10.5.4 Incident Management Program

Manual Transmittal

August 29, 2018

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) Throughout, made editorial changes and updated text to improve clarity.

(2) Throughout, reviewed and updated links and citations, website addresses, legal references and IRM references as necessary.

(3) Throughout, updated "breach" or "breaches" to "data breach" or "data breaches" as applicable.

(4) IRM 10.5.4.1 - In (1), updated the "Purpose" paragraph to an "Overview" paragraph and added "and sensitive information" to the end of the second sentence to ensure the reporting range is understood. In (2), added a new "Purpose" paragraph; subsequent paragraphs renumbered. Also added "and sensitive information" to the end of the sentence to ensure the reporting range is understood. In new (3), old (2), Audience, and (3) (a) added "or sensitive information"; in (b) added a new citation to IRM 11.3.14. In new (4), old (3), Policy Owner, updated the text to spell out PPC. Added a new (6), Primary Stakeholders to identify offices affected by these procedures and a new (7), Program Goals to define the objectives or goals; subsequent paragraph renumbered. In new (8), old (5), Contact Information, deleted the name of the IRM author.

(5) IRM 10.5.4.1.1 - Split the content within (1) and (2) into alpha lists for easier readability and moved the Note in (1) to new (a) in 10.5.4.1.5 (1).

(6) IRM 10.5.4.1.3 - In (1), moved (a) up to become part of (1); old (b) is now (a). In (2), added new (d) Disciplinary Actions; old (d) is now (e). In (e), updated text and added guidance on requesting replacements for lost or stolen remittances; contact information for PGLD/IM previously in (e) now in (e) Note. Also added to the note in (e): "Do not share the telephone number or mailbox address with the potentially impacted individual."

(7) IRM 10.5.4.1.5 - In (1), added new (a) with content moved from 10.5.4.1.1 (1) Note. In (3)(b), added a citation to IRM 10.5.1. In (4), added new (a), (b) and (c); moved second sentence of (4) to (4)(c); and added additional information about SBU from IRM 10.5.1 to (a) and (b). Added new (5), Tax Information, with information from IRM 10.5.1; subsequent paragraphs renumbered. Deleted Controlled Unclassified Information (CUI) per the IRS CUI Program Manager; subsequent paragraphs renumbered.

(8) IRM 10.5.4.1.6 - Added "BYOD" to the list of acronyms and its definition to the Table and deleted the blank row at the bottom of the table.

(9) IRM 10.5.4.1.7 - Updated the text in (1) to generalize the statement as follows: "For additional information and guidance concerning incident/data breach reporting, see the following internal resources..."; added (a) and moved the Disclosure and Privacy Knowledge Base link from (1) to (a); added (b) and (c) with a link to the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets or BYOD Assets page in the Disclosure and Privacy Knowledge Base and a link to the If/Then Guide for Reporting Breaches. In (1), emphasized that the resources in (1) (a), (b), and (c) are internal resources and only for IRS use by bolding the word "internal". In (2), updated the link to OMB Memoranda; deleted M-06-20 and moved M-12-18 up to put the list in order. In (3), added a new (a) with information concerning the Federal Information Security Modernization Act of 2014; moved the sentence previously in (3) to new (b) and bulleted the items previously listed under (3) to (b). In (4), added a new (d) with a citation to IRM 11.3. Updated link in (5), #1, to https://www.irs.gov/identity-theft-fraud-scams. Updated link in (5), #2, to https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft. Added text to (5), #4, about the availability of filing Form 14039 online via identitytheft.gov and added a link to Pub 1075 in new #19. In (6), added verbiage stating the resources are for internal use only; taxpayers won’t be able to access them via the links provided. In (6), #4, updated the link to the If/Then Guide to https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/IfThen%20Guide%20for%20Reporting%20Breaches%20-%20Rev08222018.pdf; added a new #6 for SAMC; the following entry was consequently renumbered; and added a new #8 with a citation to IRM 25.23.

(10) IRM 10.5.4.2 - Inserted new Note in (1) to advise of possible disciplinary actions for failure to properly protect PII/sensitive information. In (2), updated Office of Privacy to PGLD.

(11) IRM 10.5.4.3 - Updated the text in (2) to further define contractor responsibilities; spelled out FTI; and added Publication 4465-A and the link to the Data Breach Information for IRS Contractors page on irs.gov as additional references.

(12) IRM 10.5.4.3.1 - Updated "sensitive information/PII" to "PII and sensitive information" for consistency.

(13) IRM 10.5.4.3.2 - Updated title of subsection from Intentional Unauthorized Disclosures to Intentional Unauthorized Disclosures of Tax Information.

