10.5.4 Incident Management Program

Manual Transmittal

October 22, 2019

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) Throughout, made editorial changes and updated text to improve clarity.

(2) Throughout, reviewed and updated links and citations, website addresses, legal references and IRM references as necessary.

(3) Throughout, removed the URLs for internal links in the text as requested by IT/Cyber Policy because of security risks.

(4) Throughout, when referring to an official publication title, including IRS forms, publications, and IRMs, updated the title from italics to regular text per the IRS Style Guide.

(5) Throughout, updated "Personally Identifiable Information (PII) and sensitive information", and "PII/sensitive information", to "Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII) and tax information", or "SBU data, including PII and tax information", as applicable, to conform with updated language in PGLD IRMs.

(6) IRM 10.5.4.1 - In (3), added new c) with information regarding the IRS Acquisition Policy; old c) now d). In (7), spelled out BYOD (Bring Your Own Device).

(7) IRM 10.5.4.1.1 - Added "and electronic" to (1) a) and (2) a) per IT/Cyber Policy’s request. In (2) b) and c), eliminated some wording to eliminate redundancy as some of the text is already included in (2) a).

(8) IRM 10.5.4.1.2 - Updated (2) to include the Executive Order that established the President’s Identity Theft Task Force; added a link to the President’s Identity Theft Task Force Report of September 2008; added verbiage from Recommendation 4 of the Task Force Report; and added a reference to the Privacy Act of 1974. Moved the part of the paragraph regarding OMB M-17-12 to new (3); moved the last sentence of old (2) with the reference to Related Resources in 10.5.4.1.7 to new (4). Old (3) is now (5).

(9) IRM 10.5.4.1.3 - Added a bullet to (1) a) regarding weekly reporting of lost, stolen or destroyed records to Records and Information Management. Updated (2) c) from "Mitigation" to "Mitigation/Prevention" and added "to mitigate or lessen the impact of the incident/breach" to clarify the section per IT/Cyber Policy’s request. Added new (3) with a statement concerning the Breach Response Team (BRT) and the Data Breach Response Playbook; subsequent paragraph renumbered.

(10) IRM 10.5.4.1.5 - In (2) b), updated the common examples of a data breach. Added new (3) to define "Major Incident"; added a new (4) and (4) a), b) and c) to define "Records Loss", "Records", "Unauthorized Destruction" and "Reporting to NARA"; subsequent paragraphs renumbered.

(11) IRM 10.5.4.1.6 - Added "FTI" to the Acronym List.

(12) IRM 10.5.4.1.7 - In (1), added new d) and e) with links to Document 13056 and Document 13144. In (3), added references to TD 25-08, TD 85-01, TD P 85-01, and the Departmental Incident Response Plan. In (4), added a reference to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD) and IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions. In (6), deleted the second sentence at the top of the Table; embedded the internal links in the Links column in the Arbortext anchor tags and marked all but the two IRM references as Internal Link. Also updated IRM 1.2.25 to IRM 1.2.1 per IMD communication of 6/24/2019.

(13) IRM 10.5.4.2 - In (2) added the Records Management Mandatory Briefing which is also managed by PGLD.

(14) IRM 10.5.4.3 - In (1), updated "within one hour" to "immediately upon discovery" per IT Cyber Policy’s request and to comply with language in TD P 85-01, Appendix A. In (1), Note, added additional examples of SBU data and a reference to IRM 10.5.1.2.2.1. In (2), added "All IRS personnel" to clarify that all IRS personnel, including contractors, must be aware of their responsibilities under the law to safeguard SBU data, including PII and tax information, the procedures to follow when data is lost or compromised, and the penalties for unauthorized disclosure of SBU data, including PII and tax information.

(15) IRM 10.5.4.3.1 - Updated the title of the sub-section from "Timely Reporting: Within One Hour" to "Timely Reporting: Immediately Upon Discovery" per IT Cyber Policy request and to comply with language in TD P 85-01, Appendix A. In (1), updated "within one hour" to "immediately upon discovery". In (1) and (2), added, "and all suspected security incidents, including any incidents of loss or mishandling of IRS information technology resources and lost or stolen IRS IT assets and BYOD assets..." per IT Cyber Policy.

(16) IRM 10.5.4.3.3 - In (2), updated "within one hour" to "immediately upon discovery" and eliminated some wording to eliminate redundancy. In (2) b), added additional examples of inadvertent unauthorized disclosures of SBU data, including PII and tax information. Also added "or destroyed" in reference to hardcopy records and documents as they must also be reported to PGLD. In (2) b) Note, added "or unauthorized destruction" to the first sentence and "or destroyed" to the second sentence and added a second Note regarding reporting SBU/PII/FTI in IRMs to SPIIDE. In (2) c), expanded the situations reportable to SAMC to include: building access cards, building or room keys, legacy ID cards, government property, and equipment per request from FMSS. In (2) d), added a second Note stating, "All suspected security incidents, including any incidents of loss or mishandling of IRS information technology resources and lost or stolen IRS IT assets and BYOD assets, must be reported to CSIRC." Added new (5) for reporting to GSOC as necessary per request from IT/Cyber Policy; subsequent paragraph renumbered. In old (5), deleted the Note and moved it to new (6).

(17) IRM 10.5.4.3.4 - Added new (4) stating the forms must be signed and dated and given to the employee’s manager. Also added a suggested timeframe for retention of the Employee copy by the employee once returned to the employee by the employee’s manager.

(18) IRM 10.5.4.4.1 - In (1), added the name of the reporting forms for CSIRC, OTC and PGLD/IM. In (1) a), added additional examples of inadvertent unauthorized disclosures of SBU data, including PII and tax information. In (3), restructured the first sentence and clarified the actions taken after the data breach is input via the e-Trak online reporting form or otherwise.

(19) IRM 10.5.4.4.2 - In (1), updated the definition of a high-risk data breach. Added new (2) with examples of channels through which high-risk data breaches may be identified. Added new (3) with responsibilities of Business Unit representatives for high-risk data breaches. Added new (4) with PGLD responsibilities for high-risk data breaches. Old (2) renumbered to (5). Added new (6) to define the composition of a high-risk data breach Working Group and formation reason. Old (3) renumbered to (7). Old (4) renumbered to (8). Updated language in (8) concerning resources for high-risk data breaches and updated the links in (8) a) and b).

(20) IRM 10.5.4.4.6.3 - In (2), updated FY18 to FY19. In (2) a), added PPC Measure. In (2) b), added Enterprise Measure. In (2) c), added OMB Measure.

(21) IRM 10.5.4.4.7.1 - In (5), corrected the Exhibit number from 3.13.16-1 to 3.13.6-1 and added the Image Control Team (ICT) link. In (5) a), updated the IRM reference from 10.2.13 to 10.5.1 as IRM 10.2.13 is obsolete and added links to the PGLD Shipping page, Document 13056, and Document 13144.

(22) IRM 10.5.4.4.7.4 - In (1) Note, added a timeframe from the date of the letter during which the individual must enroll to receive the free identity protection service.

(23) IRM 10.5.4.4.7.5 - Deleted (5) as there’s no longer a basis for saying the fraud alert must be placed within 90 days of receipt of Letter 4281C; and deleted (6) as fraud alert guidance is part of the standard resource guidance provided by AM CSRs to callers.

(24) Exhibit 10.5.4-1 - Added the source for the definition of Sensitive But Unclassified (SBU) Information (TD P 15-71) in the Glossary. Also added the terms "Disclosure", "National Archives and Records Administration (NARA)", "Records", "Federal Tax Information (FTI)", and "Tax Information" to the list of terms in the Glossary.

Effect on Other Documents

This IRM supersedes IRM 10.5.4 dated August 29, 2018.

Audience

The provisions in this manual apply to all IRS personnel in all divisions and functional units. It includes managers, employees, IRS contractors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, Flexiplace (Telework) employees (Occupational or Situational) and Mobile employees.

Effective Date

(10-22-2019)

Peter C. Wade
Director, Privacy Policy and Compliance
Privacy, Governmental Liaison and Disclosure

Program Scope and Objectives

  1. Overview. This Internal Revenue Manual (IRM) section defines the mission, objectives, and governance structure of the Privacy Policy and Compliance Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, and inadvertent unauthorized disclosures involving Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII) and tax information.

  2. Purpose. This IRM provides procedural guidance for reporting IRS data losses, thefts, and inadvertent unauthorized disclosures involving SBU data, including PII and tax information.

  3. Audience. The provisions in this manual apply Servicewide whenever SBU data, including PII and tax information, is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS. This manual also applies to all Flexiplace (Telework) employees (Occupational or Situational) as well as Mobile employees.

    1. All IRS employees, contractors/vendors, and persons with authorized access to SBU data, including PII and tax information, are responsible and accountable for complying with federal and IRS privacy, information protection, and data security, policies and procedures. Safeguarding and preventing the unauthorized disclosure of SBU data, including PII and tax information, is a responsibility that is shared by all IRS employees, contractors/vendors, and persons with authorized access to SBU data, including PII and tax information. Lost, stolen or disclosed SBU data, including PII and tax information, may be used to perpetrate identity theft or other forms of harm, if the information falls into unauthorized hands.

    2. All tax, privacy, and security clauses must be included in contracts as required by IRM 11.3.24, Disclosure of Official Information, Disclosures to Contractors, and IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions. Contractor employees must be trained about SBU data protection requirements, including PII and tax information, as required in Treasury Regulation 301.6103(n)-1(d).

    3. Internal Revenue Service Acquisition Policy (IRSAP) Part 1004, Administrative Matters, and IRSAP Part 1024, Protection of Privacy and Freedom of Information, provide instructions with respect to procedures to be followed where contractual procurement will be subject to the Privacy Act, the provisions of IRC §6103(n) or where access by a contractor to Sensitive But Unclassified material is contemplated.

    4. For additional information about security controls, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and Pub 4812, Contractor Security Controls.

  4. Policy Owner. The Director, Privacy Policy and Compliance (PPC) is responsible for the policy in this IRM. PPC is under the Office of Privacy, Governmental Liaison and Disclosure (PGLD), which is under the Office of the Deputy Commissioner for Operations Support (OS).

  5. Program Owner. The Incident Management Office under the Office of Privacy Policy and Compliance (PPC) under PGLD is the program office responsible for this IRM.

  6. Primary Stakeholders. All employees and contractors of the Internal Revenue Service (IRS), in all divisions and functional units, including Flexiplace (Telework) employees (Occupational or Situational) and Mobile employees, are affected by the procedures in this IRM.

  7. Program Goals. This IRM provides the fundamental knowledge and procedural guidance for timely reporting IRS data losses, thefts, and inadvertent unauthorized disclosures involving SBU data, including PII and tax information. The timely reporting of all inadvertent unauthorized disclosures of SBU data, including PII and tax information, and all losses or thefts of SBU data, including PII and tax information, and IT assets and Bring Your Own Device (BYOD) assets is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility that the SBU data, including PII and tax information, will be compromised and used to perpetrate identity theft or other forms of harm.

  8. Contact Information. To recommend changes to this IRM section, email the PII Mailbox.

Background

  1. Privacy, Governmental Liaison and Disclosure (PGLD). Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS), is responsible for ensuring consistency in all processes and procedures affecting the ways the Service handles privacy information protected by statute, regulation, Executive Order, or internal policy.

    1. PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS incidents involving the loss or theft of IRS and BYOD assets containing SBU data, including PII and tax information; the loss or theft of physical and electronic documents that include SBU data, including PII and tax information; and inadvertent unauthorized disclosures of SBU data, including PII and tax information.

    2. PGLD also leads IRS privacy and records policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS.

  2. PGLD Incident Management (IM) Office. IM was established to ensure Servicewide implementation of federal directives to protect taxpayers and government employees against IRS data losses and misuse of sensitive personal data.

    1. Since September 2007, the IM Office (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for administering and managing agency program requirements by ensuring IRS incidents involving the loss or theft of IRS and BYOD assets containing SBU data, including PII and tax information; the loss or theft of physical and electronic documents that include SBU data, including PII and tax information; and inadvertent unauthorized disclosures of SBU data, including PII and tax information, are investigated, analyzed and resolved by the IM Team.

    2. IM is dedicated to assisting taxpayers and government employees potentially impacted by IRS incidents involving SBU data, including PII and tax information, by working quickly and thoroughly to investigate the incidents to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

    3. IM manages the reporting, risk assessment, and tracking of IRS incidents involving SBU data, including PII and tax information, as well as notification to potentially impacted individuals.

Authority

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII).

  2. Executive Order 13402, May 10, 2006, established the President’s Identity Theft Task Force. The Task Force recommended that Federal agencies reduce the incidence and impact of identity theft and improve their capacity to respond to PII data breaches. The Task Force recognized that any comprehensive information security program - whether in the public or private sector - must include policies for responding to a data breach. Although every breach is different, experience has shown that having policies in place in advance is critical in ensuring a proper response. Such policies should address whether, how, and when to inform affected individuals of the loss of their data, and whether to offer services such as free credit monitoring to those individuals. The Task Force developed guidance that OMB issued to all agencies and departments on September 20, 2006 on responding to data breaches that pose a risk of identity theft. The guidance provided agencies with a framework for conducting an analysis of the breach to determine whether the incident posed a significant risk of identity theft and offered practical advice on implementing a breach response plan, including how and when to provide effective notice to affected individuals. To further the goals of the Task Force guidance, in May 2007, the Office of Management and Budget (OMB) issued Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, which emphasized agencies’ responsibilities under existing laws, such as the Privacy Act of 1974, to safeguard PII, and instructed Federal agencies to enhance their safeguards for PII and to enact data breach handling and data breach notification policies. The President’s Identity Theft Task Force Report of September 2008, located at https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf, documented the Task Force’s efforts to implement the Strategic Plan’s recommendations.

  3. In January 2017, OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf, rescinded and replaced OMB M-07-16, updated existing OMB data breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA), and implemented recommendations included in OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government.

  4. See IRM 10.5.4.1.7, Related Resources, for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  5. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for data breach management and data breach notification. Consistent with the OMB directives, the IRS notifies potentially impacted individuals when the data breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

Responsibilities

  1. Incident Management Program. The Incident Management Program includes the management of the IRS data breach reporting process, as well as the risk assessment and tracking of IRS data breaches and notification to individuals potentially impacted by IRS data breaches. The Incident Management Program also includes output from Cybersecurity’s Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) application. IM receives events for investigation, addresses applicable receipts within established procedures, and collaborates on referred events not meeting IM’s criterion.

    1. IM has the following responsibilities related to administering the Incident Management Program in the IRS:

    • Interpreting federal laws, regulations, and policies relating to the protection of Personally Identifiable Information (PII). See IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure, for more information about the Disclosure program and the protection of official information including personal information and tax records.

    • Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum M-17-12 and related directives

    • Receiving SPIIDE events for investigation and addressing accordingly when received

    • Identifying and tracking IRS data breaches

    • Reporting weekly to the Records and Information Management (RIM) Program Office any incidents of lost, stolen or destroyed records

    • Conducting risk assessments of IRS data breaches

    • Mitigating risks associated with IRS data breaches before substantial damage occurs

    • Preparing all reporting documentation pertaining to IRS data breaches

    • Making notification recommendations about potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities if necessary

    • Identifying emerging trends and developing appropriate strategies and responses

    • Improving procedures to reduce the occurrence of IRS incidents and data breaches

    • Developing, defining, monitoring, and executing IM policies and procedures

    • Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual

    • Communicating and coordinating with internal stakeholders to ensure consistency about data breach policy and issues

  2. Reporting Employees and Business Unit (BU) Data Owners. In addition to timely reporting so the PGLD IM team can begin its risk assessment process, reporting employees and BU data owners have other responsibilities:

    1. Containment. The BU data owner must take steps to contain the data breach. For example, if employee or taxpayer data is inadvertently exposed on the internet, the BU data owner must immediately take steps to remove the data and/or close the access; or, if DVDs have been shared with material that should have been redacted, the BU must take steps to immediately recover them and request the recipient remove public access (if the information was made publicly available) and replace it with the proper data. The BU should contact Cybersecurity’s Online Fraud Detection and Prevention Office if assistance is required to contain a data breach involving an electronic transmission such as email or a data breach involving the posting of information on the internet.

      Note:

      If the employee reporting the data breach is not the BU data owner, the reporting employee must collaborate with the BU and PGLD/IM to determine the best approach for managing containment.

    2. Providing Requested Information. Any information requested by PGLD/IM (e.g., SSNs, names, dates, etc.) must be provided as quickly as possible to ensure timely reporting and taxpayer notification. If a delay is likely, contact IM at 267-466-0777 to facilitate next steps.

    3. Mitigation/Prevention. The BU data owner must analyze the event circumstances to mitigate or lessen the impact of the incident/breach and to determine the necessary steps to prevent similar data breaches in the future. This could entail investigating the cause of the data breach and developing a prevention plan if necessary. A prevention plan may include a security audit of both physical and technical security; a review and/or development of policies and procedures; and a review of employee training.

    4. Disciplinary Actions. Discipline can result for failure to protect equipment or information, as well as for a manager's failure to supervise and train as it pertains to PII. A BU data owner whose employee experiences a data loss, theft, or disclosure, or asset loss or theft, because he or she did not properly safeguard the data or asset, must contact the servicing Labor Relations Specialist to discuss the appropriateness of any disciplinary action. For disciplinary actions related to losses or thefts of laptops or other electronic devices, or the loss, theft or disclosure of SBU data, including PII and tax information, and improperly safeguarding electronic or paper records, see Document 11500, IRS Manager’s Guide to Penalty Determinations, and IRM 6.751.1, Discipline and Disciplinary Actions: Policies, Responsibilities, Authorities, and Guidance.

    5. Contacting Potentially Impacted Individuals. It is the responsibility of the IRS Business Unit/data owner to contact the potentially impacted individual of a data breach in which a document, or remittance in the form of a personal check, was lost or stolen, to explain that the original document or remittance was lost/stolen, and to request that the individual resend the document/remittance. Established functional taxpayer contact processes must be followed when requesting replacement documents or remittances from the potentially impacted individual.

      Note:

      Contact with the potentially impacted individual may include a brief explanation of the data breach, e.g., "a package was lost in shipment". If the Business Unit/data owner has any questions about contacting the potentially impacted individual about the data breach, he or she may call PGLD/IM at 267-466-0777, or email the PII mailbox. Do not share the telephone number or mailbox address with the potentially impacted individual.

  3. In the event you or your Business Unit is called upon to participate as part of a Breach Response Team (BRT), there are specific activities you may be required to conduct based on your specific Business Unit and/or role in the organization. See the High-Risk Breach Quick Reference Guide, and the Data Breach Response Playbook, in the Other Related Resources section of the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base Site for additional information on the activities you may be required to conduct. Also see IRM 10.5.4.4.2, High-Risk Data Breaches, for additional information concerning high-risk data breaches.

  4. For the definition of Reporting Employee and Data Owner, see IRM 10.5.4.1.5, Terms, and Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Measures and Reports

  1. PGLD/IM has established Business and Organizational measures to measure the timeliness of IRS data breach notifications to potentially impacted individuals of IRS data breaches. See IRM 10.5.4.4.6.3, Timeliness of the Data Breach Notification.

  2. PGLD/IM provides reports on Business Performance as it relates to IRS data breaches to Points of Contact within each Business Unit.

    1. Quarterly Scorecard Report. This report lists the number of reported data breaches received by PGLD/IM per quarter per Business Operating Division (BOD).

    2. Annual Trend Analysis Report. This report contains an analysis of the data breaches that involved the disclosure of PII or the loss or theft of IRS assets containing PII reported to PGLD/IM to identify trends and identify areas where actions can be taken, such as employee education and training, to reduce the number of data breaches, thereby reducing the potential exposure of PII.

Terms

  1. Incident. OMB M-17-12 defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    1. An incident involving the loss or theft of an IRS asset containing PII, or the loss or theft of a physical document that includes PII, or the inadvertent unauthorized disclosure of PII, is known as a data breach. See the Data Breach definition below. Often, an occurrence may be first identified as an incident, but later identified as a data breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

  2. Data Breach. A data breach is a type of incident involving a loss, theft, or inadvertent unauthorized disclosure of PII. OMB M-17-12 defines a data breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or, (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

    1. A data breach is not limited to an occurrence where a person other than an authorized user potentially accesses PII by means of a network intrusion, a targeted attack that exploits website vulnerabilities, or an attack executed through an email message or attachment. A data breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information. It may also include an authorized user accessing PII for an other than authorized purpose. Often, an occurrence may be first identified as an incident, but later identified as a data breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

    2. Some common examples of a data breach include:

    • A laptop or electronic storage media containing PII is lost or stolen.

    • A document containing PII is lost or stolen, or lost or stolen during shipping.

    • A verbal disclosure of PII to an individual not authorized to receive it.

    • An email containing PII is sent to the wrong person or not properly encrypted.

    • An IT system that maintains PII is accessed by a malicious actor.

    • An inadvertent disclosure of PII on a public website.

    • An authorized user accesses PII for other than an authorized purpose.

  3. Major Incident. OMB 17-05 defines a "major incident" as "any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people... A breach constitutes a 'major incident' when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a major incident."

  4. Records Loss. "Records loss" is defined as the theft or unauthorized destruction, deletion, or removal of any record (or device containing records) under an employee’s control, which cannot be recreated or restored.

    1. Records. The term "records" includes all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them. (44 U.S.C., Section 3301).

    2. Unauthorized Destruction. Unauthorized destruction is the removal from the legal custody of the Federal Government or the alienation, alteration, or mutilation of records without regard to the provisions of IRS Records Control Schedules (RCS 8 through 37) located in IRS Document 12990, Catalog 57910D, and General Records Schedules (GRS) located in IRS Document 12829, Catalog 54713E.

    3. Reporting to NARA. Per 36 C.F.R., Section 1230.14, all federal agencies must report promptly any unlawful or accidental removal, defacing, alteration, or destruction of records in the custody of that agency to the National Archives and Records Administration (NARA). The IRS Records Officer reports any IRS incidents of erroneous records destruction to NARA.

  5. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf.

    1. The term PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

    2. For more information about PII, visit the Personally Identifiable Information page in the Disclosure and Privacy Knowledge Base Site; see IRM 10.5.1, Privacy and Information Protection, Privacy Policy; and IRM 10.8.1, Information Technology (IT), Security, Policy and Guidance, Personally Identifiable Information (PII).

  6. Sensitive But Unclassified (SBU) Data. Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act.

    1. SBU data includes, but is not limited to: Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, systems information, enforcement procedures, and investigation information.

    2. SBU data includes subsets of protected information which many IRS personnel handle on a daily basis, such as PII and tax information. It also includes other subsets, such as procurement and systems information.

    3. For more information about SBU, visit the Sensitive But Unclassified (SBU) Data page in the Disclosure and Privacy Knowledge Base Site and IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  7. Tax Information. The term tax information refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC § 6103. The law defines return information as any information the IRS has about a tax return or liability determination.

    1. Return information includes, but is not limited to, a taxpayer’s: identity; income, payments, deductions, exemptions, or credits; assets, liabilities, or net worth; and tax liability investigation status (whether the IRS ever investigates or examines the return).

    2. Redacting, masking, truncating, or sanitizing tax information does not change its nature. It’s still tax information.

    3. Tax information in IRS business processes comes under many names, such as FTI, IRC § 6103-protected information, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII.

    4. Tax information is SBU data. IRC § 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC § 6103(b)(2)].

    5. Release of tax information (whether of an individual or business) is restricted by the confidentiality provisions of IRC § 6103(a).

    6. For more information about tax information, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  8. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool. SPIIDE is a Data Loss Prevention (DLP) tool within the IRS Cybersecurity toolkit.

  9. Data Owner. The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporting employee is the RO, but W&I is the data owner and carries the responsibility for mitigation and containment.

  10. Reporting Employee. The reporting employee is the employee who identifies/recognizes a data breach and reports the data breach as required. The reporting employee is responsible for reporting all pertinent information relative to the data breach.

  11. For a full listing of IM terms and their definitions, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Acronyms

  1. The table below lists commonly used acronyms and their definitions:

    Acronym | Definition
    BRT | Breach Response Team
    BU | Business Unit
    BYOD | Bring Your Own Device
    FTI | Federal Tax Information
    IM | Incident Management
    OMB | Office of Management and Budget
    PGLD | Privacy, Governmental Liaison and Disclosure
    PII | Personally Identifiable Information
    PIIWG | PII Working Group
    PIPDS | Privacy, Information Protection and Data Security (name changed to Privacy, Governmental Liaison and Disclosure (PGLD))
    PPC | Privacy Policy and Compliance
    SPIIDE | Safeguarding Personally Identifiable Information Data Extracts
    SBU | Sensitive But Unclassified

  2. For a full listing of IM terms, definitions, and acronyms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Related Resources

  1. For additional information and guidance concerning incident/data breach reporting, see the following internal resources (for IRS use only):

    1. The Disclosure and Privacy Knowledge Base Site

    2. The Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base Site

    3. The If/Then Guide for Reporting Incidents and Breaches in the Other Related Resources section of the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base Site

    4. Document 13056, Employee Toolkit: Shipping Procedures for Personally Identifiable Information (PII)

    5. Document 13144, Proper PII Shipping Procedures

  2. OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget page at https://www.whitehouse.gov/omb/information-for-agencies/memoranda/.

    1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

    2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

    3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

    4. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

    5. M-12-18, Managing Government Records Directive, November 28, 2011

    6. M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices, October 3, 2014

    7. M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015

    8. M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016

    9. M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 3, 2017. This Memorandum rescinded and replaced OMB M-07-16, OMB M-06-19, OMB M-06-15 and Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006).

  3. Other Federal Guidance.

    1. The Federal Information Security Modernization Act of 2014 (FISMA) (Pub. L. No. 113-283, Title II), December 2014, amended the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) set forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.

    2. The President’s Identity Theft Task Force created a strategic plan to combat identity theft. The documents are available on the Federal Trade Commission website under News and Events/Press Releases at https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive.

    3. Treasury Directive 85-01, Department of the Treasury Information Technology (IT) Security Program, dated March 10, 2008, https://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/td85-01.aspx, authorized the issuance of Treasury Department Publication (TD P) 85-01, Treasury Information Technology Security Program, which contains Department-wide IT security requirements and supporting guidance. Per TD P 85-01, dated December 12, 2017, "The primary purpose of the Treasury IT Security Program is to establish comprehensive, uniform cybersecurity policies and standards for the protection of Departmental assets. The IT Security Program serves as a foundation for the bureaus to use for their cybersecurity programs and in developing supplemental, bureau-specific policies, requirements, and operating directives." See also TD P 85-01 Appendix A, Minimum Standard Parameters for Non-National Security Information and Information Systems.

    4. Treasury Directive 25-08, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated December 22, 2009, https://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/td25-08.aspx, established the Department of the Treasury’s PII protection and breach response and notification policy and plan. This directive also authorized the issuance of a handbook or other guidance to implement this policy.

    5. Treasury’s Departmental Incident Response Plan, dated October 10, 2018, established Departmental incident response (IR) procedures. Section 1.4, Authority Establishment, states, "IR procedures for addressing incidents concerning a breach of personally identifiable information (PII) are established in accordance with OMB-M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information."

  4. IRS Internal Revenue Manuals.

    1. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

    2. IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

    3. IRM 1.15, Records and Information Management

    4. IRM 11.3, Disclosure of Official Information

    5. IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions

    6. IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD)

  5. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues are provided in the table below.

    # | Title | Description | Link | Owner
    1 | Internal Revenue Service (IRS) Website | IRS Identity Protection home page | https://www.irs.gov/identity-theft-fraud-scams | IRS
    2 | Internal Revenue Service (IRS) Website | Taxpayer Guide to Identity Theft | https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft | IRS
    3 | Federal Trade Commission (FTC) Identity Theft Website | Visit ftc.gov/idtheft for prevention tips and free resources. | https://www.consumer.ftc.gov/features/feature-0014-identity-theft | FTC
    4 | Federal Trade Commission (FTC) Identity Theft Website | IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide taxpayers through the recovery process. It also allows taxpayers to file Form 14039 online. | https://www.identitytheft.gov/ | FTC
    5 | Federal Trade Commission (FTC) data breach information | The FTC provides specific guidance for when a data breach involves SSNs, payment card information, bank accounts, driver’s licenses, children’s information, and account credentials. | https://www.identitytheft.gov/Info-Lost-or-Stolen | FTC
    6 | Internal Revenue Service (IRS) Form 14039, Identity Theft Affidavit | Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that someone used his or her information to file taxes or to report that he/she is a victim of identity theft. | https://www.irs.gov/pub/irs-pdf/f14039.pdf | IRS
    7 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud | DOJ
    8 | Taxpayer Advocate Service (TAS) Website | Taxpayer Advocate Service home page | https://www.irs.gov/advocate | TAS
    9 | Social Security Administration (SSA) Website | Social Security Administration (SSA) home page | https://www.ssa.gov | SSA
    10 | Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number | Social Security Administration (SSA) Publication | https://www.ssa.gov/pubs/EN-05-10064.pdf | SSA
    11 | Identity Theft Task Force Webpage on the Federal Trade Commission (FTC) Website | President's Task Force on Identity Theft | https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive | Identity Theft Task Force
    12 | IRS Phishing Website | Instructions on how to report and identify phishing, email scams, and bogus IRS websites | https://www.irs.gov/uac/report-phishing | IRS
    13 | Credit Bureaus/Credit Reporting Agencies | Direct links to the three recognized credit bureaus/credit reporting agencies: Equifax, Experian, and TransUnion | http://www.equifax.com, http://www.experian.com, http://www.transunion.com/ | Equifax, Experian, and TransUnion
    14 | IRS Pub 4523 | Beware of Phishing Schemes | https://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS
    15 | IRS Pub 4524 | Security Awareness for Taxpayers | https://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS
    16 | IRS Pub 5027 | Identity Theft Information for Taxpayers | | IRS
    17 | Identity Theft Resource Center® (ITRC) Website | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC
    18 | OnGuard Online Website | Identity theft prevention tips from the federal government and technology industry | https://www.consumer.ftc.gov/features/feature-0038-onguardonline | FTC
    19 | IRS Pub 1075 | Tax Information Security Guidelines for Federal, State and Local Agencies | https://www.irs.gov/pub/irs-pdf/p1075.pdf | IRS

  6. Internal IRS intranet links that provide information on identity theft, identity theft-related issues, and data breaches are provided in the table below.

    # | Title | Description | Link | Owner
    1 | Disclosure and Privacy Knowledge Base Site | Disclosure and Privacy homepage in the Disclosure and Privacy Knowledge Base Site | Disclosure and Privacy Knowledge Base Site (Internal Link) | PGLD
    2 | Disclosure and Privacy Knowledge Base Site, Report Losses, Thefts or Disclosures page | Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets page in the Disclosure and Privacy Knowledge Base Site | Report Losses, Thefts or Disclosures page (Internal Link) | PGLD
    3 | Privacy, Governmental Liaison and Disclosure (PGLD) e-Trak Privacy online application | Privacy, Governmental Liaison and Disclosure (PGLD) PII Breach Reporting Form | PII Breach Reporting Form (Internal Link) | PGLD
    4 | Privacy, Governmental Liaison and Disclosure (PGLD) If/Then Guide for Reporting Incidents and Breaches | Privacy, Governmental Liaison and Disclosure (PGLD) If/Then Guide (pdf) for Reporting Incidents and Breaches in the Disclosure and Privacy Knowledge Base Site | If/Then Guide for Reporting Incidents and Breaches (Internal Link) | PGLD
    5 | Computer Security Incident Response Center (CSIRC) Website | Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form | CSIRC Computer Security Incident Reporting Form (Internal Link) | IT (Information Technology)
    6 | Situational Awareness Management Center (SAMC) | Situational Awareness Management Center (SAMC) Incident Reporting Link for Reporting Physical Security Incidents | (SAMC) Incident Reporting Link (Internal Link) | SAMC
    7 | IRM 1.2.1, Servicewide Policy Statements | Policy Statement P-10-1, IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | IRM 1.2.1, P-10-1 (formerly P-25-1) | IRS
    8 | IRM 25.23, Identity Protection and Victim Assistance | Identity Protection and Victim Assistance IRM | IRM 25.23 | IRS

Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, theft, or disclosure of SBU data, including PII and tax information.

    Note:

    Failure to properly protect SBU data, including PII and tax information, can result in disciplinary actions including admonishment, written reprimand, suspension or removal.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing, the Unauthorized Access (UNAX) Mandatory Briefing, and the Records Management Mandatory Briefing which are all managed by PGLD. These briefings provide information about privacy, disclosure, records management, computer security, and UNAX to all employees.

Reporting Losses, Thefts and Disclosures

  1. All IRS personnel are required to report the loss or theft of an IRS IT asset, or an asset in the Bring Your Own Device (BYOD) program, or hardcopy record or document containing SBU data, including PII and tax information, or the inadvertent unauthorized disclosure of SBU data, including PII and tax information, whether it be electronically, verbally or in hardcopy form, immediately upon discovery.

    Note:

    SBU data includes, but is not limited to, taxpayer correspondence, tax information, tax returns, transcripts, faxes, email messages, passwords, sensitive guidance, and personnel and job application information. See IRM 10.5.1.2.2.1, Examples of SBU Data, for additional information and examples.

  2. All IRS personnel, including contractors and their employees, must be aware of their responsibilities under the law to safeguard SBU data, including PII and tax information, the procedures to follow when data is lost or compromised and the penalties for unauthorized disclosure of SBU data, including PII and tax information. Contractors should refer to Data Breach Information for IRS Contractors on irs.gov at https://www.irs.gov/about-irs/procurement/data-breach-information-for-irs-contractors, Pub 4465-A, Protecting Federal Tax Information for Contractors, and Pub 4812, Contractor Security Controls, for information about a contractor’s responsibilities to protect Federal Tax Information (FTI) and incident/data breach response and reporting procedures.

Timely Reporting: Immediately Upon Discovery

  1. All IRS data breaches involving personally identifiable information, and all suspected security incidents, including any incidents of loss or mishandling of IRS information technology resources and lost or stolen IRS IT assets and BYOD assets, must be reported immediately upon discovery.

  2. The timely reporting of all inadvertent unauthorized disclosures of SBU data, including PII and tax information, all losses or thefts of hardcopy records or documents containing SBU data, including PII and tax information, and all suspected security incidents, including any incidents of loss or mishandling of IRS information technology resources and lost or stolen IRS IT assets and BYOD assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

Intentional Unauthorized Disclosures of Tax Information

  1. Data breaches involving intentional unauthorized disclosures of SBU data, including PII and tax information, must be reported to the Treasury Inspector General for Tax Administration (TIGTA). See IRM 11.3.1.10, Reporting Unauthorized Accesses or Disclosures, and IRM 11.3.38.5, Reporting Suspected Willful Unauthorized Accesses or Disclosures, for additional information. See also Section 7213 of Title 26, which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets, BYOD Assets and Hardcopy Records/Documents

  1. It is critical to report an incident/data breach as soon as actionable information is available so a response/reaction can be initiated. Incident/data breach updates and any additional notifications to TIGTA and/or Law Enforcement (see (3) and (4) below) can be completed after the initial report to the Office of Taxpayer Correspondence (OTC), Privacy, Governmental Liaison and Disclosure/Incident Management Office (PGLD/IM), or the Computer Security Incident Response Center (CSIRC) is submitted.

  2. IRS employees are required to report incidents and breaches immediately upon discovery to their manager and to one of the following offices based on what was lost, stolen, destroyed or disclosed:

    1. The Office of Taxpayer Correspondence (OTC). If the data breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email, report it to OTC using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. OTC will notify the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM) as necessary after an initial analysis of the data breach. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of data breaches to PGLD/IM, lessens the operational impact of reporting a data breach, and focuses resources on correcting the error to prevent additional data breaches/losses.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Report Erroneous Correspondence Process, for additional information about erroneous correspondence procedures and the instructions to follow when handling erroneous taxpayer correspondence sent to the wrong person.

    2. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM). If the data breach involves an inadvertent unauthorized disclosure of SBU data, including PII and tax information, that is not taxpayer correspondence (see OTC above), such as a verbal disclosure, or an electronic disclosure such as SBU data or PII or FTI in IRMs, Training Materials, PowerPoints, IRWeb, live test data uploaded to a system, etc., or lost, stolen, or destroyed hardcopy records or documents, or packages lost/stolen during shipment, or lost/stolen remittances, report it to PGLD/IM, using the PII Breach Reporting Form. Call 267-466-0777 if you have any problems with the online form or any questions about completing the online form.

      Note:

      The loss, theft, or unauthorized destruction of official records (whether the records contain PII or not) is also reported via the PII Breach Reporting Form. PGLD/IM reviews all PII Breach Reporting Forms and alerts the Records and Information Management (RIM) Program Office if official records have been reported as lost, stolen, or destroyed on the PII Breach Reporting Form in accordance with IRM 1.15.3.4, Unauthorized or Accidental Destruction of Records, which states any unauthorized, unlawful, or accidental destruction, defacing, or alteration of records in an employee’s custody or the IRS custody must be reported to the Records Specialist (formerly Area Records Managers (ARM)) or the IRS Records Officer.

      Note:

      Breaches involving disclosures of SBU data or PII or FTI in IRMs must also be reported to the Office of Servicewide Policy, Directives and Electronic Resources (SPDER) via the SPDER Mailbox.

    3. The Situational Awareness Management Center (SAMC). If the incident involves lost or stolen Smart-ID cards, pocket commissions (credentials), building access cards, building or room keys, legacy ID cards, government property, or equipment, report it to SAMC (within 30 minutes) using SAMC’s Incident Reporting Link. Note that all physical security incidents and/or threats are also reported to SAMC. Visit the FMSS Incident Reporting page to learn more about SAMC.

    4. The Computer Security Incident Response Center (CSIRC). If the incident/data breach involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.), or a non-government furnished/personally owned mobile device that accesses, processes, transmits, or stores IRS information, in support of the Bring Your Own Device (BYOD) program, report it to CSIRC using the Computer Security Incident Reporting Form, or by calling 240-613-3606.

      Note:

      If the incident/data breach involves both the loss or theft of an IRS IT asset, e.g., the loss or theft of an IRS issued laptop, flash drive, etc., or BYOD asset, and the loss or theft of hardcopy records or documents containing SBU data, including PII and tax information, packages lost during shipment, etc., report the data breach to CSIRC. Do not report it to PGLD/IM.

      Note:

      All suspected security incidents, including any incidents of loss or mishandling of IRS information technology resources and lost or stolen IRS IT assets and BYOD assets, must be reported to CSIRC immediately upon discovery.

  3. The Treasury Inspector General for Tax Administration (TIGTA). You must also report the incident/data breach to the Treasury Inspector General for Tax Administration (TIGTA), if the incident/data breach involves a loss or theft of an IRS IT asset, e.g., computer, laptop, router, printer, removable media (CD/DVD, flash drive, floppy, etc.), or non-IRS IT asset (BYOD device), or a loss or theft of hardcopy records/documents containing SBU data, including PII and tax information, by calling 800-366-4484.

  4. Local Law Enforcement. If the incident/data breach involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

  5. Treasury Government Security Operations Center (GSOC). The applicable reporting office - either PGLD/IM or CSIRC - will report to TCSIRC for further submission to GSOC as necessary.

  6. Visit the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base Site and see the If/Then Guide for Reporting Incidents and Breaches in the Other Related Resources section of the Report Losses, Thefts or Disclosures page for additional information and guidance. If you are a Flexiplace (Telework) employee (Occupational or Situational) or a Mobile employee, print a copy of the If/Then Guide for the office and one to keep at home in case your IT asset is lost or stolen and you can’t access IRS Source.

Inadvertent Accesses of Tax Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access.

  2. Form 11377 or Form 11377-E may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to PGLD/IM, CSIRC or OTC.

  4. Employees who complete either the online or printed version of this form are required to sign and date the IRS and Employee copies and give both to their managers no later than the end of the work day on which the accesses occurred. The manager will review the form, sign and date both copies, and return the Employee Copy to the employee. Employees are encouraged to retain their copy for six years.

"No Reporting" Situations

  1. The following are examples of situations which require no reporting to PGLD/IM, CSIRC, OTC, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing SBU data, including PII and tax information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    5. An IRS employee follows procedures in IRM 21.1.3.12, Suicide Threats, to disclose a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure, TIGTA, SAMC, and the Office of Employee Protection, no reporting to PGLD/IM is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, IRM 10.2.8, Incident Reporting, IRM 11.3.34.3, Expedited Procedures in Emergency Situations, and the Governmental Liaison, Disclosure and Safeguards (GLDS) Unique Situations page for the procedures to follow when a taxpayer threatens suicide or when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Report Erroneous Correspondence Process, for additional information about erroneous correspondence procedures and the instructions to follow when handling erroneous taxpayer correspondence sent to the wrong person.

PGLD/Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS data breaches by PGLD/IM as well as notification to potentially impacted individuals.

PGLD/Incident Management Intake

  1. When an IRS data breach or incident occurs, depending on what was lost, stolen, or disclosed, employees report the data breach or incident to the Computer Security Incident Response Center (CSIRC) via the Computer Security Incident Reporting Form, the Office of Taxpayer Correspondence (OTC) via the Erroneous Taxpayer Correspondence Reporting Form, or to PGLD/IM via the PII Breach Reporting Form. The PII Breach Reporting Form is an online reporting form that uploads directly to e-Trak.

    1. A data breach is reported to PGLD/IM if the breach involves an inadvertent unauthorized disclosure of SBU data, including PII and tax information, that is not taxpayer correspondence (see b) below). Examples are a verbal disclosure; an electronic disclosure, such as SBU data, PII or FTI in IRMs, training materials, PowerPoints, IRWeb, or live test data uploaded to a system; lost, stolen, or destroyed hardcopy records or documents; packages lost or stolen during shipment; and lost or stolen remittances.

    2. A data breach is reported to OTC if the breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email.

    3. An incident/data breach is reported to CSIRC if the incident/breach involves the loss or theft of an IRS IT asset or an asset in the Bring Your Own Device (BYOD) program, or if it involves multiple assets, for example, an IRS IT asset together with hardcopy records or documents containing SBU data, including PII and tax information. Note that the form and instructions for incidents/data breaches involving IT assets are different from the forms and instructions for all other data breaches.

  2. After a data breach is reported, members of the IM team receive notification via email (delivered to the PII mailbox) from either CSIRC or e-Trak. The email contains the information necessary to conduct a risk assessment and also to determine if the data breach meets high-risk breach criteria.

    1. The PII mailbox (*PII) is a centralized communication tool used by the IM Team to send and receive all communications throughout the data breach intake process. Data breach summaries with a brief description of the data breach are automatically sent via email to the PII mailbox whenever data breaches are reported to CSIRC via the Computer Security Incident Reporting Form or to PGLD/IM via the PII Breach Reporting Form.

      Note:

      Incident Management Intake may also include events received from SPIIDE for investigation.

  3. After PGLD/IM reviews the information submitted and performs an initial assessment of the data breach, if PII or SBU data is involved, PGLD/IM will, if necessary, request additional information to complete the risk assessment. If the data breach is input through the e-Trak online reporting form (PII Breach Reporting Form) and the employee indicated an SSN or EIN was disclosed, the reporting employee and the employee’s manager will receive an Impacted Individuals and/or Business Excel Spreadsheet as an attachment to the email received from e-Trak. If the data breach is reported by any means other than the e-Trak online reporting form, PGLD/IM will send an Impacted Individuals Excel Spreadsheet to the reporting employee and the employee’s manager if an SSN is needed for notification. The reporting employee is responsible for providing the tax identification numbers of the potentially impacted individuals and emailing the spreadsheet via secure email to *PII.

    1. The PGLD/IM and CSIRC Breach/Incident Reporting Forms provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Business Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the data breach.

High-Risk Data Breaches

  1. A high-risk data breach includes any breach that meets the OMB definition of a major incident or includes any special circumstances requiring an enhanced response because of significant risk to:

    1. Customers: Affects a significant number of individuals or high-profile individuals;

    2. Business Results: Overwhelming increase of phone traffic, reduced taxpayer access to IRS systems or online applications, negative effect on revenue protection; or,

    3. IRS Reputation: Potential for extensive media involvement or negative exposure.

  2. High-risk data breaches may be identified through several different channels. For example:

    1. Cybersecurity may identify a potential breach of an IRS system or application.

    2. PGLD or other Business Units may identify a disclosure, loss, or theft with unusual circumstances.

    3. A third-party data owner may identify a breach of SBU data, including PII and tax information.

      Note:

      A third-party data owner is defined as a data owner external to the IRS. An external third-party breach is an event that results from the unauthorized use or loss of SBU data (including PII and tax information) that does not involve IRS systems, applications, or online services. Third-party breaches can be reported to the IRS by external sources, such as practitioners, software developers, state and local agencies, or others.

  3. Business Unit data owners will:

    1. Notify PGLD and IRS senior management as needed.

    2. Take immediate action to contain potential data leakage and mitigate risk, such as engaging Online Fraud Detection and Prevention (within IT Cybersecurity) to deactivate a fraudulent website, recovering hardcopy documents, or coordinating with TIGTA to ensure all recovery options are considered.

  4. PGLD will:

    1. Identify members needed for a Breach Response Team (BRT) or Working Group (WG).

    2. Notify the Department of Treasury as applicable.

  5. A Breach Response Team (BRT) will be convened for high-risk data breaches and for any data breach that constitutes a major incident (as defined in OMB guidance) to address the additional concerns and communication issues that may be involved with these types of data breaches. The purpose of the BRT is to provide a swift, effective and orderly response to these types of data breaches. The team is led by the Breach Coordinator (BC) and is composed of cross-functional representatives authorized to take the necessary steps to contain, mitigate or rectify a data breach, mitigate the vulnerability of taxpayer data, and rebuild trust. Participating members of the BRT can vary based on the nature and scope of the data breach and the potential risk to taxpayers.

  6. A Working Group (WG) is comprised of members from several different components of a BRT to address the specifics of an investigation prior to the formation of a full BRT. WGs are commonly formed for investigations into suspicious behavior on IRS systems and applications.

  7. PGLD/IM reports high-risk data breaches to the Facilities Management and Security Services (FMSS) Threat Information and Critical Incident Response Initiative (TIRC). The TIRC is comprised of staff from FMSS, the Treasury Inspector General for Tax Administration-Criminal Intelligence and Counterterrorism Group (TIGTA-CICT), Criminal Investigation (CI), Federal Protective Service (FPS), the Computer Security Incident Response Center (CSIRC), and the Office of Privacy, Governmental Liaison and Disclosure (PGLD), including the Records and Information Management (RIM) Program Office. The mission of the TIRC is to identify and mitigate threats and to record countermeasures and mitigation strategies as they pertain to Federal tax administration and the IRS, for the protection of service operations. Reporting to SAMC may also be required if TIRC reporting does not lead to SAMC leadership messaging and communication is warranted based on the circumstances of the event.

  8. See the following resources regarding high-risk data breaches. Both are located in the Other Related Resources section of the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base Site.

    1. The High-Risk Breach Quick Reference Guide contains the high-level process to follow when a high-risk data breach is identified.

    2. The Data Breach Response Playbook contains detailed procedures on the proper steps to take if your area has a high-risk data breach to help you minimize harm to taxpayers, document the data breach, and manage the risk assessment process.

OMB Major Incidents

  1. FISMA 2014 requires the Office of Management and Budget (OMB) to define the term "major incident" and directs agencies to report major incidents to Congress within 7 days of identification.

  2. A "major incident" as defined by OMB M-17-05 is "any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."

  3. A data breach constitutes a "major incident" when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a major incident.

  4. PGLD/IM coordinates with Treasury for the appropriate actions and reporting, including reporting to Congress, whenever a data breach is identified as an OMB major incident.

PGLD/Incident Management Risk Assessment

  1. PGLD/IM assesses the risk of harm to individuals potentially impacted by data breaches involving the disclosure, loss, or theft of PII. When assessing the risk of harm to individuals potentially impacted by a data breach, the potential harms that could result from the loss or compromise of PII must be considered. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, financial harm, the disclosure of contact information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem. Additionally, the Privacy Act requires the IRS to protect against any anticipated threats or hazards to the security or integrity of records which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. The IRS must consider any and all risks relevant to the data breach, which may include risks to the IRS, IRS information systems, IRS programs and operations, other Treasury Bureaus, the Federal Government, or national security. These additional risks may properly influence the IRS’ overall response to a data breach and the steps the IRS must take to notify individuals.

  2. PGLD/IM performs a risk assessment to evaluate the likely risk of harm for all reported IRS data breaches, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the data breach into one of four levels - No Impact; Low Impact; Moderate Impact; and High Impact. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data breach must be given.

  3. PGLD/IM uses the following three-step methodology to assess the risk of harm for all reported IRS data breaches:

    1. Step 1: Examine key factors. Each of the three factors identified by OMB M-17-12 (the nature and sensitivity of the PII potentially compromised by the data breach; the likelihood of access and use of the PII potentially compromised by the data breach; and the type of data breach) is assessed in relation to the specific data breach to determine the potential likelihood of harm to individuals. See (4) below for additional information on the risk assessment factors.

    2. Step 2: Determine risk factor ratings. Each of the three factors is rated based on its impact level (high, moderate, low, or no impact) with corresponding points from 3 to 0 assigned to each impact level.

    3. Step 3: Categorize or classify the data breach. Based on the total factor rating points, the data breach is categorized into one of four levels. Data breaches with total factor rating points between 8 and 9 are considered Level Three (High Impact). Potentially impacted individuals involved in a data breach categorized as Level Three (High Impact) will be sent a data breach letter.

  4. PGLD/IM considers the following key factors and considerations when conducting a risk assessment to determine the potential likelihood of harm to potentially impacted individuals. Identifying the data elements involved in the data breach, i.e., the PII that was lost or disclosed, and assessing the impact of the data breach are key elements that must be considered when determining if, when, and how notification will be provided to potentially impacted individuals.

    1. Nature and Sensitivity of the PII. The nature and sensitivity of the PII potentially compromised by the data breach, including the potential harms that an individual could experience from the loss or compromise of the type of PII. At a minimum, the following items are considered when assessing the nature and sensitivity of the PII potentially compromised by a data breach: Data Elements, including an analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together; Context, including the purpose for which the PII was collected, maintained, and used; Private Information, including the extent to which the PII, in a given context, may reveal particularly private information about an individual or constitutes information that an individual would generally keep private; Vulnerable Populations, including the extent to which the PII identifies or disproportionately impacts a particularly vulnerable population; and Permanence, including the continued relevance and utility of the PII over time and whether the information is easily replaced or substituted or will permanently identify an individual.

    2. Likelihood of Access and use of the PII. The likelihood of access and use of the PII potentially compromised by the data breach, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means. The following items are considered when assessing the likelihood of access and use of PII potentially compromised by a data breach: Security Safeguards, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means; Format and Media, including whether the format of the PII or the media on which it is maintained may make it difficult and resource-intensive to use; Duration of Exposure, including how long the PII was exposed; and Evidence of Misuse, including any evidence confirming that the PII is being misused, or that it was never accessed.

    3. Type of Data Breach. The type of data breach, including the circumstances of the data breach, as well as the actors involved and their intent. The following items are considered when determining the type of data breach: Intent, including whether the PII was compromised intentionally, unintentionally, or whether the intent is unknown; and, Recipient, including whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient.
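
The three-step scoring described above, as an added worked example that is not IRS code: each OMB M-17-12 factor is rated on the IRM's 3-to-0 scale, the points are summed, and the total is categorized. The IRM states only the top band (8 to 9 points is Level Three, High Impact, which triggers a Letter 4281C notification); the cut-offs for the other three levels, the two helper rubrics that turn the access and type-of-breach considerations into a rating, and the two scenarios are assumptions made for illustration.

```python
"""Worked example of the PGLD/IM three-factor breach risk rating.

Added illustration, not IRS code. Each OMB M-17-12 factor is rated
High/Moderate/Low/No Impact (3..0 points); the three ratings are summed
and 8-9 points is Level Three (High Impact). Lower bands and the helper
rubrics below are ASSUMPTIONS, not taken from the IRM.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    """Rating for one factor; points follow the IRM's 3-to-0 scale."""
    NO = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Only the top band is stated in the IRM; the lower cut-offs are assumed.
LEVELS = (
    (8, "Level Three (High Impact)"),    # stated in the IRM: 8-9 points
    (5, "Level Two (Moderate Impact)"),  # assumption
    (2, "Level One (Low Impact)"),       # assumption
    (0, "Level Zero (No Impact)"),       # assumption
)


def rate_likelihood_of_access(encrypted: bool, never_accessed: bool,
                              misuse_confirmed: bool) -> Impact:
    """Illustrative rubric (assumption) over the IRM's access
    considerations: security safeguards and evidence of misuse/non-access."""
    if misuse_confirmed:
        return Impact.HIGH
    if never_accessed:
        return Impact.NO
    return Impact.LOW if encrypted else Impact.MODERATE


def rate_type_of_breach(intent: Optional[bool], recipient_known: bool,
                        recipient_trusted: bool = False) -> Impact:
    """Illustrative rubric (assumption) over intent and recipient.
    intent: True = intentional, False = unintentional, None = unknown."""
    if intent is True:
        return Impact.HIGH
    if intent is None:
        return Impact.MODERATE if recipient_known else Impact.HIGH
    if recipient_known and recipient_trusted:
        return Impact.LOW
    return Impact.MODERATE


@dataclass(frozen=True)
class Assessment:
    nature_and_sensitivity: Impact  # data elements, context, permanence
    likelihood_of_access: Impact    # safeguards, media, duration, misuse
    type_of_breach: Impact          # intent, recipient

    def total_points(self) -> int:
        return (int(self.nature_and_sensitivity)
                + int(self.likelihood_of_access)
                + int(self.type_of_breach))

    def level(self) -> str:
        pts = self.total_points()
        for floor, label in LEVELS:
            if pts >= floor:
                return label
        raise ValueError(f"points out of range: {pts}")

    def notify(self) -> bool:
        """Letter 4281C is sent for Level Three (High Impact) breaches."""
        return self.total_points() >= 8


# Constructed scenarios (not real incidents).
LOST_UNENCRYPTED_LAPTOP = Assessment(
    nature_and_sensitivity=Impact.HIGH,  # names and SSNs
    likelihood_of_access=rate_likelihood_of_access(False, False, False),
    type_of_breach=rate_type_of_breach(None, recipient_known=False),
)
MISDIRECTED_ENCRYPTED_EMAIL = Assessment(
    nature_and_sensitivity=Impact.HIGH,  # tax return information
    likelihood_of_access=rate_likelihood_of_access(True, False, False),
    type_of_breach=rate_type_of_breach(False, recipient_known=True,
                                       recipient_trusted=True),
)

if __name__ == "__main__":
    for name, a in (("lost laptop", LOST_UNENCRYPTED_LAPTOP),
                    ("misdirected email", MISDIRECTED_ENCRYPTED_EMAIL)):
        print(f"{name}: {a.total_points()} points -> {a.level()}, "
              f"notify={a.notify()}")
```

The lost laptop scores 3 + 2 + 3 = 8 and lands in the only band the IRM fixes, so it would be notified; the encrypted email to a trusted, known recipient scores 3 + 1 + 1 = 5 and does not, whatever cut-offs are chosen for the lower bands.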

  5. After IM has completed its risk analysis of a data breach and developed a recommendation with regard to the appropriate response, data breaches categorized as "High Impact" are included in a Code Red Recommendations Report and presented to the Incident Management Associate Director for review and action if necessary.

  6. If the recommendation is to notify, then potentially impacted individuals are notified of the data breach via Letter 4281C, IM Breach Notification Letter.

The PII Working Group (PIIWG)

  1. The PII Working Group (PIIWG) consists of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. A Code Red Recommendations Report is presented to the PIIWG weekly by PGLD/IM for information only; no concurrence or approval by the PIIWG is required.

  2. The Privacy Policy and Compliance Advisory Committee (PPCAC) no longer exists. It was a committee comprised of executives from all key business and functional unit stakeholders. It was originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and data breach policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives.

PGLD/Incident Management Data Breach Notification - Letter 4281C

  1. The IRS, through PGLD/IM, will notify potentially impacted individuals if the evaluation of an IRS data breach results in a likelihood of harm to these individuals.

  2. The IRS, through PGLD/IM, will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS, through PGLD/IM, will identify individuals who have been sent Letter 4281C by marking each entity (on CC ENMOD and/or CC IMFOLE) with the IRS data breach (data loss) indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying the IRS Breach Tracking Indicator to IRS Data Breaches, for additional information.

  4. The objectives of communications in the event of a possible compromise of SBU data, including PII and tax information, within the IRS are as follows:

    1. To comply with the Office of Management and Budget (OMB) and Treasury Department directives which mandate notification to potentially impacted individuals if there is a potential risk that the compromised data may be used by someone other than the owner of the information to commit a crime or fraud.

    2. To minimize the possible negative impact of the compromised data on the taxpayer/victim.

    3. To ensure the IRS' relationship with the impacted individual(s) will not be so damaged as a result of the data breach that it negatively impacts his or her tax filing and paying obligations.

Contents of the Data Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS data breaches using Correspondex Letter 4281C, IM Breach Notification Letter; however, the IRS may use a unique letter when deemed necessary and appropriate.

    Note:

    These procedures apply only to data breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. Remedial services such as identity protection services are offered to potentially impacted individuals of an IRS data breach as part of the overall OMB requirement regarding implementation of a data breach response program to mitigate the likely risk of harm.

  3. Data breach notifications will be written plainly and clearly, and will generally include the following information:

    1. A brief description of what happened, including the date of the data breach;

    2. To the extent possible, a description of the type of PII disclosed as a result of the data breach (e.g., name, SSN, date of birth, address, etc.);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free telephone number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity protection service at no cost, and the contact information for the vendor providing the service.

      Note:

      The IRS does not auto-enroll potentially impacted individuals. The potentially impacted individual must contact the vendor in order to sign up for the free identity protection service.

  4. The Privacy and Information Protection (PIP) toll-free telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

Data Breach Notification Signature
  1. The signature on the IRS data breach notification letter shall be that of the Director, Privacy Policy and Compliance (PPC).

Timeliness of the Data Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS data breaches without unreasonable delay following the completion of the risk assessment process.

    Note:

    The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

  2. Business measures and lapse time goals were established to track/assess PGLD/IM and IRS performance. The FY19 measures and goals are:

    1. Measure 1: PPC Measure: Lapse time (# of days) from Data Breach Report Date to the Data Breach Notification Letter Date. Goal: Median of 10 days or less.

    2. Measure 2: Enterprise Measure: Lapse time (# of days) from the Data Breach Date to the Data Breach Notification Letter Date. Goal: Median of 24 days or less.

    3. Measure 3: OMB Measure: Percentage of data breaches with a lapse time (# of days) of 30 days or less from the Data Breach Report Date to the Data Breach Notification Letter Date. Goal: Percentage of data breaches equal to or more than 94%. Measure 3 is reported to Treasury as part of OMB required reporting.

Means of Providing Data Breach Notifications
  1. The IRS will provide written notification to the individual's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the BRT, and consistent with applicable law, the IRS may notify external entities. In making its decision, the BRT will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the data breach (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the data breach (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

Ongoing Support

  1. Based on the circumstances of the data breach, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free telephone number staffed by trained IRS personnel to respond to general data breach-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on IRS data breaches that affect an individual's tax account, such as phishing schemes

  2. The PGLD/Incident Management Program is supported by Wage and Investment's (W&I) Accounts Management (AM). AM Customer Service Representatives (CSR)s support PGLD/IM by assisting individuals who call the Privacy and Information Protection (PIP) toll-free telephone number (866-225-2009) provided in Letter 4281C, IM Breach Notification Letter. AM CSRs are trained to respond to IRS data breach questions and questions about Letter 4281C.

Handling Inquiries About IM Data Breach Notification Letters
  1. These procedures apply only to data breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. The contact telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. The 4281C Letter does not require individuals to contact the Internal Revenue Service; however, some individuals may call with questions or concerns about the letter. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

  3. In some instances, individuals who receive Letter 4281C may call an IRS telephone number other than the number provided in the letter (866-225-2009). If an IRS phone assistor other than an AM Customer Service Representative (CSR) receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), transfer the call to extension 1161 (for callers needing assistance in Spanish, use extension 1162).

  4. AM CSRs answer general data breach-related inquiries about the IRS data breach and prepare a Form 4442, Inquiry Referral Form, if the caller requests specific information about the data breach that the AM CSR is unable to answer. The Form 4442 is directed to PGLD's IM office in Philadelphia for resolution. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

  5. Correspondence (and any attachments) received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the local Image Control Team (ICT) for scanning and controlling. See IRM Exhibit 3.10.72-2, Correspondex C Letters - Routing Guide; IRM Exhibit 3.13.6-1, Appendix A - Document Types, Category Codes, IMF; IRM Exhibit 3.13.6-14, Appendix N - Document Types, Category Codes, Priority Codes, IDT - IMF, Doc Type: ID Theft: IDT5; and IRM 21.5.1.4.2.3, Clerical Function for the Image Control Team (ICT) Correspondence Imaging System (CIS), for information about ICT. See IRM 21.5.1.5, Correspondence Imaging System (CIS) Procedures, for information about CIS procedures and the Image Control Team (ICT) link in the Miscellaneous section of the Campus Program Locator Guide (located under the Who/Where tab) to determine the address for your local ICT function. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    1. If scanning is not available, route the correspondence and any attachments received in response to Letter 4281C, or addressed to employee 0847999999, to AM. See the address table below; IRM 10.5.1.6.7.3, Shipping; the PGLD Shipping page on the Disclosure and Privacy Knowledge Base Site; Document 13056, Employee Toolkit: Shipping Procedures for Personally Identifiable Information (PII); and Document 13144, Proper PII Shipping Procedures, for policy and procedures relating to protecting and handling SBU data, including PII and tax information.

    2. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) at 855-807-5720. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    United States Postal Service (USPS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    Fresno, CA 93888-0025

    Private Delivery Service (PDS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    5045 East Butler Avenue, Fresno, CA 93727
  6. See the IRS Data Breach Frequently Asked Questions (FAQs) on SERP for a list of frequently asked questions about the IRS Breach Notification Letter (Letter 4281C) and general questions about IRS data breaches/data losses.

IMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. When taking calls from impacted individuals, a consistent and proper greeting is required. Refer to procedures in IRM 21.1.1.4, Communication Skills.

  2. Employees are required to authenticate callers to ensure the person calling is the individual impacted by the data breach. See IRM 25.23.12.3, Identity Theft Telephone General Guidance, for required use of the Integrated Automation Technologies (IAT) Disclosure tool and the High-Risk Authorization (HRA) IAT tool to perform authentication; IRM 21.1.3.2.3, Required Taxpayer Authentication; and IRM 21.1.3.2.4, Additional Taxpayer Authentication.

  3. If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a Power of Attorney (POA) in connection with the data breach. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the data breach as a matter for which the POA has authority.

  4. High-risk authentication per IRM 21.1.3.2.4, Additional Taxpayer Authentication, is also required. Ask the caller for the Breach Date and Breach Number as part of the authentication process. The Breach Date, if included in the letter, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. In some situations, a caller may want to receive as much information as possible about the data breach but is not willing to provide his or her SSN/TIN. In these situations, the CSR may still answer general questions about the data breach and answer all the taxpayer's questions using the Frequently Asked Questions (FAQ), but a referral may not be made for any specific questions about the data breach. CSRs must be sensitive to the caller's tone and ensure they are given as much information as they are entitled to receive without the caller providing their TIN. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters.

  6. In some data breaches, impacted individuals receiving notices may be IRS employees. In these cases, follow guidance in IRM 21.1.3.8, Inquiries from IRS Employees.

BMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. Some of the impacted individuals may be business entities and letters sent may be to business related entities (sole proprietorships, corporations, LLCs, etc.). A caller may be required to be an owner of a small business or an officer of a corporation before employees are able to talk to him or her about the data breach. To ensure a caller is the appropriate individual that is allowed to receive information about the data breach, AM CSRs will need to conduct an identity check with the caller to determine if he or she is allowed to receive the information. See IRM 21.1.3.2.3, Required Taxpayer Authentication, for required use of the IAT Disclosure tool to perform authentication.

  2. In addition to the authentication probes outlined in IRM 21.1.3.2.3, Required Taxpayer Authentication, ask the caller representing the BMF entity to provide the following information:

    • The Breach Number, located to the right and just above the Salutation (Dear Taxpayer) on Letter 4281C, and

    • The Breach Date, located in the first paragraph of Letter 4281C.

  3. If the caller is unable or unwilling to provide the EIN, tell the caller that a Referral may not be made for any specific questions about the data breach. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters.

    Note:

    It will not be necessary to access any tax account information on the BMF case to assist the caller. If at any time you feel the caller is not entitled to receive general information, and the caller is insistent on receiving as much information as he or she can, be sure not to disclose any specific account information.

Free Identity Protection Service
  1. The IRS is offering an identity protection service at no cost to individuals potentially impacted by an IRS data breach if the risk assessment results in a likelihood of harm.

    Note:

    The IRS assigns a unique enrollment code via Letter 4281C, IM Breach Notification Letter, to each individual potentially impacted by an IRS data breach if the risk assessment results in a likelihood of harm. The potentially impacted individuals must contact the identity protection vendor within 90 days from the date of the letter to sign up for the free identity protection service.

    Note:

    A POA cannot sign up for the free identity protection service on behalf of his or her client.

  2. AM CSRs do not have access to the vendor’s system; therefore, CSRs cannot assist the caller with the enrollment.

  3. AM CSRs can assist with:

    • Providing the toll-free number for the vendor. See Note below.

    • Reviewing the online and telephone enrollment instructions included in Letter 4281C, IM Breach Notification Letter. See Note below.

    • Informing the individual that, if he or she is having difficulty enrolling in the vendor’s system, he or she has the option of speaking with a live agent by calling the vendor. Remind the individual he or she will need to have his or her unique enrollment code (assigned in Letter 4281C) available when contacting the vendor. See Note below.

    • Ensuring the individual understands what he or she needs to do to monitor his or her credit report and other financial information. See Note below.

    Note:

    See the IRS Data Breach Frequently Asked Questions (FAQs) on SERP for a list of frequently asked questions about the IM Breach Notification Letter (Letter 4281C) and general questions about IRS data breaches/data losses and the identity protection vendors.

Fraud Alerts
  1. A fraud alert is a statement that a credit reporting agency adds to an individual’s credit file at the individual’s request. It alerts creditors that the individual may be a victim of fraud.

  2. The fraud alert statement requires creditors to take certain steps to verify the individual’s identity before establishing any new credit accounts in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.

  3. All three credit reporting agencies (Equifax, Experian, and TransUnion) have fraud reporting services. The individual only needs to contact one of them. The agency initially contacted will notify the other two.

  4. An individual can place a fraud alert on his or her credit file by contacting:

    • Equifax at 800-525-6285 or www.equifax.com

    • Experian at 888-397-3742 or www.experian.com

    • TransUnion at 800-680-7289 or www.transunion.com

Referrals to PGLD’s Incident Management Office
  1. If a caller states he or she received a letter from the IRS about a data breach but lost or misplaced the letter, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  2. If a caller states he or she attempted to redeem the enrollment code included in the data breach letter but was told the enrollment code is expired, invalid, or does not work, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  3. If the caller requests additional information or details about the data breach, is unsatisfied with the limited information you can provide, and insists on receiving more information about the data breach than what was already provided, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  4. In addition to the required fields as noted in IRM 21.3.5.4.2, if available, include the Breach Date and Breach Number, as shown on the caller's letter, in the Referring To field (Box #5) of Form 4442/e-4442. The Breach Date, if included in the Letter 4281C, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. A brief narrative must be completed in the Taxpayer Inquiry/Proposed Resolution section (Part III, Section B) of Form 4442/e-4442. Include in the Taxpayer Inquiry/Proposed Resolution section of the Form 4442/e-4442 the IRM reference (IRM 10.5.4.4.7.6) directing the referral, the reason you are making the referral, and a complete description of the caller’s issue. Also document the response time frame provided to the caller and the fax number for PGLD/IM.

  6. Inform the caller a referral has been completed in response to his or her inquiry. Tell the caller he or she will hear from us within 30 calendar days. See IRM 21.3.5.4, Referral Procedures.

  7. Document AMS with the details of the Referral. See IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters. EXCEPTION: If the AMS or CIS system is down, then narratives and/or case notes will not be required.

  8. All Forms 4442 will be collected by the Lead CSR at the beginning of each business day and faxed to the IM Office in Philadelphia. The IM EEfax number is listed on the Form 4442 Referral Fax Numbers list (Site: Philadelphia and Function: PGLD: Incident Management) located on the SERP Who/Where tab.

  9. An analyst from PGLD/IM will contact the sender via secure email confirming receipt of the faxed Forms 4442. Once confirmation is made, the original Form 4442 can be destroyed. If no confirmation email is received within 48 hours from the fax date, re-faxing the Form 4442 will be required.

Caller Indicates He/She is a Victim of Identity Theft as a Result of an IRS Data Breach
  1. A caller who has already been notified of an IRS data breach via Letter 4281C may indicate he or she is already a victim of identity theft as a result of the IRS data breach and would like the IRS to assist him or her in dealing with the identity theft.

    Note:

    As part of the Identity Theft Program, AM will generally assist taxpayers whose situations meet TAS criteria 5 - 7 AND involve identity theft. See IRM 25.23.3.2.6, Identity Theft Assistance Request (ITAR) - General Information.

  2. AM CSRs will:

    • Apologize to the caller for any inconvenience.

    • Research the taxpayer's TIN thoroughly to see if there is a tax related issue related to the ID theft as defined in IRM 25.23.2.3.4, Identity Theft Research.

    • If a tax related issue is involved, see IRM 25.23.12.5, Tax-Related Identity Theft.

    • Input an Identity Theft Tracking Indicator as directed in IRM 25.23.2.4.4, Initial Allegation or Suspicion of Tax-Related Identity Theft - IMF Identity Theft Indicators.

  3. If the taxpayer is threatening litigation or legal action because the IRS data breach resulted in identity theft, in addition to the above actions, prepare a Form 4442, Inquiry Referral, to alert the IM Office of the possible litigation or legal action. See the referral procedures in IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters
  1. The Privacy and Information Protection (PIP) toll-free number, 866-225-2009, is included in Letter 4281C, IM Breach Notification Letter, as well as the family of letters (Letter 4281-A, Letter 4281-B, Letter 4281-E, Letter 4281-F, and Letter 4281-G) developed for the Get Transcript data breach. Individuals who call the PIP toll-free number are automatically directed to the Identity Theft Product Line (Applications 161 and 162). AM CSRs working programs related to IM data breach notification letters are required to add an issue to identify the type of inquiry as well as leave a brief narrative of what was covered with the caller.

    Exception:

    If the AMS or CIS system is down, then narratives and/or case notes will not be required.

    Note:

    Although the SSN is not shown on Letter 4281C, IM Breach Notification Letter, employees will need to secure the caller's SSN in order to update AMS. If the caller is unwilling to provide the employee with his or her SSN, it will not be possible to update AMS.

Undelivered Letter 4281C
  1. Undeliverable procedures must be followed. Refer to (3) of IRM 21.3.3.4.12.1.1, Undelivered Mail Procedures for Accounts Management, for research procedures for undeliverable mail.

  2. If a new address is found, address an envelope with the new address and mail the undeliverable Letter 4281C, IM Breach Notification Letter to the new address.

  3. If a new address is not found, treat Letter 4281C as Classified Waste.

    Note:

    Because this process has to do with IRS data breaches, and not specifically tax related issues, a representative or a POA must not be contacted when referring to the Undeliverable procedures unless a POA specifically identifies the data breach.

Retention and Disposition

  1. IM will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data breach.

IRS Data Breach Tracking Indicator - Objectives

  1. The Incident Management Program tracks IRS data breaches to support the following objectives:

    1. Reduce taxpayer burden while addressing IRS data breaches.

    2. Increase operational efficiency of the IRS by detecting and processing reported IRS data breaches as early and consistently as possible.

IRS Data Breach Tracking Indicator - Development and Implementation

  1. PGLD developed an IRS data breach tracking indicator to centrally track IRS data breaches.

  2. The IRS data breach tracking indicator was implemented by PGLD to identify individuals whose PII was lost, stolen, or disclosed as a result of an IRS data breach.

  3. The IRS data breach tracking indicator is input as a Transaction Code (TC) 971 with Action Code (AC) 505. The TC 971 AC 505 is displayed on the Integrated Data Retrieval System (IDRS) on the entity portion of each affected individual's account (CC ENMOD and CC IMFOLE).

Applying the IRS Data Breach Tracking Indicator to IRS Data Breaches
  1. The TC 971 AC 505 is an IRS Data Breach Tracking Indicator (also known as a Data Loss Tracking Indicator) - not an identity theft indicator.

  2. The TC 971 AC 505:

    1. Will not block, or prevent, online system access.

    2. Will not stop registration for online services, including registration for Get Transcript or an Identity Protection Personal Identification Number (IP PIN).

    3. Will not stop paper requests for a transcript (Form 4506/T).

  3. PGLD/IM inputs a TC 971 AC 505 on the entity portion of an individual's account (as long as the entity is established on the Master File) when all of the following occur:

    1. An individual's IRS-held PII was lost, disclosed, or stolen.

    2. The data breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

    3. The IRS notifies the individual of the data breach via Letter 4281C, IM Breach Notification Letter, or similar letter in some circumstances (such as letters developed for the Get Transcript data breach).

    Example:

    Case files containing PII were lost while being shipped from one location to another. Since the data breach risk assessment resulted in a likelihood of harm, IM will send data breach notification letters to the potentially impacted individuals.

  4. Input of TC 971 AC 505 is limited and reserved for use by PGLD/IM employees; however, this indicator is visible and available for reference on the entity portion (CC ENMOD or CC IMFOLE) of an individual’s account. See Exhibit 10.5.4-2, TC 971 AC 505 — IRS Data Breach (Data Loss) Indicator, for more information about this indicator.

    Note:

    At the request of PGLD/IM, for large scale data breaches, the TC 971 AC 505 may be uploaded directly to CC IMFOLE by Return Integrity and Compliance Services (RICS).

  5. PGLD/IM inputs TC 971 AC 505 on an account regardless of the existence of any identity theft indicator codes that may be present on the account.

  6. There can be multiple IRS data breach indicators input/present on an individual's account. Each TC 971 AC 505 represents a different IRS data breach.

  7. In some instances, it may be necessary for PGLD/IM personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD/IM employees, Exhibit 10.5.4-3, TC 972 AC 505 — Reversal of TC 971 AC 505, is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

Glossary of Incident Management Terms, Definitions, and Acronyms

Access: The authority granted to employees and contractors that provides the opportunity to physically come into contact with (including, but not limited to, reading, transporting, and/or transcribing/interpreting) Sensitive But Unclassified (SBU) data in the performance of official duties; to enter an IRS facility without escort; and/or to log in to IRS systems with approved credentials.

Accounts Management (AM) Customer Service Representatives (CSRs): AM CSRs assist individuals impacted by IRS data breaches by answering general data breach related inquiries or preparing a Form 4442, Inquiry Referral, if the caller requests specific information about the data breach that the AM CSR is unable to answer. AM CSRs also provide assistance to individuals impacted by identity theft or individuals who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by AM CSRs even if the individual has not experienced any problems with, or received communications from, the IRS.

Audience: The employees responsible for taking action or who require knowledge about the program, process or activity.

Bring Your Own Device (BYOD): Bring Your Own Device is a concept that allows employees to use their personally owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices.

Computer Security Incident Response Center (CSIRC): Responsible for monitoring the IRS network 24 hours a day year-round for cyber attacks and computer vulnerabilities and for various security incidents such as the theft of a laptop computer.

Data Breach: OMB M-17-12 defines a data breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person, other than an authorized user, accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

Note:

See also the definition of "Incident" .

Data Breach Incident: An incident involving a loss, theft, or inadvertent unauthorized disclosure of personally identifiable information. A few common examples include: a laptop or portable storage device storing PII is lost or stolen; an email containing PII is inadvertently sent to the wrong person; or a box of documents with PII is lost or stolen during shipping.

Data Breach Management: The process of managing data breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII.

Data Breach Notification: The process of notifying potentially impacted individuals following the evaluation of a data breach which results in a likelihood of harm to these individuals.

Data Breach Risk Assessment: A risk assessment conducted on an IRS data breach, theft, or inadvertent unauthorized disclosure of personally identifiable information. The risk assessment includes factors that must be considered, specifically the context of the data breach and the data that was disclosed. Example: An IRS employee in the field loses a taxpayer case file. The case file contained PII data such as name, address, social security number, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification must be given to the potentially impacted individual.

Data Owner: The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporting employee is the RO but W&I is the data owner and carries the responsibility for mitigation and containment. Note that Data Owner is synonymous with Information Owner. Per IRM 10.8.2.2.1.6, Information Owner, the Information Owner is an IRS official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. At the IRS, the Information Owner is the Business and Functional Unit Owner.

Disclosure: Making known to any person, in any manner, a return or return information. IRC 6103 governs the rules for how, when, to whom and what federal tax information can or cannot be disclosed. See IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

Federal Information Processing Standards (FIPS): A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

Federal Information Processing Standards (FIPS) Publications: Publications issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).

Federal Tax Information (FTI): Any return or return information received from the IRS or secondary source, such as SSA etc. FTI includes any information created by the recipient that is derived from return or return information. (Internal Revenue Code (IRC) § 6103, Confidentiality and disclosure of returns and return information.) See IRM 10.5.1 for additional information.

Federal Trade Commission (FTC): An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.

Fraud Alert: A fraud alert is a statement that a credit reporting agency adds to an individual’s credit file at the individual’s request. It alerts creditors that the individual may be a victim of fraud. This statement requires creditors to take certain steps to verify the individual’s identity before establishing any new credit accounts in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.

Harm: Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
a) Potential for blackmail;
b) Disclosure of private facts;
c) Mental pain and emotional distress;
d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
e) Identity theft; or
f) Financial loss.

Identity Protection Specialized Units (IPSU): The IPSU assists taxpayers that are, or may become, victims of identity theft. The IPSU is comprised of paper teams as part of the Accounts Management Identity Theft Victim Assistance (IDTVA) function.

Identity Theft: Use of an individual’s personal information, without the individual’s permission, to commit fraud or other crimes.

Incident: OMB M-17-12 defines an Incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. An incident is classified as an incident if it involves SBU information but doesn’t involve PII. Often, an occurrence may be first identified as an incident, but later identified as a breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

Note:

See also the definition of "Data Breach".
Incident Management (IM): Incident Management (IM) refers to the Office within Privacy, Governmental Liaison and Disclosure responsible for the process of managing data breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII by the IRS.

Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.

Loss: Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, blackberry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data, including Personally Identifiable Information (PII) and tax information, such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data. A loss involving PII is known as a Data Breach.

Major Incident: OMB M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, defines a major incident as any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. A data breach (see the definition of data breach above) constitutes a major incident when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ PII constitutes a major incident.

National Archives and Records Administration (NARA): NARA is an independent agency of the U.S. Government charged with the preservation and documentation of government and historical records. NARA establishes policies and procedures for managing U.S. Government records and assists federal agencies in administering records management programs and related activities.

National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.

The Office of Management and Budget (OMB): OMB assists the President in overseeing the preparation of the Federal budget and evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.

Personally Identifiable Information (PII): The term PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. See GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008 at http://www.gao.gov/new.items/d08536.pdf; OMB 07-16, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-16.pdf; OMB M-17-12, at https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf; and the PGLD webpage, Personally Identifiable Information, for additional information.

Phishing: Phishing is a scam where Internet fraudsters send email messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. See IRM 21.1.3.23, Scams (Phishing) and Fraudulent Schemes.

PII Data Breach Notification: See Data Breach Notification.

PII Working Group (PIIWG): A decision making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security.

Policy Owner: The IRS organization or the title of the executive (position only) responsible for the program.

Program Owner: The office which has primary responsibility for establishing the policy, process, and procedures to implement and manage the IRS program. Directors within this office are responsible for developing and publishing IRM procedures. The program owner is the IRM owner for the program.

Records: Includes all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them. (44 U.S.C., Section 3301).

Records and Information Management: In keeping with the Federal Records Act of 1950, as amended, and pursuant to Title 44, U.S.C. § 3102, the IRS established a records management program - renamed Records and Information Management (RIM) Program - to ensure the economical and efficient management of its records in the creation, maintenance, retrieval, preservation, and disposition of all records.

Reporting Employee: The reporting employee is the employee who identifies/recognizes a data breach and reports the data breach as required. The reporting employee is responsible for reporting all pertinent information relative to the data breach.

Risk: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.

Safeguard: Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.

Safeguarding Personally Identifiable Information Data Extracts (SPIIDE): A Data Loss Prevention (DLP) tool within the IRS Cybersecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.

Sensitive But Unclassified (SBU) Data: Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 U.S.C. § 552).

Sensitive But Unclassified (SBU): See TD P 15-71, Treasury Security Manual, Chapter III Section 24, Sensitive But Unclassified Information. The term “Sensitive But Unclassified” originated with the Computer Security Act of 1987. It defined SBU as "any information the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy." Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).

Tax Information: The term tax information refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC § 6103. The law defines return information as any information the IRS has about a tax return or liability determination. Tax information in IRS business processes comes under many names, such as Federal Tax Information (FTI), IRC § 6103-protected information, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII. See IRM 10.5.1 for additional information.

Theft: An asset, electronic or hardcopy, thought or known to have been taken without permission from the individual who is responsible for the asset.

Treasury Inspector General for Tax Administration (TIGTA): Provides oversight of the Department of Treasury matters involving Internal Revenue Service (IRS) activities, the IRS Oversight Board and the IRS Office of Chief Counsel.

Unauthorized Access: The willful unauthorized access and/or inspection of tax returns and return information.

Unauthorized Disclosure: An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.

Unreasonable Delay: A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the data breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means if a data breach is discovered and all the information necessary to determine the scope of the data breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

TC 971 AC 505 — IRS Data Breach (Data Loss) Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure (PGLD) personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT: TC 971 AC 505 input date.
SECONDARY-DT: Date the IRS data breach occurred.
MISC: The Breach Tracking Number (the number assigned to the breach). This number begins with two alphas ("IR", "CR", or "PR") and is followed by 11 numeric digits. For example: IR20100211034

TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure (PGLD) personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

Reason: Keying or Internal Error
Description: The 971 was due to a typographical mistake or another internal mistake.
Value: IRSERR

Reason: Internally Identified Negative Impact
Description: The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact.
Value: IRSADM

Reason: Other
Description: The reason for the 971 reversal does not meet any of the above reason descriptions.
Value: OTHER
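The data elements above define a small record format: a TC 971 AC 505 carries a Breach Tracking Number in MISC with a fixed prefix-plus-digits shape, and a TC 972 AC 505 carries one of three fixed reversal reason codes in MISC. The following Python is an added example written for this page; it is not IRS, IDRS or PGLD code. It validates the Breach Tracking Number format and the TC 972 AC 505 MISC value as the exhibit describes them, and audits a set of constructed records to flag malformed entries. Two things are assumptions of the example, not statements from the exhibit: dates are taken as ISO-8601 YYYY-MM-DD strings rather than the IDRS display format, and the breach date (SECONDARY-DT) is required not to be later than the input date (TRANS-DT). The sample records are constructed for the example and are not real data.

```python
import re
from dataclasses import dataclass
from datetime import date

# Breach Tracking Number format as given in the TC 971 AC 505 MISC description:
# two alphas ("IR", "CR" or "PR") followed by exactly 11 numeric digits.
BREACH_TRACKING_RE = re.compile(r"^(?P<prefix>IR|CR|PR)(?P<digits>[0-9]{11})$")

# TC 972 AC 505 MISC values and the reversal reason each one encodes (from the chart).
TC972_AC505_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}


def validate_breach_tracking_number(value: str) -> bool:
    """Return True only when value has the documented prefix + 11-digit shape (case-sensitive)."""
    return BREACH_TRACKING_RE.match(value) is not None


@dataclass(frozen=True)
class Tc971Ac505:
    trans_dt: date       # TRANS-DT: TC 971 AC 505 input date
    secondary_dt: date   # SECONDARY-DT: date the IRS data breach occurred
    misc: str            # MISC: Breach Tracking Number


def parse_tc971_ac505(trans_dt: str, secondary_dt: str, misc: str) -> Tc971Ac505:
    """Build a TC 971 AC 505 record from its three data elements, rejecting malformed input.

    Assumption of this example: dates arrive as ISO-8601 YYYY-MM-DD strings, and the
    breach date may not be later than the input date (the indicator is input after the
    breach is known). Neither is stated by the exhibit.
    """
    misc = misc.strip().upper()
    if not validate_breach_tracking_number(misc):
        raise ValueError(f"MISC is not a valid Breach Tracking Number: {misc!r}")
    t = date.fromisoformat(trans_dt)
    s = date.fromisoformat(secondary_dt)
    if s > t:
        raise ValueError("SECONDARY-DT (breach date) is later than TRANS-DT (input date)")
    return Tc971Ac505(t, s, misc)


def reversal_reason(misc: str) -> str:
    """Map a TC 972 AC 505 MISC value to its reason description; reject unknown values."""
    key = misc.strip().upper()
    if key not in TC972_AC505_REASONS:
        raise ValueError(f"unknown TC 972 AC 505 MISC value: {misc!r}")
    return TC972_AC505_REASONS[key]


# Constructed sample records (not real IDRS data). Records 2 and 3 are deliberately malformed.
SAMPLE_RECORDS = [
    {"tc": 971, "ac": 505, "trans_dt": "2010-02-15", "secondary_dt": "2010-02-09", "misc": "IR20100211034"},
    {"tc": 972, "ac": 505, "trans_dt": "2010-03-01", "secondary_dt": "", "misc": "IRSERR"},
    {"tc": 971, "ac": 505, "trans_dt": "2010-02-15", "secondary_dt": "2010-02-09", "misc": "XX2010021103"},
    {"tc": 972, "ac": 505, "trans_dt": "2010-03-01", "secondary_dt": "", "misc": "TYPO"},
]


def audit_records(records):
    """Return (index, error message) for every AC 505 record whose data elements fail validation."""
    problems = []
    for i, rec in enumerate(records):
        try:
            if rec["tc"] == 971:
                parse_tc971_ac505(rec["trans_dt"], rec["secondary_dt"], rec["misc"])
            elif rec["tc"] == 972:
                reversal_reason(rec["misc"])
            else:
                raise ValueError(f"unexpected transaction code {rec['tc']}")
        except ValueError as exc:
            problems.append((i, str(exc)))
    return problems


if __name__ == "__main__":
    for index, message in audit_records(SAMPLE_RECORDS):
        print(f"record {index}: {message}")
```

Running the module lists the two malformed sample records (a tracking number with a wrong prefix and only 10 digits, and an unrecognized reversal value). The validation is strict on purpose: a reviewer confirming that AC 505 input stayed within PGLD's authorized use needs every MISC value to match the published format exactly, so the check does not try to repair near-misses.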
