10.5.4 Incident Management Program

Manual Transmittal

October 19, 2017

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) This IRM incorporates SERP IPU 16U1636 issued 11-04-2016 for IRM 10.5.4.4.5.7(2) and (3) which deleted the procedures in the 5th bullet of (2) requiring a Form 4442, Inquiry Referral, be sent to the Incident Management Office if the caller believes he or she is a victim of identity theft as a result of the IRS breach; in (3) made editorial changes to clarify that a Form 4442 is required to be sent to the Incident Management Office if a taxpayer is threatening litigation or legal action because the IRS breach resulted in identity theft; and added a see also tag for IRM 10.5.4.4.5.6, Referrals to the Incident Management Office.

(2) IRM 10.5.4 has been updated to include internal controls as it relates to the IRM authoring process and program as recommended by the Government Accountability Office (GAO) and as outlined in IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process, November 14, 2016 revision.

(3) IRM 10.5.4.1 - Revised IRM subsection title from Overview to Program Scope and Objectives to properly reflect the information communicated in this subsection. Updated the content to reflect internal control attributes as follows: renamed (2) from Scope/Audience to Audience; moved (3) to new (2) (a); moved (6) and (7) to new (2) (b) and (c); added new (3), Policy Owner; added new (4), Program Owner; and added new (5) Contact Information. Added Flexiplace (Telework) statement to Audience. Rearranged existing IRM content to place information involving internal controls for a program IRM under this subsection to conform to the new IRM format rules described in IRM 1.11.2. Subsections added, revised, or rearranged under Program Scope and Objectives applicable to this program include:

  1. IRM 10.5.4.1.1 - Revised title from Origins of the Incident Management Program to Background. Moved (1), (2), and (3) to IRM 10.5.4.1.2, Authority; renumbered (4) as (2); added the first sentence from deleted Exhibit 10.5.4-3, References, to (2). Added the last sentence in (3) of IRM 10.5.1.2, Introduction to Privacy, Governmental Liaison and Disclosure (PGLD), to the end of (1).

  2. IRM 10.5.4.1.2 - Revised title from PGLD/Incident Management Program Roles and Responsibilities to Authority. Moved (1) and part of (2) to IRM 10.5.4.1.1, Background. Deleted in accordance with OMB M-07-16 in (2) to eliminate redundancy; added a reference to OMB M-17-12 which rescinded M-07-16. Moved the last sentence in (3) and the list of responsibilities to IRM 10.5.4.1.3, Responsibilities. Deleted the link to OMB M-07-16 in (2); added a link to OMB M-17-12.

  3. IRM 10.5.4.1.3 - Revised the title from Definitions of Key Incident Management Terms to Responsibilities and moved the existing content in IRM 10.5.4.1.3 to IRM 10.5.4.1.5, Terms. Re-worded (1) (a) in Responsibilities per request from Cyber. Updated (1) (b), 2nd bullet, from OMB Memorandum 07-16, to OMB Memorandum 17-12 since 17-12 made 07-16 obsolete. Deleted the 4th bullet under (1) (b), Carrying out activities as required by the Privacy Policy and Compliance Advisory Committee (PPCAC); the 10th bullet under (1) (b), Presenting certain high profile and sensitive breach notification recommendations to the PPCAC; and the 11th bullet under (1) (b), Supporting communications and other follow-up actions based on PPCAC notification decisions, as the PPCAC no longer exists.

  4. IRM 10.5.4.1.4 - Added new subsection titled Measures and Reports with new (1) and (2).

  5. IRM 10.5.4.1.5 - Added new subsection titled Terms. Content previously in IRM 10.5.4.1.3 moved to this subsection. Deleted second sentence of (6) previously in IRM 10.5.4.1.3 per request from Cyber. Deleted link to OMB M-07-16 in (3) and added a link to OMB M-17-12. Updated the definition of Personally Identifiable Information to match the definition in OMB M-17-12. Added a definition for "Breach" and "Incident" as defined in OMB M-17-12.

  6. IRM 10.5.4.1.6 - Added new subsection titled Acronyms with new (1).

  7. IRM 10.5.4.1.7 - Added new subsection titled Related Resources. Content previously in IRM 10.5.4.7, IRS Data Loss and Identity Theft Information Links, and content previously in Exhibit 10.5.4-3, References, moved to this subsection. Added references to OMB M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; OMB M-12-18, Managing Government Records Directive; and IRM 1.15, Records and Information Management Series. Updated the link to the OMB home page in (2). Deleted #5, Federal Trade Commission (FTC) Identity Theft Victim's Complaint and Affidavit, from the Table in (5), as the link is no longer active; replaced it with a link to the FTC data breach information web page, www.IdentityTheft.gov/databreach. Modified the description of Form 14039 in (5) #6 per the revised form (Rev. April 2017). In (6) #1 and 2, modified the title, description, and link to PGLD’s website to the Disclosure and Privacy Knowledge Base.

(4) IRM 10.5.4.2 - Deleted subsection titled Incident Management Program; moved contents to IRM 10.5.4.1.3, Responsibilities; re-titled subsection to Awareness Training and Education; moved contents of IRM 10.5.4.6, Awareness Training and Education, to IRM 10.5.4.2.

(5) IRM 10.5.4.3.3 - In (2) (a) and (b), added text and reorganized sentences for clarity. In (2) (b), changed PII Incident Reporting Form to PII Breach Reporting Form. Added new (c) regarding where to report lost or stolen Smart-ID cards and Pocket Commissions; moved existing (c) to new (d). In (4), added a statement regarding Flexiplace (Telework) employees.

(6) IRM 10.5.4.3.3.1 - Deleted subsection titled Other Responsibilities of Reporting Employees and Business Unit Data Owners, and moved the contents to IRM 10.5.4.1.3, Responsibilities, with the exception of the definitions of Reporting Employee and Data Owner which were moved to IRM 10.5.4.1.5, Terms.

(7) IRM 10.5.4.3.6 - Deleted subsection titled Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool per request from Cyber.

(8) IRM 10.5.4.4.1 - Updated text and reorganized sentences and paragraphs throughout for clarity. Added new b) regarding OTC; subsequent paragraphs renumbered. Note previously included in (1) b) now included as last sentence of new (1) c). Added new (2); subsequent paragraph renumbered. Old (1) c) moved to new (2) a). Old (2) now (3). In new (3), clarified that the spreadsheet is only sent directly from IM in some instances; otherwise, the spreadsheet is included as an attachment to the email received from e-Trak. Moved old (3) and (4) to new sub-subsection 10.5.4.4.2, High Profile and Sensitive Breaches.

(9) IRM 10.5.4.4.2 - Added new subsection titled, High Profile and Sensitive Breaches, with information previously in IRM 10.5.4.4.1. These types of breaches were previously identified as "High Impact Incidents" or "Hot Incidents".

(10) IRM 10.5.4.4.3 - Added new subsection titled, OMB Major Incidents.

(11) IRM 10.5.4.4.4 - Added "PGLD" to the title of the subsection. Added new (1); subsequent paragraphs renumbered. Throughout, made editorial changes and updated text for clarity. In (3) (a), updated the number of factors from four to three. Added new (4) (a), (b), and (c) and (5), (6), and (7).

(12) IRM 10.5.4.4.5 - Updated text in (1) to state no concurrence or approval by the PIIWG is required. Updated (2) to state the PPCAC no longer exists.

(13) IRM 10.5.4.4.6.1 - Moved the last sentence in (1) and (a) to (e) to (3). Content previously in (3) moved to (2). Content previously in (2) moved to new (4). Removed "at a minimum" from (3), 2nd sentence (note that (1) 2nd sentence is now (3)). Reorganized paragraphs for clarity; added a note to (1) to clarify that these procedures apply only to breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e); and added a note to (3) to state that individuals are not auto-enrolled.

(14) IRM 10.5.4.4.6.2 - Clarified that the signature on the breach notification letter shall be that of the Director, Privacy Policy and Compliance (PPC) and not that the Director, PPC actually signs each letter.

(15) IRM 10.5.4.4.6.3 - Added measures/goals for FY17.

(16) IRM 10.5.4.4.6.4 - Deleted two references to the PPCAC in (3) as the group no longer exists.

(17) IRM 10.5.4.4.7.1 - Added new (1) to clarify that these procedures apply only to breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e); subsequent paragraphs renumbered. In (5), updated the link to the Campus Program Locator Guide on SERP. In (6), deleted the see also tag for Exhibit 10.5.4-2 as the Exhibit has been deleted and added a link to the IRS Information Loss FAQs on SERP.

(18) IRM 10.5.4.4.7.2 - Updated IRM citation in (2) to IRM 25.23.12.3, Identity Theft Telephone Overview and General Guidance; and updated the wording in (2) from TPP/HRA IAT tool to IAT Disclosure tool and HRA IAT tool.

(19) IRM 10.5.4.4.7.3 - Added to (1), "See IRM 21.1.3.2.3, Required Taxpayer Authentication, for required use of the IAT Disclosure tool to perform authentication." Added citation to IRM 21.1.3.2.3 to (3) and updated text to eliminate duplication of BMF authentication probes as described in IRM 21.1.3.2.3.

(20) IRM 10.5.4.4.7.4 - Deleted "Identity Theft Protection Product/Credit Monitoring Services" from the title and the text; replaced it with "Identity Monitoring Service". Deleted references to the subscription period in (1) and the last sentence of (1). Added text for clarity; replaced "Equifax" with "the vendor" as appropriate. Deleted the last sentence in (1) first Note which contained Equifax enrollment instructions and clarified the second Note regarding POAs. In (3), deleted the telephone numbers for Equifax and added a Note to see the Information Loss FAQs on SERP for information concerning the current vendor and contact information.

(21) IRM 10.5.4.4.7.5 - Updated text and added telephone numbers to place fraud alerts.

(22) IRM 10.5.4.4.7.6 - Added a see also tag for IRM 21.3.5.4.2 to the end of (1), (2) and (3). Deleted (4); all subsequent paragraphs renumbered.

(23) IRM 10.5.4.4.7.7 - Updated (1) to clarify that this sub-section refers to individuals who have already been notified of an IRS breach via Letter 4281C. Updated IRM citations as follows: IRM 25.23.3.3.5 updated to IRM 25.23.3.2.5; IRM 25.23.2.6 updated to IRM 25.23.2.7; IRM 25.23.2.17 updated to IRM 25.23.2.16; and IRM 25.23.3.2.2 updated to IRM 25.23.12.5. Note that the 5th bullet of (2) was deleted via IPU 16U1636 and (3) was modified via the same IPU. See (1) of the Material Changes above.

(24) IRM 10.5.4.4.7.8 - Added Letter 4281 family of letters for the Get Transcript breach.

(25) IRM 10.5.4.5.1.1 - Added text to clarify what a TC 971 AC 505 does not do and a note stating that the AC 505 may be uploaded directly to IMFOLE at the request of PGLD/IM.

(26) IRM 10.5.4.6 - Deleted subsection titled, Awareness Training and Education; moved contents to IRM 10.5.4.2.

(27) IRM 10.5.4.7 - Deleted subsection titled IRS Data Loss and Identity Theft Information Links; moved contents to IRM 10.5.4.1.7, Related Resources.

(28) Exhibit 10.5.4-1 - Revised title from Glossary of Incident Management Terms and Definitions to Glossary of Incident Management Terms, Definitions, and Acronyms. Added definitions for Audience, Policy Owner, and Program Owner from IRM 1.11.2.1.5; added a definition for Fraud Alert; added a definition for "major incident" as defined in OMB M-17-05; added the definition of an "Incident" and updated the definition of a "Breach" as defined in OMB M-17-12; added a definition for Privacy Incident; updated the definition for Breach Incident and added examples; added a definition for Breach Management; updated the definition of Identity Theft; and updated the definition of Personally Identifiable Information to match the definition in OMB M-17-12 and to add a link to OMB M-17-12. Updated the definition for PPCAC. Added a definition for Sensitive Information copied from Exhibit 10.8.2-2 and a definition for Records and Information Management. Deleted the definition for Level 1 (L-1) Incidents and PPCAC.

(29) Exhibit 10.5.4-2 - Deleted the Exhibit titled IRS Information Loss Frequently Asked Questions (FAQs) as the FAQS are available on SERP at http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs_information_loss/irs_information_loss_toc.htm.

(30) Exhibit 10.5.4-3 - Deleted Exhibit titled References and moved the contents to IRM 10.5.4.1.7, Related Resources; all following Exhibits consequently renumbered.

(31) Throughout - Updated "incident", "incidents", "data loss", "data losses", and "information loss" to "breach" or "breaches" as applicable, or added "/breach" or "/breaches" if both "incident" and "breach" were applicable given the context.

(32) Throughout, updated "high risk of harm" to "likelihood of harm".

(33) Throughout, added "/PII" after "sensitive information" to clarify that "sensitive information" may be "PII".

(34) Throughout, replaced "Equifax" with "the vendor" as appropriate.

(35) Throughout, deleted "credit monitoring", "identity theft protection", "credit monitoring product", and "identity theft protection product" and replaced them with "identity monitoring service".

(36) Throughout, made editorial changes and updated text to improve clarity.

(37) Reviewed and updated links and citations, website addresses, legal references and IRM references as necessary. Updated links to PGLD webpages to the new Disclosure and Privacy Knowledge Base.

(38) Added Flexiplace (Telework) and Mobile employees to Audience in the Material Changes to ensure it’s understood that this IRM applies to all employees of the IRS and contractors.

Effect on Other Documents

This supersedes IRM 10.5.4 dated August 15, 2016 and incorporates SERP IPU 16U1636 issued 11-04-2016 for IRM 10.5.4.4.5.7(2) and (3).

Audience

The provisions in this manual apply to all divisions, functional units, managers, employees, and contractors of the Internal Revenue Service (IRS), as well as Flexiplace (Telework) employees (Occupational or Situational) and Mobile employees.

Effective Date

(10-19-2017)

Frances W. Kleckley
Director, Privacy Policy and Compliance
Privacy, Governmental Liaison and Disclosure

Program Scope and Objectives

  1. Purpose. This Internal Revenue Manual (IRM) section defines the mission, objectives, and governance structure of the Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, and disclosures involving Personally Identifiable Information (PII).

  2. Audience. The provisions in this manual apply Servicewide whenever PII is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS. This manual also applies to all Flexiplace (Telework) employees (Occupational or Situational) as well as Mobile employees.

    1. All IRS employees, contractors/vendors, and persons with authorized access to PII are responsible and accountable for complying with federal and IRS privacy, information protection, and data security, policies and procedures. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost, stolen or disclosed PII may be used to perpetrate identity theft or other forms of harm, if the information falls into unauthorized hands.

    2. All tax, privacy, and security clauses must be included in contracts as required by IRM 11.3.24, Disclosures to Contractors. Contractor employees must be trained about sensitive information protection requirements as required in Treasury Regulation 301.6103(n)-1(d).

    3. For additional information about security controls, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and Pub 4812, Contractor Security Controls.

  3. Policy Owner. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) is under the Office of the Deputy Commissioner for Operations Support.

  4. Program Owner. The Incident Management Office under the Office of Privacy Policy and Compliance (PPC) under PGLD is the program office responsible for this IRM.

  5. Contact Information. To recommend changes or make any other suggestions to this IRM section, email Shirley.A.Bogan@irs.gov, or the *PII Mailbox at pii@irs.gov.

Background

  1. Privacy, Governmental Liaison and Disclosure (PGLD). Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS), is responsible for ensuring consistency in all processes and procedures affecting the ways the Service handles privacy information protected by statute, regulation, Executive Order, or internal policy. PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS incidents involving the loss or theft of IRS assets containing PII, or the loss or theft of physical documents that include PII, or inadvertent disclosures of PII to a person, or persons, not authorized to receive the information. PGLD also leads IRS privacy and records policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS.

    Note:

    An incident involving the loss or theft of an IRS asset containing PII, or the loss or theft of a physical document that includes PII, or the inadvertent disclosure of PII to a person, or persons, not authorized to receive the information, is known as a breach. See IRM 10.5.4.1.5, Terms, for additional information and examples of breaches.

  2. PGLD Incident Management (IM) Office. IM was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against IRS data losses and misuse of sensitive personal data. Since September 2007, the IM Office (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for administering and managing agency program requirements by ensuring IRS incidents involving the loss or theft of IRS assets containing PII, or the loss or theft of physical documents that include PII, or inadvertent disclosures of PII to a person, or persons, not authorized to receive the information, are investigated, analyzed and resolved by the IM Team. IM is dedicated to assisting taxpayers and employees potentially impacted by IRS breaches by working quickly and thoroughly to investigate breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm. IM manages the reporting, risk assessment, and tracking of IRS breaches as well as breach notification to individuals potentially impacted by IRS breaches.

Authority

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII).

  2. The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, the Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact breach handling and breach notification policies. In January 2017, OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf, rescinded and replaced OMB M-07-16 and updated existing OMB breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA) and implemented recommendations included in OMB Memorandum M-16-04. See Related Resources, for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  3. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for breach management and breach notification. Consistent with the OMB directives, the IRS notifies potentially impacted individuals when the breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

Responsibilities

  1. Incident Management Program. The Incident Management Program includes the management of the IRS breach reporting process, as well as the risk assessment and tracking of IRS breaches and notification to individuals potentially impacted by IRS breaches.

    1. The Incident Management Program also includes output from CyberSecurity’s Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) application. IM receives events for investigation and will address applicable receipts within established procedures and collaborate on referred events not meeting IM’s criterion.

    2. IM has the following responsibilities related to administering the Incident Management Program in the IRS:

    • Interpreting federal laws, regulations, and policies relating to the protection of Personally Identifiable Information (PII). See IRM 11.3.1, Introduction to Disclosure, for more information about Disclosure and the protection of personal information.

    • Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 17-12 and related directives

    • Receiving SPIIDE events for investigation and addressing accordingly when received

    • Identifying and tracking IRS breaches

    • Conducting risk assessments of IRS breaches

    • Mitigating risks associated with IRS breaches before substantial damage occurs

    • Preparing all reporting documentation pertaining to IRS breaches

    • Making notification recommendations regarding potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities if necessary

    • Identifying emerging trends and developing appropriate strategies and responses

    • Improving procedures to reduce the occurrence of IRS incidents and breaches

    • Developing, defining, monitoring, and executing IM policies and procedures

    • Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual

    • Communicating and coordinating with internal stakeholders to ensure consistency regarding breach policy and issues

  2. Reporting Employees and Business Unit (BU) Data Owners. In addition to timely reporting so the PGLD IM team can begin its risk assessment process, reporting employees and BU data owners have other responsibilities:

    1. Containment. The BU data owners must take steps to contain the breach. For example, if employee or taxpayer data is inadvertently exposed on the internet, the BU data owner must immediately take steps to remove the data and/or close the access; or, if DVDs have been shared with material that should have been redacted, the BU must take steps to immediately recover them and request the recipient remove public access (if the information was made publicly available) and replace it with the proper data. The BU should contact Cybersecurity’s Online Fraud Detection and Prevention Office, if assistance is required to contain a breach involving an electronic transmission such as email or a breach involving the posting of information on the internet.

      Note:

      If the employee reporting the breach is not the BU data owner, the reporting employee must collaborate with the BU and PGLD/IMT to determine the best approach for managing containment.

    2. Providing Requested Information. Any information requested by PGLD/IM (e.g., SSNs, names, dates, etc.) must be provided as quickly as possible to ensure timely reporting and taxpayer notification. If a delay is likely, contact IM at 267-466-0777 to facilitate next steps.

    3. Mitigation. The BU data owner must analyze the event circumstances and determine the necessary steps to prevent similar breaches in the future. This could entail investigating the cause of the breach and developing a prevention plan if necessary. A prevention plan may include a security audit of both physical and technical security; a review and/or development of policies and procedures; and a review of employee training.

    4. Contacting Potentially Impacted Individuals. A reporting employee may contact a potentially impacted individual of a breach in which information was lost or stolen to explain that the original information/document was lost/stolen, and to request that the individual resend the information/document. If the reporting employee has any questions about contacting the potentially impacted individual, he or she may contact PGLD/IM at 267-466-0777, or the *PII mailbox at pii@irs.gov.

  3. For the definition of Reporting Employee and Data Owner, see IRM 10.5.4.1.5, Terms, and Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Measures and Reports

  1. PGLD/IM has established Business and Organizational measures to measure the timeliness of IRS breach notifications to potentially impacted individuals of IRS breaches. See IRM 10.5.4.4.6.3, Timeliness of the Breach Notification.

  2. PGLD/IM provides reports on Business Performance as it relates to IRS breaches to Points of Contact within each Business Unit.

    1. Quarterly Scorecard Report. This report lists the number of reported breaches received by PGLD/IM per quarter per BOD.

    2. Annual Trend Analysis Report. This report contains an analysis of the breaches that involved the disclosure of PII or the loss or theft of IRS assets containing PII reported to PGLD/IM to identify trends and identify areas where actions can be taken, such as employee education and training, to reduce the number of breaches, thereby reducing the potential exposure of PII.

Terms

  1. Incident. OMB M-17-12 defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

  2. Breach. A breach is a type of incident involving a loss, theft, or inadvertent unauthorized disclosure of PII. OMB M-17-12 defines a breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or, (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

    1. A breach is not limited to an occurrence where a person other than an authorized user potentially accesses PII by means of a network intrusion, a targeted attack that exploits website vulnerabilities, or an attack executed through an email message or attachment. A breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information. It may also include an authorized user accessing PII for an other than authorized purpose. Often, an occurrence may be first identified as an incident, but later identified as a breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

    2. Some common examples of a breach include:

    • A laptop or portable storage device storing PII is lost or stolen.

    • An email containing PII is inadvertently sent to the wrong person.

    • A box of documents with PII is lost or stolen during shipping.

    • An unauthorized third party overhears agency employees discussing PII about an individual seeking employment or Federal benefits.

    • A user with authorized access to PII sells it for personal gain or disseminates it to embarrass an individual.

    • An IT system that maintains PII is accessed by a malicious actor.

    • PII that should not be widely disseminated is posted inadvertently on a public website.

  3. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum 17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf.

    1. The term PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

    2. For more information about PII, visit the Personally Identifiable Information page in the Disclosure and Privacy Knowledge Base, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx and see IRM 10.8.1, Information Technology (IT), Security, Policy and Guidance, Personally Identifiable Information (PII).

  4. Sensitive But Unclassified (SBU) Information. Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For further information on SBU, see Sensitive But Unclassified (SBU) Data, on the Personally Identifiable Information page on the Disclosure and Privacy Knowledge Base, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx.

  5. Controlled Unclassified Information (CUI). A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. In the future, the designation CUI will replace Sensitive But Unclassified (SBU), but the exact time frame has not been determined by the IRS or Treasury. See IRM Exhibit 10.8.40-2, Glossary and Acronym List.

  6. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool. SPIIDE is a Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit.

  7. Data Owner. The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.

  8. Reporting Employee. The reporting employee is the employee who identifies/recognizes a breach and reports the breach as required. The reporting employee is responsible for reporting all pertinent information relative to the breach.

  9. For a full listing of IM terms and their definitions, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Acronyms

  1. The table below lists commonly used acronyms and their definitions:

    Acronym | Definition
    BRT | Breach Response Team
    BU | Business Unit
    IM | Incident Management
    OMB | Office of Management and Budget
    PGLD | Privacy, Governmental Liaison and Disclosure
    PII | Personally Identifiable Information
    PIIWG | PII Working Group
    PIPDS | Privacy, Information Protection and Data Security
    PPC | Privacy Policy and Compliance
    SPIIDE | Safeguarding Personally Identifiable Information Data Extracts
    SBU | Sensitive But Unclassified

  2. For a full listing of IM terms, definitions, and acronyms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Related Resources

  1. Disclosure and Privacy Knowledge Base. The Disclosure and Privacy Knowledge Base is located at: https://portal.ds.irsnet.gov/sites/VL003/Pages/default.aspx.

  2. OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget home page at https://obamawhitehouse.archives.gov/omb/memoranda_default/.

    1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

    2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

    3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

    4. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006

    5. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

    6. M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices, October 3, 2014

    7. M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016

    8. M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 3, 2017. This Memorandum rescinded and replaced OMB M-07-16, OMB M-06-19, OMB M-06-15 and Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006).

    9. M-12-18, Managing Government Records Directive, November 28, 2011.

  3. Other Federal Guidance. The President’s Identity Theft Task Force documents are available on the Federal Trade Commission website under News and Events/Press Releases at https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive.

    1. Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007, https://www.ftc.gov/reports/combating-identity-theft-strategic-plan

    2. Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007, https://www.ftc.gov/reports/combating-identity-theft-strategic-plan

    3. The President’s Identity Theft Task Force Report, September 2008, https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf

  4. IRS Internal Revenue Manuals.

    1. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

    2. IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

    3. IRM 1.15, Records and Information Management series.

  5. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues are provided in the table below.

    # | Title | Description | Link | Owner
    1 | Internal Revenue Service (IRS) Website | IRS Identity Protection home page | https://www.irs.gov/individuals/identity-protection | IRS
    2 | Internal Revenue Service (IRS) Website | Taxpayer Guide to Identity Theft | https://www.irs.gov/uac/taxpayer-guide-to-identity-theft | IRS
    3 | Federal Trade Commission (FTC) Identity Theft Website | Visit ftc.gov/idtheft for prevention tips and free resources. | https://www.consumer.ftc.gov/features/feature-0014-identity-theft | FTC
    4 | Federal Trade Commission (FTC) Identity Theft Website | IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process. | https://www.identitytheft.gov/ | FTC
    5 | Federal Trade Commission (FTC) data breach information | The FTC provides specific guidance for when a breach involves SSNs, payment card information, bank accounts, driver’s licenses, children’s information, and account credentials. | https://www.identitytheft.gov/Info-Lost-or-Stolen | FTC
    6 | Internal Revenue Service (IRS) Form 14039, Identity Theft Affidavit | Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that someone used his or her information to file taxes or to report that he/she is a victim of identity theft. | https://www.irs.gov/pub/irs-pdf/f14039.pdf | IRS
    7 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud | DOJ
    8 | Taxpayer Advocate Service (TAS) Website | Taxpayer Advocate Service home page | https://www.irs.gov/advocate | TAS
    9 | Social Security Administration (SSA) Website | Social Security Administration (SSA) home page | https://www.ssa.gov | SSA
    10 | Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number | Social Security Administration (SSA) Publication | https://www.ssa.gov/pubs/EN-05-10064.pdf | SSA
    11 | Identity Theft Task Force Webpage on the Federal Trade Commission (FTC) Website | President's Task Force on Identity Theft | https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive | Identity Theft Task Force
    12 | IRS Phishing Website | Instructions on how to report and identify phishing, email scams, and bogus IRS websites | https://www.irs.gov/uac/report-phishing | IRS
    13 | Credit Bureaus/Credit Reporting Agencies | Direct links to the three recognized credit bureaus/credit reporting agencies: Equifax, Experian, and TransUnion | http://www.equifax.com, http://www.experian.com, http://www.transunion.com/ | Equifax, Experian, and TransUnion
    14 | IRS Pub 4523 | Beware of Phishing Schemes | https://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS
    15 | IRS Pub 4524 | Security Awareness and Identity Theft | https://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS
    16 | IRS Pub 5027 | Identity Theft Information for Taxpayers | | IRS
    17 | Identity Theft Resource Center® (ITRC) Website | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC
    18 | OnGuard Online Website | Identity theft prevention tips from the federal government and technology industry | https://www.consumer.ftc.gov/features/feature-0038-onguardonline | FTC

  6. Internal IRS intranet links that provide general information on identity theft, identity theft-related issues, and breaches are provided in the table below.

    # | Title | Description | Link | Owner
    1 | Disclosure and Privacy Knowledge Base | Disclosure and Privacy homepage in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx | PGLD
    2 | Disclosure and Privacy Knowledge Base, Report Losses, Thefts and Disclosures page | Report Losses, Thefts and Disclosures page in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/lists/reportlossestheftsdisclosures/landingview.aspx | PGLD
    3 | Privacy, Governmental Liaison and Disclosure (PGLD) e-Trak Privacy on-line application | Privacy, Governmental Liaison and Disclosure (PGLD) PII Breach Reporting Form | https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2 | PGLD
    4 | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Guide | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Guide for reporting breaches in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/If%20Then%20Guide%20for%20Reporting%20Breaches-Rev%2006%20-27-2017.pdf | PGLD
    5 | Computer Security Incident Response Center (CSIRC) Website | Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form | https://www.csirc.web.irs.gov/incident/ | IT (Information Technology)
    6 | IRM 1.2.25.2 | IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | IRM 1.2.25.2 | IRS

Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by the Office of Privacy. These briefings provide information regarding privacy, disclosure, computer security, and UNAX to all employees.

Reporting Losses, Thefts and Disclosures

  1. All IRS employees are required to report, within one hour, the loss or theft of an IRS IT asset, an asset in the Bring Your Own Device (BYOD) program, or a hardcopy record or document containing sensitive information/PII, and any inadvertent unauthorized disclosure of sensitive information/PII, whether electronic, verbal, or in hardcopy form.

    Note:

    Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, email messages (printed), and personnel and job application information.

  2. Contractors should refer to Publication 4812, Contractor Security Controls, for incident/breach handling and reporting procedures.

Timely Reporting: Within One Hour

  1. All breaches involving personally identifiable information must be reported within one hour of discovering the breach.

  2. The timely reporting, within one hour, of all inadvertent unauthorized disclosures of sensitive information/PII, and all losses or thefts of sensitive information/PII and IRS IT assets and "BYOD" assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

Intentional Unauthorized Disclosures

  1. Breaches involving intentional unauthorized disclosures must be reported to the Treasury Inspector General for Tax Administration (TIGTA) as soon as possible. See IRM 11.3.1.7, Reporting Unauthorized Accesses or Disclosures, and IRM 11.3.38.6, Reporting Unauthorized Accesses or Disclosures, for additional information. See also Section 7213 of Title 26 which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents

  1. It is critical to report an incident/breach as soon as actionable information is available so a response/reaction can be initiated. Incident/breach updates and any additional notifications to TIGTA and/or Law Enforcement (see (3) and (4) below) can be completed after the initial report to the Office of Taxpayer Correspondence (OTC), Privacy, Governmental Liaison and Disclosure/Incident Management Office (PGLD/IM), or the Computer Security Incident Response Center (CSIRC) is submitted.

  2. An employee who becomes aware of an inadvertent unauthorized disclosure of sensitive information/PII, or the loss or theft of an IRS IT asset or "BYOD" asset, or the loss or theft of a hardcopy record or document containing sensitive information/PII, is required to report the incident/breach within one hour to his or her manager and to one of the following offices, based on what was lost, stolen, or disclosed:

    1. The Office of Taxpayer Correspondence (OTC). If the breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email, report it to OTC, using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form, at http://cmis.web.irs.gov/STACI/redbutton.aspx. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. See IRM 25.13.1.3, Erroneous Correspondence Procedures - Report Erroneous Correspondence Process. The OTC will notify the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), as necessary after an initial analysis of the breach. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of breaches to PGLD/IM, lessens the operational impact of reporting a breach, and focuses resources on correcting the error to prevent additional breaches/losses.

    2. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM). If the breach involves an inadvertent unauthorized verbal disclosure of sensitive information/PII, or lost/stolen hardcopy records or documents containing sensitive information/PII, packages lost/stolen during shipment, etc., report it to PGLD/IM, using the PII Breach Reporting Form at https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2. Call 267-466-0777 if you have any problems with the online form or any questions about completing the online form.

      Note:

      If you participate in the Bring Your Own Device (BYOD) program, you must report the loss or theft of your "BYOD" asset to PGLD and also open a KISAM ticket to report the loss or theft.

      Note:

      The loss or theft of official records (whether or not the records contain PII) must also be reported to the Records Specialist (formerly Area Records Managers (ARM)) or the IRS Records Officer, as per IRM 1.15.3.4, Unauthorized or Accidental Destruction of Records.

    3. The Situational Awareness Management Center (SAMC). If the incident involves lost or stolen Smart-ID cards or lost or stolen pocket commissions (credentials), report it to SAMC using SAMC’s Incident Report Form at http://vgdiw30vp005527/archibus/login.axvw. After selecting the Incident Report Form at http://vgdiw30vp005527/archibus/login.axvw, select Workplace Services; then select SAMC; then select Incident; then select Report Incident. Under Incident Type, select Lost Pocket Commissions and follow the instructions on the page.

    4. The Computer Security Incident Response Center (CSIRC). If the incident/breach involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.), report it to CSIRC using the Computer Security Incident Reporting Form at https://www.csirc.web.irs.gov/incident/, or by calling 240-613-3606.

      Note:

      If the incident/breach involves both the loss or theft of an IRS IT asset, e.g., the loss or theft of an IRS issued laptop, flash drive, etc., and the loss or theft of hardcopy records or documents containing sensitive information/PII, packages lost during shipment, etc., report the breach to CSIRC. Do not report it to PGLD/IM.

  3. The Treasury Inspector General for Tax Administration. You must also report the incident/breach to the Treasury Inspector General for Tax Administration (TIGTA), if the incident/breach involves a loss or theft of an IRS IT asset or non-IRS IT asset (BYOD device), e.g., computer, laptop, router, printer, removable media (CD/DVD, flash drive, floppy, etc.), or a loss or theft of hardcopy records/documents containing sensitive information/PII, at 800-366-4484.

  4. Local Law Enforcement. If the incident/breach involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

    Note:

    Visit the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base at https://portal.ds.irsnet.gov/sites/vl003/lists/reportlossestheftsdisclosures/landingview.aspx and the IF/THEN Guide at https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/If%20Then%20Guide%20for%20Reporting%20Breaches-Rev%2006%20-27-2017.pdf, for additional information and guidance. If you are a Flexiplace (Telework) employee (Occupational or Situational) or a Mobile employee, print a copy of the If/Then Guide for the office and one to keep at home in case your IT asset is lost or stolen, and you can’t access IRWeb.

Inadvertent Accesses of Taxpayer Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access.

  2. Form 11377 may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to PGLD/IM, CSIRC or OTC.

"No Reporting" Situations

  1. The following are examples of situations which require no reporting to PGLD/IM, CSIRC, OTC, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    5. An IRS employee follows procedures in IRM 21.1.3.12, Suicide Threats, to disclose a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure, TIGTA, SAMC, and the Office of Employee Protection, no reporting to PGLD/IM is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, IRM 10.2.8, Incident Reporting, and the Governmental Liaison, Disclosure and Safeguards (GLDS) Unique Situations webpage at https://portal.ds.irsnet.gov/sites/vl003/Lists/UniqueSituations/LandingView.aspx for the procedures to follow when a taxpayer threatens suicide or when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, for additional information regarding erroneous correspondence procedures.

PGLD/Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS breaches by PGLD/IM as well as notification to potentially impacted individuals.

PGLD/Incident Management Intake

  1. When an IRS breach occurs, depending on the information lost, stolen, or disclosed, employees report the breach to the Computer Security Incident Response Center (CSIRC), the Office of Taxpayer Correspondence (OTC), or PGLD/IM through an on-line reporting form that uploads directly to e-Trak.

    1. A breach is reported to PGLD/IM if the breach involves a verbal disclosure, or lost/stolen hardcopy records or documents containing sensitive information/PII, packages lost/stolen during shipment, etc. The breach is also reported to PGLD/IM if the breach involves a non-IRS IT asset, i.e., an asset in the Bring Your Own Device (BYOD) program.

    2. A breach is reported to OTC if the breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email.

    3. An incident/breach is reported to CSIRC if the incident/breach involves the loss or theft of an IRS IT asset, or multiple assets, i.e., an IRS IT asset and hardcopy records or documents containing sensitive information/PII. Note that the form and instructions for incidents/breaches involving IT assets are different from the forms and instructions for all other breaches.

  2. After the breach is reported, members of the IM team receive notification via email (delivered to the PII mailbox) from either CSIRC or e-Trak. The email contains the information necessary to conduct a risk assessment.

    1. The PII mailbox (*PII) is a centralized communication tool used by the IM Team to send and receive all communications throughout the breach intake process. Breach summaries with a brief description of the breach are automatically sent via email to the PII mailbox whenever breaches are reported to CSIRC via the Computer Security Incident Reporting Form or to PGLD/IM via the Breach Reporting Form.

      Note:

      Incident Management Intake may also include events received from SPIIDE for investigation.

  3. PGLD/IM performs an initial assessment of the breach. If PII or SBU data is involved, PGLD/IM will review the information submitted and will, if necessary, request additional information to fully assess the breach and to complete the risk assessment. PGLD/IM will send an Impacted Individuals and/or Business Excel Spreadsheet to the reporting IRS employee and the employee's manager, unless the breach is input through the online form, in which case the reporting employee and manager receive the spreadsheet as an attachment to the email from e-Trak. The reporting employee is responsible for providing the tax identification numbers of the potentially impacted individuals and emailing the spreadsheet via secure email to *PII.

    1. The PGLD/IM and CSIRC Breach/Incident Reporting Forms provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Business Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the breach.

High Profile and Sensitive Breaches

  1. A High Profile or Sensitive Breach is defined as one that represents significant risk to:

    1. Customers: Affects a significant number of individuals or high profile individuals;

    2. Business Results: Overwhelming increase of phone traffic, reduced taxpayer access to IRS systems; or,

    3. IRS Reputation: Potential for extensive media involvement or negative exposure.

  2. PGLD/IM escalates/reports all high profile and sensitive breaches involving the loss, theft, or disclosure of sensitive data to the Privacy Policy and Compliance (PPC) Leadership Team before proceeding with further reporting duties. The PPC Leadership Team consists of the Director, Privacy Policy and Compliance, the Deputy Director, Privacy Policy and Compliance, and the Associate Director, Incident Management, as well as other staff that may be designated by these officials to participate on the team and/or to receive emails about the high profile or sensitive breach. The escalation of high profile and sensitive breaches allows for the expedited development of preventative actions and gives appropriate offices a head start to work the issue.

  3. Certain high profile or sensitive breaches may require significant involvement and coordination from multiple offices. Examples include breaches involving high profile individuals, breaches which could generate a high volume of calls or with potential for media involvement, and other unusual circumstances. For these breaches, PPC Leadership is responsible for activating a Breach Response Team (BRT) in accordance with the PGLD Response Plan for High Profile and Sensitive Breaches.

  4. PGLD/IM reports High Profile and Sensitive Breaches to the AWSS Threat Information and Critical Incident Response Initiative (TIRC). The TIRC is comprised of staff from Facilities Management and Security Services (FMSS), the Treasury Inspector General for Tax Administration-Criminal Intelligence and Counterterrorism Group (TIGTA-CICT), Criminal Investigation (CI), Federal Protective Service (FPS), the Computer Security Incident Response Center (CSIRC), and the Office of Privacy, Governmental Liaison and Disclosure (PGLD). The mission of the TIRC is to identify and mitigate threats and record countermeasures and mitigation strategies as it pertains to Federal tax administration and the IRS for the protection of service operations. Reporting to SAMC may also be required if the reporting does not lead to SAMC Leadership messaging and communication is warranted based on the circumstances of the event.

OMB Major Incidents

  1. FISMA 2014 requires the Office of Management and Budget (OMB) to define the term "major incident" and directs agencies to report major incidents to Congress within 7 days of identification.

  2. A "major incident" as defined by OMB M-17-05 is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

  3. A breach constitutes a "major incident" when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a "major incident".

  4. PGLD/IM coordinates with Treasury for the appropriate actions and reporting, including reporting to Congress, whenever a breach is identified as an OMB major incident.

PGLD/Incident Management Risk Assessment

  1. The IRS assesses the risk of harm to individuals potentially impacted by a breach. When assessing the risk of harm to individuals potentially impacted by a breach, the potential harms that could result from the loss or compromise of PII must be considered. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, financial harm, the disclosure of contact information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem. Additionally, the Privacy Act requires the IRS to protect against any anticipated threats or hazards to the security or integrity of records which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. The IRS must consider any and all risks relevant to the breach, which may include risks to the agency, agency information systems, agency programs and operations, the Federal Government, or national security. These additional risks may properly influence the IRS’ overall response to a breach and the steps the IRS should take to notify individuals.

  2. PGLD/IM performs a risk assessment to evaluate the likely risk of harm for all reported IRS breaches, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the breach into one of four levels - No Impact; Low Impact; Moderate Impact; and High Impact. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a breach should be given.

  3. PGLD/IM uses the following three-step methodology to assess the risk of harm for all reported IRS breaches:

    1. Step 1: Key factors. Each of the three factors identified by OMB M-17-12 (the nature and sensitivity of the PII potentially compromised by the breach; the likelihood of access and use of the PII potentially compromised by the breach; and the type of breach) is assessed in relation to the specific breach to determine the potential likelihood of harm to individuals. See (4) below for additional information on the risk assessment factors.

    2. Step 2: Factor ratings. Each of the three factors is rated based on its impact level (high, moderate, low, or no impact) with corresponding points from 3 to 0 assigned to each impact level.

    3. Step 3: Breach categorization. Based on the total factor rating points the breach is categorized into one of four levels. Breaches with a total factor rating point between 8 and 9 are considered Level Three (High Impact). Potentially impacted individuals involved in a breach categorized as Level Three (High Impact) will be sent a breach letter.

  4. The IRS risk assessment includes the following key factors and considerations for assessing the risk of harm to potentially impacted individuals, at a minimum:

    1. The nature and sensitivity of the PII potentially compromised by the breach, i.e., including the potential harms that an individual could experience from the loss or compromise of the type of PII. At a minimum, the following items are considered when assessing the nature and sensitivity of the PII potentially compromised by a breach: Data Elements, including an analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together; Context, including the purpose for which the PII was collected, maintained, and used; Private Information, including the extent to which the PII constitutes information that an individual would generally keep private; Vulnerable Populations, including the extent to which the PII identifies or disproportionately impacts a particularly vulnerable population; and Permanence, including the continued relevance and utility of the PII over time and whether the information will permanently identify an individual.

    2. The likelihood of access and use of the PII potentially compromised by the breach, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means. The following items are considered when assessing the likelihood of access and use of PII potentially compromised by a breach: Security Safeguards, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means; Format and Media, including whether the format of the PII or the media on which it is maintained may make it difficult and resource-intensive to use; Duration of Exposure, including how long the PII was exposed; and Evidence of Misuse, including any evidence confirming that the PII is being misused, or that it was never accessed.

    3. The type of breach, including the circumstances of the breach, as well as the actors involved and their intent. The following items are considered when determining the type of breach:

      • Intent, including whether the PII was compromised intentionally, unintentionally, or whether the intent is unknown; and

      • Recipient, including whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient.

  5. Identifying the data elements involved in the breach and assessing the impact of the breach are key items that must be considered in determining if, when, and how notification will be provided to potentially impacted individuals.

  6. After IM has completed its risk analysis of a breach and developed a recommendation regarding the appropriate response, if the breach has been categorized as "High Impact", the recommendation is presented to the Incident Management Associate Director for review and approval.

  7. If the notification recommendation is to notify potentially impacted individuals, and if the IM Associate Director concurs with the recommendation, then potentially impacted individuals are notified of the breach via Letter 4281C, IM Breach Notification Letter.

The PII Working Group (PIIWG) and the Privacy Policy and Compliance Advisory Committee (PPCAC)

  1. The PII Working Group (PIIWG) is a decision-making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement, and information security. A Code Red Recommendations Report is presented to the PIIWG weekly by PGLD/IM for information only; no concurrence or approval by the PIIWG is required.

  2. The Privacy Policy and Compliance Advisory Committee (PPCAC) no longer exists. It was a committee comprised of executives from all key business and functional unit stakeholders. It was originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and breach policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives.

PGLD/Incident Management Breach Notification

  1. The IRS, through PGLD/IM, will notify potentially impacted individuals if the evaluation of an IRS breach results in a likelihood of harm to these individuals.

  2. The IRS, through PGLD/IM, will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS, through PGLD/IM, will identify individuals who have been sent Letter 4281C by marking each entity (on CC ENMOD and/or CC IMFOLE) with the IRS breach (data loss) indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying the IRS Breach Tracking Indicator to IRS Breaches, for additional information.

  4. The objectives of communications in the event of a possible compromise of sensitive information within the IRS are as follows:

    1. To comply with the Office of Management and Budget (OMB) and Treasury Department directives which mandate notification to potentially impacted individuals if there is a potential risk that the compromised data may be used by someone other than the owner of the information to commit a crime or fraud.

    2. To minimize the possible negative impact of the compromised data on the taxpayer/victim.

    3. To ensure the IRS' relationship with the impacted individual(s) will not be so damaged as a result of the breach that it negatively impacts his or her tax filing and paying obligations.

Contents of the Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS breaches using Correspondex Letter 4281C, IM Breach Notification Letter; however, the IRS may use a unique letter when deemed necessary and appropriate.

    Note:

    These procedures apply only to breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. Remedial services such as identity monitoring services are offered to potentially impacted individuals of an IRS breach as part of the overall OMB requirement regarding implementation of a breach response program to mitigate the likely risk of harm.

  3. Breach notifications will be written plainly and clearly, and will generally include the following information:

    1. A brief description of what happened, including the date of the breach;

    2. To the extent possible, a description of the type of PII disclosed as a result of the breach (e.g., name, SSN, date of birth, address, etc.);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free telephone number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity monitoring service at no cost, and the contact information for the vendor providing the service.

      Note:

      The IRS does not auto-enroll potentially impacted individuals. The potentially impacted individual must contact the vendor in order to sign up for the free identity monitoring service.

  4. The Privacy and Information Protection (PIP) toll-free telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

Breach Notification Signature
  1. The signature on the IRS breach notification letter shall be that of the Director, Privacy Policy and Compliance (PPC).

Timeliness of the Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS breaches without unreasonable delay following the completion of the risk assessment process.

  2. Beginning with fiscal year 2012, the business measure/lapse time goal was an average of 19 days or less from the PGLD(IM)/CSIRC Report Date to the Breach Notification Letter Date. For FY16, the business measure/lapse time goal was reduced to an average of 16 days or less with the primary goal being a median of 14 days or less. For FY17, the average was reduced to 10 days or less with the primary goal being a median of 10 days or less.

  3. Also beginning in FY12, a new Organizational goal was introduced to measure the average elapsed time between the Breach Date and the Breach Notification Letter Date. The lapse time goal was established at 60 days for FY12; reduced to 54 days for FY13; reduced to 50 days for FY14; further reduced to 40 days for FY15; reduced to 32 days for FY16 with the primary goal being a median of 30 days or less; and further reduced to an average of 26 days or less with the primary goal being a median of 24 days or less for FY17.

  4. In FY16, a new OMB measure was added to the list of measures. This measure is the percentage of breaches with 30 days or less from the Report Date to the Letter Date. For FY16, the goal was 90% or more; in FY17, the goal was increased to 94% or more.

  5. The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

Means of Providing Breach Notifications
  1. The IRS will provide written notification to the individual's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the BRT, and consistent with applicable law, the IRS may notify external entities. In making its decision, the BRT will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the breach (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the breach (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

Ongoing Support

  1. Based on the circumstances of the breach, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free telephone number staffed by trained IRS personnel to respond to general breach-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on IRS breaches that affect an individual's tax account, such as phishing schemes

  2. The PGLD/Incident Management Program is supported by Wage and Investment's (W&I) Accounts Management (AM). AM CSRs support PGLD/IM by assisting individuals who call the Privacy and Information Protection (PIP) toll-free telephone number (866-225-2009) provided in Letter 4281C, IM Breach Notification Letter. AM CSRs are trained to respond to IRS breach questions and questions regarding Letter 4281C.

Handling Inquiries Regarding IM Breach Notification Letters
  1. These procedures apply only to breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. The contact telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. The 4281C Letter does not require individuals to contact the Internal Revenue Service; however, some individuals may call with questions or concerns about the letter. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

  3. In some instances, individuals who receive Letter 4281C may call an IRS telephone number other than the number provided in the letter (866-225-2009). If an IRS phone assistor other than an AM Customer Service Representative (CSR) receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), transfer the call to extension 92161 (for callers needing assistance in Spanish, use extension 92162).

  4. AM CSRs answer general breach-related inquiries regarding the IRS breach and prepare a Form 4442, Inquiry Referral Form, if the caller requests specific information regarding the breach that the AM CSR is unable to answer. The Form 4442 is directed to PGLD's IM office in Philadelphia for resolution. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

  5. Correspondence (and any attachments) received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the local Image Control Team (ICT) for scanning and controlling. See IRM Exhibit 3.10.72-2, Correspondex "C" Letters - Routing Guide; IRM Exhibit 3.13.16-1, Appendix A - Document Types, Category Codes, IMF; IRM Exhibit 3.13.6-14, Appendix N - Document Types, Category Codes, Priority Codes, IDT - IMF, Doc Type: ID Theft: IDT5; and IRM 21.5.1.4.2.3, Clerical Function for the Image Control Team (ICT) Correspondence Imaging System (CIS), for information regarding ICT; IRM 21.5.1.5, Correspondence Imaging System (CIS) Procedures, for information regarding CIS procedures; and the Miscellaneous section of the Campus Program Locator Guide (located under the Who/Where tab) (http://serp.enterprise.irs.gov/databases/who-where.dr/transshipment.dr/campus_locator_guide/ICT.htm) to determine the address for your local ICT function. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    1. If scanning is not available, route the correspondence and any attachments received in response to Letter 4281C, or addressed to employee 0847999999, to AM. See the address table below, and IRM 10.2.13.4.4.1, Shipping Personally Identifiable Information (PII), for policy and guidance relating to protecting and handling sensitive information.

    2. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) at 855-807-5720. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    United States Postal Service (USPS) Mailing Address:
      Internal Revenue Service
      Accounts Management
      Fresno, CA 93888-0025

    Private Delivery Service (PDS) Mailing Address:
      Internal Revenue Service
      Accounts Management
      5045 East Butler Avenue, Fresno, CA 93727

  6. See the IRS Information Loss/Breach Frequently Asked Questions (FAQs) on SERP at http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs_information_loss/irs_information_loss_toc.htm, for a list of frequently asked questions regarding the IRS Breach Notification Letter (Letter 4281C) and general questions regarding IRS Information Losses/Breaches.

IMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. When taking calls from impacted individuals, a consistent and proper greeting is required. Refer to procedures in IRM 21.1.1.7, Communication Skills.

  2. Employees are required to authenticate callers to ensure the person calling is the individual impacted by the breach. See IRM 25.23.12.3, Identity Theft Telephone Overview and General Guidance, for required use of the IAT Disclosure tool and the HRA IAT tool to perform authentication; IRM 21.1.3.2.3, Required Taxpayer Authentication; and IRM 21.1.3.2.4, Additional Taxpayer Authentication.

  3. If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a Power of Attorney (POA) in connection with the breach. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the breach as a matter for which the POA has authority.

  4. High risk authentication per IRM 21.1.3.2.4, Additional Taxpayer Authentication, is also required. Ask the caller for the Breach Date and Breach Number as part of the authentication process. The Breach Date, if included in the letter, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. In some situations, a caller may want to receive as much information as possible about the breach, but is not willing to provide his or her SSN/TIN. In these situations, the CSR may still answer general questions about the breach and answer all the taxpayer's questions using the Frequently Asked Questions (FAQ), but a referral may not be made for any specific questions regarding the breach. CSRs must be sensitive to the caller's tone and ensure callers are given as much information as they are entitled to receive without providing their TIN. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls Regarding IRS Breach Notification Letters.

  6. In some breaches, impacted individuals receiving notices may be IRS employees. In these cases, follow guidance in IRM 21.1.3.8, Inquiries from IRS Employees.

BMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. Some impacted parties may be business entities, and letters may be sent to business-related entities (sole proprietorships, corporations, LLCs, etc.). A caller may be required to be an owner of a small business or an officer of a corporation before employees are able to talk to him or her about the breach. To ensure a caller is an individual who is allowed to receive information about the breach, AM CSRs will need to conduct an identity check with the caller. See IRM 21.1.3.2.3, Required Taxpayer Authentication, for required use of the IAT Disclosure tool to perform authentication.

  2. In addition to the authentication probes outlined in IRM 21.1.3.2.3, Required Taxpayer Authentication, ask the caller representing the BMF entity to provide the following information:

    • The Breach Number, located to the right and just above the Salutation (Dear Taxpayer) on Letter 4281C, and

    • The Breach Date, located in the first paragraph of Letter 4281C.

  3. If the caller is unable or unwilling to provide the EIN, tell the caller that a Referral may not be made for any specific questions regarding the breach. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls Regarding IRS Breach Notification Letters.

    Note:

    It will not be necessary to access any tax account information on the BMF case to assist the caller. If at any time you feel the caller is not entitled to receive general information, and the caller is insistent on receiving as much information as he or she can, be sure not to disclose any specific account information.

Free Identity Monitoring Service
  1. The IRS is offering an identity monitoring service at no cost to individuals potentially impacted by an IRS breach if the risk assessment results in a likelihood of harm.

    Note:

    The IRS assigns a unique enrollment promotion code/verification code via Letter 4281C, IM Breach Notification Letter, to each individual potentially impacted by an IRS breach if the risk assessment results in a likelihood of harm. The potentially impacted individuals must contact the vendor in order to sign up for the free identity monitoring service.

    Note:

    A POA cannot sign up for the free identity monitoring service on behalf of his or her client.

  2. AM CSRs do not have access to the vendor’s system; therefore, CSRs cannot assist the caller with the enrollment.

  3. AM CSRs can assist with:

    • Providing the toll-free number for the vendor. See Note below.

    • Reviewing the online and telephone enrollment instructions included in Letter 4281C, IM Breach Notification Letter. See Note below.

    • Informing the individual that, if he or she is having difficulty enrolling in the vendor’s system, he or she has the option of speaking with a live agent by calling the vendor. Remind the individual that he or she will need to have his or her unique enrollment promotion code/verification code (assigned in Letter 4281C) available when contacting the vendor. See Note below.

    • Ensuring the individual understands what he or she needs to do to monitor his or her credit report and other financial information. See Note below.

    Note:

    See the IRS Information Loss FAQs on SERP at http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs_information_loss/irs_information_loss_toc.htm for current vendor name and contact information.

Fraud Alerts
  1. A Fraud Alert is a consumer statement added to an individual’s credit file that alerts creditors that the consumer may be a victim of fraud.

  2. This statement requires creditors to take certain steps to verify the consumer’s identity before establishing any new credit accounts in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.

  3. All three credit reporting agencies (Equifax, Experian, and TransUnion) have fraud reporting services. The consumer only needs to contact one of them. The agency initially contacted will notify the other two.

  4. A consumer can place a fraud alert on his or her credit file by contacting:

    • Equifax at 800-525-6285 or www.equifax.com

    • Experian at 888-397-3742 or www.experian.com

    • TransUnion at 800-680-7289 or www.transunion.com

  5. Callers may request a fraud alert at any time within 90 days of receiving Letter 4281C, IM Breach Notification Letter.

  6. AM CSRs will NOT suggest this service to the caller unless the caller inquires about it and expresses interest in it.

Referrals to PGLD’s Incident Management Office
  1. If a caller states he or she received a letter from the IRS regarding a breach but has lost or misplaced the letter, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  2. If a caller states he or she attempted to redeem the Promotion Code included in the breach letter but was told the Promotion Code is expired, invalid, or does not work, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  3. If the caller is requesting additional information or details about the breach, is unsatisfied with the limited information you can provide, and is insistent on receiving more information about the breach than what was already provided, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  4. In addition to the required fields as noted in IRM 21.3.5.4.2, if available, include the Breach Date and Breach Number, as shown on the caller's letter, in the Referring To field (Box #5) of Form 4442/e-4442. The Breach Date, if included in the Letter 4281C, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. A brief narrative must be completed in the Taxpayer Inquiry/Proposed Resolution section (Part III, Section B) of Form 4442/e-4442. Include in the Taxpayer Inquiry/Proposed Resolution section of the Form 4442/e-4442 the IRM reference (IRM 10.5.4.4.5.6) directing the referral, the reason you are making the referral, and a complete description of the caller’s issue. Also document the response time frame provided to the caller and the fax number for PGLD/IM.

  6. Inform the caller that a referral has been completed in response to his or her inquiry. Tell the caller he or she will hear from us within 30 calendar days. See IRM 21.3.5.4, Referral Procedures.

  7. Document AMS with the details of the Referral. See IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls Regarding IRS Breach Notification Letters. EXCEPTION: If the AMS or CIS system is down, then narratives and/or case notes will not be required.

  8. All Forms 4442 will be collected by the Lead CSR at the beginning of each business day and faxed to the IM Office in Philadelphia. The IM EEfax number is listed on the Form 4442 Referral Fax Numbers list (Site: Philadelphia and Function: PGLD: Incident Management) located on the SERP Who/Where tab at http://serp.enterprise.irs.gov/databases/who-where.dr/referral_fax_numbers.htm.

  9. An analyst from PGLD/IM will contact the sender via secure email confirming receipt of the faxed Forms 4442. Once confirmation is made, the original Form 4442 can be destroyed. If no confirmation email is received within 48 hours from the fax date, re-faxing the Form 4442 will be required.

Caller Indicates He/She is a Victim of Identity Theft as a Result of an IRS Breach
  1. A caller who has already been notified of an IRS breach via Letter 4281C may indicate he or she is already a victim of identity theft as a result of the IRS breach and would like the IRS to assist him or her in dealing with the identity theft.

    Note:

    As part of the Identity Theft Program, AM will generally assist taxpayers whose situations meet TAS criteria 5 - 7 AND involve identity theft. See IRM 25.23.3.2.5, Identity Theft Assistance Request (ITAR) - General Information.

  2. AM CSRs will:

    • Apologize to the caller for any inconvenience.

    • Research the taxpayer's TIN thoroughly to see if there is a tax related issue related to the ID theft as defined in IRM 25.23.2.7, Identity Theft Research.

    • If a tax related issue is involved, see IRM 25.23.12.5, Tax-Related Identity Theft.

    • Input an Identity Theft Tracking Indicator as directed in IRM 25.23.2.16, Initial Allegation or Suspicion of Tax-Related Identity Theft - IMF Identity Theft Indicators.

  3. If the taxpayer is threatening litigation or legal action because the IRS breach resulted in identity theft, in addition to the above actions, prepare a Form 4442, Inquiry Referral, to alert the IM Office of the possible litigation or legal action. See the referral procedures in IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

Updating History on Accounts Management Services (AMS) for Calls Regarding IRS Breach Notification Letters
  1. The Privacy and Information Protection (PIP) toll-free number, 866-225-2009, is included in Letter 4281C, IM Breach Notification Letter, as well as the family of letters (Letter 4281-A, Letter 4281-B, Letter 4281-E, Letter 4281-F, and Letter 4281-G) developed for the Get Transcript breach. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162). AM CSRs working programs related to IM/IRS breach notification letters are required to add an issue to identify the type of inquiry as well as leave a brief narrative of what was covered with the caller.

    Exception:

    If the AMS or CIS system is down, then narratives and/or case notes will not be required.

    Note:

    Although the SSN is not shown on Letter 4281C, IM Breach Notification Letter, employees will need to secure the caller's SSN in order to update AMS. If the caller is unwilling to provide the employee with his or her SSN, it will not be possible to update AMS.

Undelivered Letter 4281C
  1. Undeliverable procedures must be followed. Refer to (3) of IRM 21.3.3.4.12.1.1, Undelivered Mail Procedures for Accounts Management, for research procedures for undeliverable mail.

  2. If a new address is found, address an envelope with the new address and mail the undeliverable Letter 4281C, IM Breach Notification Letter to the new address.

  3. If a new address is not found, treat Letter 4281C as Classified Waste.

    Note:

    Because this process has to do with IRS breaches, and not specifically tax-related issues, a representative or a POA must not be contacted when following the Undeliverable procedures unless the POA specifically identifies the breach.

Retention and Disposition

  1. IM will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS breach.

IRS Breach Tracking Indicator - Objectives

  1. The Incident Management Program tracks IRS breaches to support the following objectives:

    1. Reduce taxpayer burden while addressing IRS breaches.

    2. Increase operational efficiency of the IRS by detecting and processing reported IRS breaches as early and consistently as possible.

IRS Breach Tracking Indicator - Development and Implementation

  1. PGLD developed an IRS breach indicator Action Code to centrally track IRS breaches.

  2. The IRS breach indicator was implemented by PGLD to identify individuals whose PII was lost, stolen, or disclosed as a result of an IRS breach.

  3. The IRS breach indicator is input as a Transaction Code (TC) 971 with Action Code (AC) 505. The TC 971 AC 505 is displayed on the Integrated Data Retrieval System (IDRS) on the entity portion of each affected individual's account (CC ENMOD and CC IMFOLE).

Applying the IRS Breach Tracking Indicator to IRS Breaches
  1. The TC 971 AC 505 is an IRS Breach Tracking Indicator (also known as a Data Loss Tracking Indicator) - not an identity theft indicator.

  2. The TC 971 AC 505:

    1. Will not block, or prevent, online system access.

    2. Will not stop registration for online services, including Get Transcript or IPPIN.

    3. Will not stop paper requests for a transcript (Form 4506/T).

  3. PGLD/IM inputs a TC 971 AC 505 on the entity portion of an individual's account (as long as the entity is established on the Master File) when all of the following occur:

    1. An individual's IRS-held PII was lost, disclosed, or stolen.

    2. The breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

    3. The IRS notifies the individual of the breach via Letter 4281C, IM Breach Notification Letter, or similar letter in some circumstances (such as letters developed for the Get Transcript breach).

    Example:

    Case files containing PII were lost while being shipped from one location to another. Since the breach risk assessment resulted in a likelihood of harm, IM will send breach notification letters to the potentially impacted individuals.

  4. Input of TC 971 AC 505 is limited and reserved for use by PGLD/IM employees; however, this indicator is visible and available for reference on the entity portion (CC ENMOD or CC IMFOLE) of an individual’s account. See Exhibit 10.5.4-2, TC 971 AC 505 — IRS Breach (Data Loss) Indicator, for more information about this indicator.

    Note:

    At the request of PGLD/IM, for large scale breaches, the TC 971 AC 505 may be uploaded directly to CC IMFOLE by Return Integrity and Compliance Services (RICS).

  5. PGLD/IM inputs TC 971 AC 505 on an account regardless of the existence of any identity theft indicator codes that may be present on the account.

  6. There can be multiple IRS breach indicators input/present on an individual's account. Each TC 971 AC 505 represents a different IRS breach.

  7. In some instances, it may be necessary for PGLD/IM personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD/IM employees, Exhibit 10.5.4-3, TC 972 AC 505 — Reversal of TC 971 AC 505, is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

Glossary of Incident Management Terms, Definitions, and Acronyms

Term | Definition
Access | The ability or opportunity to gain knowledge of personally identifiable information.
Accounts Management (AM) CSRs | AM CSRs assist individuals impacted by IRS breaches by answering general breach-related inquiries or by preparing a Form 4442, Inquiry Referral, if the caller requests specific information about the breach that the AM CSR is unable to answer. AM CSRs also assist individuals impacted by identity theft, or who could become victims of identity theft in the future because of a data loss such as a lost or stolen purse or wallet, questionable credit card activity, etc. AM CSRs provide this assistance even if the individual has not experienced any problems with, or received communications from, the IRS.
Audience | The employees responsible for taking action or who require knowledge about the program, process, or activity.
Breach | OMB M-17-12 defines a breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.
Breach Incident | An incident involving a loss, theft, or inadvertent unauthorized disclosure of personally identifiable information. Common examples include: a laptop or portable storage device storing PII is lost or stolen; an email containing PII is inadvertently sent to the wrong person; or a box of documents containing PII is lost or stolen during shipping.
Breach Management | The process of managing breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII.
Breach Notification | The process of notifying potentially impacted individuals after the evaluation of a breach concludes that there is a likelihood of harm to those individuals.
Breach Risk Assessment | A risk assessment conducted on an IRS data loss, theft, or inadvertent unauthorized disclosure of personally identifiable information. The risk assessment includes factors that must be considered, specifically the context of the breach and the data that was disclosed. Example: an IRS employee in the field loses a taxpayer case file. The case file contained PII such as name, address, social security number, and other tax data. It is not known whether the loss of the PII will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine whether notification should be given to the potentially impacted individual.
Controlled Unclassified Information (CUI) | A categorical designation for unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. In the future, the designation CUI will replace Sensitive But Unclassified (SBU), but the exact timeframe has not been determined by IRS or Treasury.
Data Owner | The Business Unit that has responsibility for the information and is therefore responsible for containment and mitigation of the breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) that she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO, but W&I is the data owner and carries the responsibility for mitigation and containment.
Federal Information Processing Standards (FIPS) | A set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with those agencies.
Federal Information Processing Standards (FIPS) Publications | Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Trade Commission (FTC) | An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, whose principal mission is consumer protection and the elimination and prevention of anti-competitive business practices.
Fraud Alert | A consumer statement added to a credit file that alerts creditors that the consumer may be a victim of fraud. The statement requires creditors to take certain steps to verify the consumer's identity before establishing any new credit account in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.
Harm | Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
a) Potential for blackmail;
b) Disclosure of private facts;
c) Mental pain and emotional distress;
d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
e) Identity theft; or
f) Financial loss.
Identity Protection Specialized Unit (IPSU) | The IPSU assists taxpayers who are, or may become, victims of identity theft. The IPSU is comprised of paper teams within the Accounts Management Identity Theft Victim Assistance (IDTVA) function.
Identity Theft | Use of an individual's personal information, without the individual's permission, to commit fraud or other crimes.
Incident | OMB M-17-12 defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Incident Management (IM) | The office within Privacy, Governmental Liaison and Disclosure responsible for managing breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII by the IRS.
Information Technology | Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
Loss | Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, BlackBerry, cell phone, or other portable media; electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII), such as paper or electronic taxpayer records, personnel records, or other identifying data; or a combination of a physical asset and electronic and/or hard copy data. A loss involving PII is a breach.
Major Incident | OMB M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, defines a major incident as any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. A breach (see the definition of breach above) constitutes a major incident when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a major incident.
National Institute of Standards and Technology (NIST) | A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.
Office of Management and Budget (OMB) | OMB assists the President in overseeing the preparation of the Federal budget, evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.
Personally Identifiable Information (PII) | Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. See GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, at http://www.gao.gov/new.items/d08536.pdf; OMB M-07-16, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-16.pdf; OMB M-17-12, at https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf; and the PGLD webpage, Personally Identifiable Information, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx for additional information.
Phishing | A scam in which Internet fraudsters send e-mail messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. See IRM 21.1.3.23, Scams (Phishing) and Fraudulent Schemes.
PII Breach | An actual or suspected loss of control, compromise, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII breaches include situations in which individuals other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format.
PII Breach Notification | See Breach Notification.
PII Working Group (PIIWG) | A decision-making body consisting of senior management and technical experts from all key business and functional unit stakeholders, with expertise in information technology, legal requirements, privacy, law enforcement, and information security.
Policy Owner | The IRS organization or the title of the executive (position only) responsible for the program.
Privacy Breach | A security incident involving the breach of personally identifiable information (PII), whether in electronic or paper format.
Program Owner | The office that has primary responsibility for establishing the policy, process, and procedures to implement and manage the IRS program. Directors within this office are responsible for developing and publishing IRM procedures. The program owner is the IRM owner for the program.
Records and Information Management | In keeping with the Federal Records Act of 1950, as amended, and pursuant to Title 44, U.S.C. § 3102, the IRS established a records management program, renamed the Records and Information Management (RIM) Program, to ensure the economical and efficient management of its records in the creation, maintenance, retrieval, preservation, and disposition of all records.
Reporting Employee | The employee who identifies or recognizes a breach and reports it as required. The reporting employee is responsible for reporting all pertinent information relative to the breach.
Risk | The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment | The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and the additional security and privacy controls that would mitigate that impact.
Safeguard | Any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat.
Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) | A Data Loss Prevention (DLP) tool within the IRS Cybersecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.
Sensitive But Unclassified (SBU) Information | Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under FOIA (5 U.S.C. 552).
Sensitive Information | Information whose loss, misuse, unauthorized access, or modification could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but which has not been specifically authorized under criteria established by an E.O. or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103), and advance procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).
Theft | An asset, electronic or hard copy, thought or known to have been taken without permission from the individual who is responsible for the asset.
Unauthorized Access | The willful unauthorized access and/or inspection of tax returns and return information.
Unauthorized Disclosure | An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.
Unreasonable Delay | A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the breach, while considering the needs of law enforcement and national security and, if applicable, the restoration of the reasonable integrity of the compromised computerized data system. For example, if a breach is discovered and all the information necessary to determine its scope is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

TC 971 AC 505 — IRS Breach (Data Loss) Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT | SECONDARY-DT | MISC
TC 971 AC 505 input date | Date the IRS breach occurred | The Breach Tracking Number (the number assigned to the breach). This number begins with two alphas ("IR", "CR", or "PR") followed by 11 numeric digits, for example IR20100211034.

TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

Reason | Description | Value
Keying or Internal Error | The TC 971 was input because of a typographical mistake or another internal mistake. | IRSERR
Internally Identified Negative Impact | The TC 971 is causing a negative impact on another internal process or system and must be reversed to stop that impact. | IRSADM
Other | The reason for the reversal does not match any of the descriptions above. | OTHER
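The two exhibits above describe the data elements of the indicator and its reversal, and the numbered items earlier in this section state that an account may carry several TC 971 AC 505 indicators (one per breach) and that PGLD/IM may reverse one with a TC 972 AC 505. The following Python script is an added example, not part of the IRM and not IRS or IDRS code: it checks that the MISC field of each transaction has the form the exhibits describe (a tracking number for TC 971, one of the values IRSERR, IRSADM or OTHER for TC 972) and then works out which indicators remain active after reversals are applied. Two things are assumptions of this example rather than facts from the page: the pipe-delimited record layout (the real CC ENMOD screen format is not shown here), and the rule that a TC 972 AC 505 is paired with the TC 971 AC 505 carrying the same SECONDARY-DT (the IRM does not say how a reversal is matched to the indicator it reverses). The sample account history is constructed.

```python
"""Validate and reconcile TC 971/972 AC 505 breach indicators on an account.

Added example. The record layout and the reversal-pairing rule are assumptions
of this example; the field formats and MISC values come from the exhibits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Breach Tracking Number: two alphas (IR, CR or PR) followed by 11 digits,
# e.g. IR20100211034 (format from Exhibit 10.5.4-2).
TRACKING_NUMBER_RE = re.compile(r"(IR|CR|PR)[0-9]{11}")

# TC 972 AC 505 MISC values and their meanings (Exhibit 10.5.4-3).
REVERSAL_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}


@dataclass(frozen=True)
class Transaction:
    tc: int             # transaction code: 971 (set) or 972 (reverse)
    ac: int             # action code: 505 for the IRS breach indicator
    trans_dt: date      # TRANS-DT: date the transaction was input
    secondary_dt: date  # SECONDARY-DT: date the IRS breach occurred
    misc: str           # MISC: tracking number (971) or reversal reason (972)


def parse_line(line: str) -> Transaction:
    """Parse one constructed 'TC|AC|TRANS-DT|SECONDARY-DT|MISC' record (assumed layout)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    tc, ac, trans_dt, secondary_dt, misc = fields
    return Transaction(int(tc), int(ac), date.fromisoformat(trans_dt),
                       date.fromisoformat(secondary_dt), misc)


def validate(txn: Transaction) -> list[str]:
    """Return findings for one record; an empty list means it is well formed."""
    findings: list[str] = []
    if txn.ac != 505:
        return [f"AC {txn.ac} is not the breach indicator action code"]
    if txn.tc == 971:
        if not TRACKING_NUMBER_RE.fullmatch(txn.misc):
            findings.append(f"TC 971 MISC {txn.misc!r} is not a breach tracking number "
                            "(two alphas IR/CR/PR plus 11 digits)")
    elif txn.tc == 972:
        if txn.misc not in REVERSAL_REASONS:
            findings.append(f"TC 972 MISC {txn.misc!r} is not one of {sorted(REVERSAL_REASONS)}")
    else:
        findings.append(f"TC {txn.tc} is neither 971 nor 972")
    # Sanity check assumed by this example: a breach cannot be recorded before it occurred.
    if txn.secondary_dt > txn.trans_dt:
        findings.append("SECONDARY-DT (breach date) is later than TRANS-DT (input date)")
    return findings


def reconcile(txns: list[Transaction]) -> tuple[list[str], list[Transaction]]:
    """Apply TC 972 AC 505 reversals to TC 971 AC 505 indicators.

    Returns the tracking numbers still active and the reversals that matched no
    indicator. Each TC 971 AC 505 is a distinct breach, so indicators are keyed
    by tracking number. Pairing a TC 972 with the TC 971 that shares its
    SECONDARY-DT is an assumption of this example.
    """
    active: dict[str, Transaction] = {}
    unmatched: list[Transaction] = []
    # Process in input order; on the same day a 971 is applied before a 972.
    for txn in sorted(txns, key=lambda t: (t.trans_dt, t.tc)):
        if txn.ac != 505:
            continue
        if txn.tc == 971 and TRACKING_NUMBER_RE.fullmatch(txn.misc):
            active[txn.misc] = txn
        elif txn.tc == 972:
            target = next((k for k, v in active.items()
                           if v.secondary_dt == txn.secondary_dt), None)
            if target is None:
                unmatched.append(txn)
            else:
                del active[target]
    return sorted(active), unmatched


# Constructed sample account history (not real IDRS data).
SAMPLE_LINES = [
    "971|505|2017-03-01|2017-02-15|IR20170215001",  # breach 1 flagged
    "971|505|2017-06-10|2017-05-30|PR20170530017",  # breach 2 flagged
    "972|505|2017-06-12|2017-05-30|IRSERR",         # breach 2 reversed: keying error
    "971|505|2017-07-01|2017-06-20|XX2017062000",   # malformed tracking number
    "972|505|2017-08-01|2017-07-25|OTHER",          # reversal with no matching 971
]


def analyze(lines: list[str]) -> dict:
    """Parse, validate and reconcile an account history; returns a summary dict."""
    txns = [parse_line(line) for line in lines]
    findings = {}
    for i, txn in enumerate(txns):
        msgs = validate(txn)
        if msgs:
            findings[i] = msgs
    active, unmatched = reconcile(txns)
    return {"active": active,
            "unmatched_reversals": [t.misc for t in unmatched],
            "findings": findings}


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

On the constructed history the script reports one active indicator (IR20170215001), one reversal that matched nothing (the OTHER record, which an analyst would want to look at), and a finding on the fourth record, whose MISC value does not have the IR/CR/PR plus 11-digit shape the exhibit requires. Because the malformed TC 971 is rejected rather than counted, a display defect cannot be mistaken for a third breach.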