(14) IRM 10.5.4.3.3 - Added BYOD Assets to the title of section 10.5.4.3.3. In (2) (a), added a Note and a citation to see IRM 25.13.1.3 for the instructions to follow when handling erroneous taxpayer correspondence sent to the wrong person. In (2) (b), added: "containing PII/sensitive information " to further define packages lost/stolen during shipment; and "lost/stolen remittances containing PII/sensitive information" to further define reporting to PGLD; deleted the first Note about having to report lost/stolen BYOD assets to PGLD/IM; and updated the Note in (2) (b) to state that the loss or theft of official records (whether the records contain PII or not) are also reported via the PII Breach Reporting Form. In (2) (c), updated the SAMC Incident Reporting Link from http://vgdiw30vp005527/archibus/login.axvw to https://tscc.enterprise.irs.gov/irc/; added a sentence stating that all physical security incidents and/or threats are also reported to SAMC; and added a link to the FMSS Incident Reporting page. In (2) (d), and (2) (d) Note, added guidance for reporting lost/stolen BYOD devices to CSIRC. In (4), Note, updated the link for the If/Then Guide to https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/IfThen%20Guide%20for%20Reporting%20Breaches%20-%20Rev08222018.pdf.

(15) IRM 10.5.4.3.4 - Updated title of subsection from Inadvertent Accesses of Taxpayer Information to Inadvertent Accesses of Tax Information.

(16) IRM 10.5.4.3.5 - Updated title of IRM 25.13.1.3 in (1) (e) Note and added text to (1) (e) regarding the instructions to follow in IRM 25.13.1.3 when handling erroneous taxpayer correspondence sent to the wrong person.

(17) IRM 10.5.4.4.1 - Throughout, made some editorial changes to improve clarity. In (1) (a), deleted the second sentence about having to report lost/stolen BYOD assets to PGLD and moved it to (1) (c) as lost/stolen BYOD assets are reported to CSIRC. In (2), added additional verbiage about the information contained in the email.

(18) IRM 10.5.4.4.2 - Updated title of the subsection from High Profile and Sensitive Breaches to High-Risk Data Breaches. Updated text in (1) and (1) (b); moved some of the text concerning the BRT in (3) up to (2) and deleted the text in (2) concerning the Leadership Team; deleted (3); (4) moved up as new (3) and updated AWSS to Facilities Management and Security Services (FMSS). New (4) added with text and links to the High-Risk Breach Quick Reference Guide and the Data Breach Response Playbook.

(19) IRM 10.5.4.4.4 - Throughout, updated text to improve clarity. Deleted (5); included sentence from (5) in (4). Updated text in (6) and deleted the words "and approval". Updated text in (7) and deleted the words "and if the Associate Director concurs with the recommendation".

(20) IRM 10.5.4.4.5 - Removed Privacy Policy and Compliance Advisory Committee (PPCAC) from title. Updated text in (1) to remove the words "is a decision making body consisting" .

(21) IRM 10.5.4.4.6 - Added "Data" and "Letter 4281C" to the title of the subsection.

(22) IRM 10.5.4.4.6.1 - Added "Data" to the title of the subsection. Throughout, updated text from "monitoring" to "protection" .

(23) IRM 10.5.4.4.6.2 - Added "Data" to the title of the subsection.

(24) IRM 10.5.4.4.6.3 - Added "Data" to the title of the subsection. Moved (5) up to (1) as a Note; deleted (3), (4) and (5). Updated (2) to only include FY18 measures and goals.

(25) IRM 10.5.4.4.6.4 - Added "Data" to the title of the subsection.

(26) IRM 10.5.4.4.7.1 - Updated "Regarding" to "About" in the title of the subsection and added "Data" as part of the title. In (6), updated the link to the Frequently Asked Questions (FAQs) from http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs_information_loss/irs_information_loss_toc.htm to http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs-breach-data-loss/faq.html and updated the text.

(27) IRM 10.5.4.4.7.2 - Spelled out "IAT" and "HRA" in (2).

(28) IRM 10.5.4.4.7.4 - Changed title of subsection from Free Identity Monitoring Service to Free Identity Protection Service. Updated the text throughout from "monitoring" to "protection" and "promotion code" to "enrollment code" . In (3), updated the link to the Frequently Asked Questions (FAQs) from http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs_information_loss/irs_information_loss_toc.htm to http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs-breach-data-loss/faq.html and updated the text.

(29) IRM 10.5.4.4.7.6 - Updated "promotion code" to "enrollment code" in (2).

