(p)(7)-1 establishes a process for the suspension or termination of FTI and an administrative review if an authorized recipient has failed to safeguard returns or return information. For more information, refer to Exhibit 3, U.S.C Title 26, CFR 301.6103(p)(7)-1. References/Related Topics Safeguards Program Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and EntitiesPDF