(30) IRM 10.5.4.4.7.7 - Added "Data" to the title of the subsection.

(31) IRM 10.5.4.4.7.8 - Updated "Regarding" to "About" and added "Data" in the title of the subsection.

(32) Exhibit 10.5.4-1 - Added the following terms and their definitions: "Bring Your Own Device (BYOD)"; "Computer Security Incident Response Center (CSIRC)"; and "Treasury Inspector General for Tax Administration (TIGTA)". Updated the definition for "Access". Deleted "PII Data Breach" and "Privacy Breach" as the definitions are essentially the same as that of "Data Breach". Added a note to "Data Breach" to see also "Incident" and a note to "Incident" to see also "Data Breach". Added an example to "Incident". Deleted Controlled Unclassified Information (CUI) per the IRS CUI Program Manager. Also alphabetized some out of alpha order terms and definitions.

Effect on Other Documents

This supersedes IRM 10.5.4 dated October 19, 2017.

Audience

The provisions in this manual apply to all divisions, functional units, managers, employees, and contractors of the Internal Revenue Service (IRS), including Flexiplace (Telework) employees (Occupational or Situational) and Mobile employees.

Effective Date

(08-29-2018)

Frances W. Kleckley
Director, Privacy Policy and Compliance
Privacy, Governmental Liaison and Disclosure

Program Scope and Objectives

  1. Overview. This Internal Revenue Manual (IRM) section defines the mission, objectives, and governance structure of the Privacy Policy and Compliance Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, and inadvertent unauthorized disclosures involving Personally Identifiable Information (PII) and sensitive information.

  2. Purpose. This IRM provides procedural guidance for reporting IRS data losses, thefts, and inadvertent unauthorized disclosures involving PII and sensitive information.

  3. Audience. The provisions in this manual apply Servicewide whenever PII or sensitive information is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS. This manual also applies to all Flexiplace (Telework) employees (Occupational or Situational) as well as Mobile employees.

    1. All IRS employees, contractors/vendors, and persons with authorized access to PII or sensitive information are responsible and accountable for complying with federal and IRS privacy, information protection, and data security policies and procedures. Safeguarding and preventing the unauthorized disclosure of PII and sensitive information is a responsibility that is shared by all IRS employees, contractors/vendors, and persons with authorized access to PII or sensitive information. Lost, stolen or disclosed PII or sensitive information may be used to perpetrate identity theft or other forms of harm if the information falls into unauthorized hands.

    2. All tax, privacy, and security clauses must be included in contracts as required by IRM 11.3.24, Disclosures to Contractors, and IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions. Contractor employees must be trained about PII and sensitive information protection requirements as required in Treasury Regulation 301.6103(n)-1(d).

    3. For additional information about security controls, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and Pub 4812, Contractor Security Controls.

  4. Policy Owner. The Director, Privacy Policy and Compliance (PPC) is responsible for the policy in this IRM. PPC is under the Office of Privacy, Governmental Liaison and Disclosure (PGLD), which is under the Office of the Deputy Commissioner for Operations Support (OS).

  5. Program Owner. The Incident Management Office under the Office of Privacy Policy and Compliance (PPC) under PGLD is the program office responsible for this IRM.

  6. Primary Stakeholders. All employees and contractors of the Internal Revenue Service (IRS), in all divisions and functional units, including Flexiplace (Telework) employees (Occupational or Situational) and Mobile employees, are affected by the procedures in this IRM.

  7. Program Goals. This IRM provides the fundamental knowledge and procedural guidance for timely reporting IRS data losses, thefts, and inadvertent unauthorized disclosures involving PII and sensitive information. The timely reporting of all inadvertent unauthorized disclosures of PII or sensitive information, and all losses or thefts of PII and sensitive information and IT assets and BYOD assets is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility that the PII or sensitive information will be compromised and used to perpetrate identity theft or other forms of harm.

  8. Contact Information. To recommend changes to this IRM section, email the *PII Mailbox at pii@irs.gov.

Background

  1. Privacy, Governmental Liaison and Disclosure (PGLD). Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS), is responsible for ensuring consistency in all processes and procedures affecting the ways the Service handles privacy information protected by statute, regulation, Executive Order, or internal policy.

    1. PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS incidents involving the loss or theft of IRS assets containing PII or sensitive information; the loss or theft of physical documents that include PII or sensitive information; or inadvertent unauthorized disclosures of PII or sensitive information.

    2. PGLD also leads IRS privacy and records policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS.

  2. PGLD Incident Management (IM) Office. IM was established to ensure Servicewide implementation of federal directives to protect taxpayers and government employees against IRS data losses and misuse of sensitive personal data.

    1. Since September 2007, the IM Office (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for administering and managing agency program requirements by ensuring IRS incidents involving the loss or theft of IRS assets containing PII/sensitive information; the loss or theft of physical documents that include PII/sensitive information; or inadvertent unauthorized disclosures of PII/sensitive information, are investigated, analyzed and resolved by the IM Team.

    2. IM is dedicated to assisting taxpayers and government employees potentially impacted by IRS incidents involving the loss or theft of IRS assets containing PII/sensitive information, or the loss or theft of physical documents that include PII/sensitive information, or inadvertent unauthorized disclosures of PII/sensitive information, by working quickly and thoroughly to investigate the incidents to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

    3. IM manages the reporting, risk assessment, and tracking of IRS incidents involving the loss or theft of IRS assets containing PII/sensitive information, or the loss or theft of physical documents that include PII/sensitive information, or inadvertent unauthorized disclosures of PII/sensitive information, as well as notification to potentially impacted individuals.

Authority

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII).

  2. The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, the Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact data breach handling and data breach notification policies. In January 2017, OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf, rescinded and replaced OMB M-07-16, updated existing OMB data breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA), and implemented recommendations included in OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. See IRM 10.5.4.1.7, Related Resources, for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  3. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for data breach management and data breach notification. Consistent with the OMB directives, the IRS notifies potentially impacted individuals when the data breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

Responsibilities

  1. Incident Management Program. The Incident Management Program includes the management of the IRS data breach reporting process, as well as the risk assessment and tracking of IRS data breaches and notification to individuals potentially impacted by IRS data breaches. The Incident Management Program also includes output from CyberSecurity’s Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) application. IM receives events for investigation, addresses applicable receipts within established procedures, and collaborates on referred events not meeting IM’s criteria.

    1. IM has the following responsibilities related to administering the Incident Management Program in the IRS:

    • Interpreting federal laws, regulations, and policies relating to the protection of Personally Identifiable Information (PII). See IRM 11.3.1, Introduction to Disclosure, for more information about the Disclosure program and the protection of official information including personal information and tax records.

    • Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 17-12 and related directives

    • Receiving SPIIDE events for investigation and addressing accordingly when received

    • Identifying and tracking IRS data breaches

    • Conducting risk assessments of IRS data breaches

    • Mitigating risks associated with IRS data breaches before substantial damage occurs

    • Preparing all reporting documentation pertaining to IRS data breaches

    • Making notification recommendations about potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities if necessary

    • Identifying emerging trends and developing appropriate strategies and responses

    • Improving procedures to reduce the occurrence of IRS incidents and data breaches

    • Developing, defining, monitoring, and executing IM policies and procedures

    • Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual

    • Communicating and coordinating with internal stakeholders to ensure consistency about data breach policy and issues

  2. Reporting Employees and Business Unit (BU) Data Owners. In addition to timely reporting so the PGLD IM team can begin its risk assessment process, reporting employees and BU data owners have other responsibilities:

    1. Containment. The BU data owners must take steps to contain the data breach. For example, if employee or taxpayer data is inadvertently exposed on the internet, the BU data owner must immediately take steps to remove the data and/or close the access; or, if DVDs have been shared with material that should have been redacted, the BU must take steps to immediately recover them and request the recipient remove public access (if the information was made publicly available) and replace it with the proper data. The BU should contact Cybersecurity’s Online Fraud Detection and Prevention Office, if assistance is required to contain a data breach involving an electronic transmission such as email or a data breach involving the posting of information on the internet.

      Note:

      If the employee reporting the data breach is not the BU data owner, the reporting employee must collaborate with the BU and PGLD/IM to determine the best approach for managing containment.

    2. Providing Requested Information. Any information requested by PGLD/IM (e.g., SSNs, names, dates, etc.) must be provided as quickly as possible to ensure timely reporting and taxpayer notification. If a delay is likely, contact IM at 267-466-0777 to facilitate next steps.

    3. Mitigation. The BU data owner must analyze the event circumstances and determine the necessary steps to prevent similar data breaches in the future. This could entail investigating the cause of the data breach and developing a prevention plan if necessary. A prevention plan may include a security audit of both physical and technical security; a review and/or development of policies and procedures; and a review of employee training.

    4. Disciplinary Actions. Discipline can result for failure to protect equipment or information, as well as for a manager's failure to supervise and train as it pertains to PII. A BU data owner whose employee experiences a data loss, theft, or disclosure, or asset loss or theft, because he or she did not properly safeguard the data or asset, must contact the servicing Labor Relations Specialist to discuss the appropriateness of any disciplinary action. For disciplinary actions related to losses or thefts of laptops or other electronic devices, the loss, theft or disclosure of PII/sensitive information, or improperly safeguarding electronic or paper records, see Document 11500, IRS Manager’s Guide to Penalty Determinations, and IRM 6.751.1, Discipline and Disciplinary Actions: Policies, Responsibilities, Authorities, and Guidance.

    5. Contacting Potentially Impacted Individuals. It is the responsibility of the IRS Business Unit/data owner to contact the potentially impacted individual of a data breach in which a document, or remittance in the form of a personal check, was lost or stolen, to explain that the original document or remittance was lost/stolen, and to request that the individual resend the document/remittance. Established functional taxpayer contact processes must be followed when requesting replacement documents or remittances from the potentially impacted individual.

      Note:

      Contact with the potentially impacted individual may include a brief explanation of the data breach, e.g., "a package was lost in shipment". If the Business Unit/data owner has any questions about contacting the potentially impacted individual about the data breach, he or she may contact PGLD/IM at 267-466-0777, or the *PII mailbox at pii@irs.gov. Do not share the telephone number or mailbox address with the potentially impacted individual.

  3. For the definition of Reporting Employee and Data Owner, see IRM 10.5.4.1.5, Terms, and Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Measures and Reports

  1. PGLD/IM has established Business and Organizational measures to measure the timeliness of IRS data breach notifications to potentially impacted individuals of IRS data breaches. See IRM 10.5.4.4.6.3, Timeliness of the Data Breach Notification.

  2. PGLD/IM provides reports on Business Performance as it relates to IRS data breaches to Points of Contact within each Business Unit.

    1. Quarterly Scorecard Report. This report lists the number of reported data breaches received by PGLD/IM per quarter per BOD.

    2. Annual Trend Analysis Report. This report contains an analysis of the data breaches that involved the disclosure of PII or the loss or theft of IRS assets containing PII reported to PGLD/IM to identify trends and identify areas where actions can be taken, such as employee education and training, to reduce the number of data breaches, thereby reducing the potential exposure of PII.

Terms

  1. Incident. OMB M-17-12 defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

    1. An incident involving the loss or theft of an IRS asset containing PII, or the loss or theft of a physical document that includes PII, or the inadvertent unauthorized disclosure of PII, is known as a data breach. See the Data Breach definition below. Often, an occurrence may be first identified as an incident, but later identified as a data breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

  2. Data Breach. A data breach is a type of incident involving a loss, theft, or inadvertent unauthorized disclosure of PII. OMB M-17-12 defines a data breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or, (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

    1. A data breach is not limited to an occurrence where a person other than an authorized user potentially accesses PII by means of a network intrusion, a targeted attack that exploits website vulnerabilities, or an attack executed through an email message or attachment. A data breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information. It may also include an authorized user accessing PII for an other than authorized purpose. Often, an occurrence may be first identified as an incident, but later identified as a data breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

    2. Some common examples of a data breach include:

    • A laptop or portable storage device storing PII is lost or stolen.

    • An email containing PII is inadvertently sent to the wrong person.

    • A box of documents with PII is lost or stolen during shipping.

    • An unauthorized third party overhears agency employees discussing PII about an individual seeking employment or Federal benefits.

    • A user with authorized access to PII sells it for personal gain or disseminates it to embarrass an individual.

    • An IT system that maintains PII is accessed by a malicious actor.

    • PII that should not be widely disseminated is posted inadvertently on a public website.

  3. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum 17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf.

    1. The term PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

    2. For more information about PII, visit the Personally Identifiable Information page in the Disclosure and Privacy Knowledge Base, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx and see IRM 10.5.1, Privacy and Information Protection, Privacy Policy, and IRM 10.8.1, Information Technology (IT), Security, Policy and Guidance, Personally Identifiable Information (PII).

  4. Sensitive But Unclassified (SBU) Information. Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act.

    1. SBU data includes, but is not limited to: Tax information (Federal Tax Information (FTI)), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, systems information, enforcement procedures, and investigation information.

    2. SBU data includes subsets of protected information which many IRS personnel handle on a daily basis, such as PII and tax information. It also includes other subsets, such as procurement and systems information.

    3. For more information about SBU, see Sensitive But Unclassified (SBU) Data, on the Personally Identifiable Information page on the Disclosure and Privacy Knowledge Base, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx and IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  5. Tax Information. The term tax information refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC § 6103. The law defines return information as any information the IRS has about a tax return or liability determination.

    1. Return information includes, but is not limited to, a taxpayer’s: identity; income, payments, deductions, exemptions, or credits; assets, liabilities, or net worth; and tax liability investigation status (whether the IRS ever investigates or examines the return).

    2. Redacting, masking, truncating, or sanitizing tax information does not change its nature. It’s still tax information.

    3. Tax information in IRS business processes comes under many names, such as FTI, IRC § 6103-protected information, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII.

    4. Tax information is SBU data. IRC § 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC § 6103(b)(2)].

    5. Release of tax information (whether of an individual or business) is restricted by the confidentiality provisions of IRC § 6103(a).

    6. For more information about tax information, see IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  6. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool. SPIIDE is a Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit.

  7. Data Owner. The data owner is the Business Unit that has responsibility for the information and is therefore responsible for containment and mitigation of the data breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporting employee is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.

  8. Reporting Employee. The reporting employee is the employee who identifies/recognizes a data breach and reports the data breach as required. The reporting employee is responsible for reporting all pertinent information relative to the data breach.

  9. For a full listing of IM terms and their definitions, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Acronyms

  1. The table below lists commonly used acronyms and their definitions:

    Acronym | Definition
    BRT | Breach Response Team
    BU | Business Unit
    BYOD | Bring Your Own Device
    IM | Incident Management
    OMB | Office of Management and Budget
    PGLD | Privacy, Governmental Liaison and Disclosure
    PII | Personally Identifiable Information
    PIIWG | PII Working Group
    PIPDS | Privacy, Information Protection and Data Security (name changed to Privacy, Governmental Liaison and Disclosure (PGLD))
    PPC | Privacy Policy and Compliance
    SPIIDE | Safeguarding Personally Identifiable Information Data Extracts
    SBU | Sensitive But Unclassified

  2. For a full listing of IM terms, definitions, and acronyms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms, Definitions, and Acronyms.

Related Resources

  1. For additional information and guidance concerning incident/data breach reporting, see the following internal resources (for IRS use only):

    1. The Disclosure and Privacy Knowledge Base located at https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx

    2. The Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets or BYOD Assets page located on the Disclosure and Privacy Knowledge Base at https://portal.ds.irsnet.gov/sites/vl003/lists/reportlossestheftsdisclosures/landingview.aspx.

    3. The If/Then Guide for Reporting Breaches located at https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/IfThen%20Guide%20for%20Reporting%20Breaches%20-%20Rev08222018.pdf.

  2. OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget home page at https://www.whitehouse.gov/omb/memoranda/.

    1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

    2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

    3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

    4. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

    5. M-12-18, Managing Government Records Directive, November 28, 2011

    6. M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices, October 3, 2014

    7. M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015

    8. M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016

    9. M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 3, 2017. This Memorandum rescinded and replaced OMB M-07-16, OMB M-06-19, OMB M-06-15 and Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006).

  3. Other Federal Guidance.

    1. The Federal Information Security Modernization Act of 2014 (FISMA) (Pub. L. No. 113-283, Title II), December 2014, amended the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) set forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.

    2. The President’s Identity Theft Task Force created a strategic plan to combat identity theft. The documents are available on the Federal Trade Commission website under News and Events/Press Releases at https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive.

  4. IRS Internal Revenue Manuals.

    1. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

    2. IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

    3. IRM 1.15, Records and Information Management series.

    4. IRM 11.3, Disclosure of Official Information.

  5. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues are provided in the table below.

    # | Title | Description | Link | Owner
    1 | Internal Revenue Service (IRS) Website | IRS Identity Protection home page | https://www.irs.gov/identity-theft-fraud-scams | IRS
    2 | Internal Revenue Service (IRS) Website | Taxpayer Guide to Identity Theft | https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft | IRS
    3 | Federal Trade Commission (FTC) Identity Theft Website | Visit ftc.gov/idtheft for prevention tips and free resources. | https://www.consumer.ftc.gov/features/feature-0014-identity-theft | FTC
    4 | Federal Trade Commission (FTC) Identity Theft Website | IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide taxpayers through the recovery process. It also allows taxpayers to file Form 14039 online. | https://www.identitytheft.gov/ | FTC
    5 | Federal Trade Commission (FTC) data breach information | The FTC provides specific guidance for when a data breach involves SSNs, payment card information, bank accounts, driver’s licenses, children’s information, and account credentials. | https://www.identitytheft.gov/Info-Lost-or-Stolen | FTC
    6 | Internal Revenue Service (IRS) Form 14039, Identity Theft Affidavit | Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that someone used his or her information to file taxes or to report that he/she is a victim of identity theft. | Form 14039 | IRS
    7 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud | DOJ
    8 | Taxpayer Advocate Service (TAS) Website | Taxpayer Advocate Service home page | https://www.irs.gov/advocate | TAS
    9 | Social Security Administration (SSA) Website | Social Security Administration (SSA) home page | https://www.ssa.gov | SSA
    10 | Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number | Social Security Administration (SSA) Publication | https://www.ssa.gov/pubs/EN-05-10064.pdf | SSA
    11 | Identity Theft Task Force Webpage on the Federal Trade Commission (FTC) Website | President's Task Force on Identity Theft | https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive | Identity Theft Task Force
    12 | IRS Phishing Website | Instructions on how to report and identify phishing, email scams, and bogus IRS websites | https://www.irs.gov/uac/report-phishing | IRS
    13 | Credit Bureaus/Credit Reporting Agencies | Direct links to the three recognized credit bureaus/credit reporting agencies: Equifax, Experian, and TransUnion | http://www.equifax.com, http://www.experian.com, http://www.transunion.com/ | Equifax, Experian, and TransUnion
    14 | IRS Pub 4523 | Beware of Phishing Schemes | https://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS
    15 | IRS Pub 4524 | Security Awareness and Identity Theft | https://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS
    16 | IRS Pub 5027 | Identity Theft Information for Taxpayers | | IRS
    17 | Identity Theft Resource Center® (ITRC) Website | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC
    18 | OnGuard Online Website | Identity theft prevention tips from the federal government and technology industry | https://www.consumer.ftc.gov/features/feature-0038-onguardonline | FTC
    19 | IRS Pub 1075 | Tax Information Security Guidelines for Federal, State and Local Agencies | https://www.irs.gov/pub/irs-pdf/p1075.pdf | IRS

  6. Internal IRS intranet links that provide information on identity theft, identity theft-related issues, and data breaches are provided in the table below. Do not share these resources with taxpayers as they are for internal use only; taxpayers won’t be able to access them via the links provided in the table below.

    # | Title | Description | Link | Owner
    1 | Disclosure and Privacy Knowledge Base | Disclosure and Privacy homepage in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx | PGLD
    2 | Disclosure and Privacy Knowledge Base, Report Losses, Thefts and Disclosures page | Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets or BYOD Assets page in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/lists/reportlossestheftsdisclosures/landingview.aspx | PGLD
    3 | Privacy, Governmental Liaison and Disclosure (PGLD) e-Trak Privacy on-line application | Privacy, Governmental Liaison and Disclosure (PGLD) PII Breach Reporting Form | https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2 | PGLD
    4 | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Guide | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Guide for reporting data breaches in the Disclosure and Privacy Knowledge Base | https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/IfThen%20Guide%20for%20Reporting%20Breaches%20-%20Rev08222018.pdf | PGLD
    5 | Computer Security Incident Response Center (CSIRC) Website | Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form | https://www.csirc.web.irs.gov/incident/ | IT (Information Technology)
    6 | Situational Awareness Management Center (SAMC) | Situational Awareness Management Center (SAMC) Incident Reporting Form for Reporting Physical Security Incidents | https://tscc.enterprise.irs.gov/irc/ | SAMC
    7 | IRM 1.2.25, Servicewide Policies and Authorities, Policy Statements for Security, Privacy and Assurance Activities | IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | IRM 1.2.25.2, P-10-1 (formerly P-25-1) | IRS
    8 | IRM 25.23, Identity Protection and Victim Assistance | Identity protection and victim assistance IRM | IRM 25.23 | IRS

Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII and sensitive information.

    Note:

    Failure to properly protect PII and sensitive information can result in disciplinary actions including admonishment, written reprimand, suspension or removal.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by PGLD. These briefings provide information about privacy, disclosure, computer security, and UNAX to all employees.

Reporting Losses, Thefts and Disclosures

  1. All IRS employees are required to report, within one hour, the loss or theft of an IRS IT asset, an asset in the Bring Your Own Device (BYOD) program, or a hardcopy record or document containing PII or sensitive information, and the inadvertent unauthorized disclosure of PII or sensitive information, whether in electronic, verbal or hardcopy form.

    Note:

    Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, email messages (printed), and personnel and job application information.

  2. Contractors and their employees must be aware of their responsibilities under the law to safeguard PII and sensitive information, the procedures to follow when data is lost or compromised, and the penalties for unauthorized disclosure of PII and sensitive information. Contractors should refer to Data Breach Information for IRS Contractors on irs.gov at https://www.irs.gov/about-irs/procurement/data-breach-information-for-irs-contractors, Pub 4465-A, Protecting Federal Tax Information for Contractors, and Publication 4812, Contractor Security Controls, for information about a contractor’s responsibilities to protect Federal Tax Information (FTI) and incident/data breach response and reporting procedures.

Timely Reporting: Within One Hour

  1. All data breaches involving personally identifiable information must be reported within one hour of discovery.

  2. The timely reporting, within one hour, of all inadvertent unauthorized disclosures of PII and sensitive information, and all losses or thefts of PII and sensitive information and IRS IT assets and "BYOD" assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

Intentional Unauthorized Disclosures of Tax Information

  1. Data breaches involving intentional unauthorized disclosures of PII and sensitive information must be reported to the Treasury Inspector General for Tax Administration (TIGTA) as soon as possible. See IRM 11.3.1.10, Reporting Unauthorized Accesses or Disclosures, and IRM 11.3.38.5, Reporting Suspected Willful Unauthorized Accesses or Disclosures, for additional information. See also Section 7213 of Title 26 which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets, BYOD Assets and Hardcopy Records/Documents

  1. It is critical to report an incident/data breach as soon as actionable information is available so a response/reaction can be initiated. Incident/data breach updates and any additional notifications to TIGTA and/or Law Enforcement (see (3) and (4) below) can be completed after the initial report to the Office of Taxpayer Correspondence (OTC), Privacy, Governmental Liaison and Disclosure/Incident Management Office (PGLD/IM), or the Computer Security Incident Response Center (CSIRC) is submitted.

  2. An employee who becomes aware of an inadvertent unauthorized disclosure of PII or sensitive information, or the loss or theft of an IRS IT asset or "BYOD" asset, or the loss or theft of a hardcopy record or document containing PII or sensitive information, is required to report the incident/data breach within one hour to his or her manager and to one of the following offices, based on what was lost, stolen, or disclosed:

    1. The Office of Taxpayer Correspondence (OTC). If the data breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email, report it to OTC, using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form, at http://cmis.web.irs.gov/STACI/redbutton.aspx. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. See IRM 25.13.1.3, Erroneous Correspondence Procedures - Report Erroneous Correspondence Process. The OTC will notify the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), as necessary after an initial analysis of the data breach. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of data breaches to PGLD/IM, lessens the operational impact of reporting a data breach, and focuses resources on correcting the error to prevent additional data breaches/losses.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, for additional information about erroneous correspondence procedures and the instructions to follow when handling erroneous taxpayer correspondence sent to the wrong person.

    2. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM). If the data breach involves an inadvertent unauthorized verbal disclosure of PII/sensitive information, or lost/stolen hardcopy records or documents containing PII/sensitive information, or packages containing PII/sensitive information lost/stolen during shipment, or lost/stolen remittances containing PII/sensitive information, report it to PGLD/IM, using the PII Breach Reporting Form at https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2. Call 267-466-0777 if you have any problems with the online form or any questions about completing the online form.

      Note:

      The loss or theft of official records (whether the records contain PII or not) is also reported via the PII Breach Reporting Form at https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2. PGLD/IM reviews all PII Breach Reporting Forms and alerts the Records and Information Management (RIM) Program Office if official records have been reported as lost or stolen on the PII Breach Reporting Form, in accordance with IRM 1.15.3.4, Unauthorized or Accidental Destruction of Records, which states that any unauthorized, unlawful, or accidental destruction, defacing, or alteration of records in an employee’s custody or the IRS custody must be reported to the Records Specialist (formerly Area Records Managers (ARM)) or the IRS Records Officer.

    3. The Situational Awareness Management Center (SAMC). If the incident involves lost or stolen Smart-ID cards or lost or stolen pocket commissions (credentials), report it to SAMC (within 30 minutes) using SAMC’s Incident Reporting Link at https://tscc.enterprise.irs.gov/irc/. Note that all physical security incidents and/or threats are also reported to SAMC. Visit FMSS Incident Reporting at http://awss.web.irs.gov/FMSS/Incident-Reporting.html to learn more about SAMC.

    4. The Computer Security Incident Response Center (CSIRC). If the incident/data breach involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.), or a non-government furnished/personally owned mobile device that accesses, processes, transmits, or stores IRS information, in support of the Bring Your Own Device (BYOD) program, report it to CSIRC using the Computer Security Incident Reporting Form at https://www.csirc.web.irs.gov/incident/, or by calling 240-613-3606.

      Note:

      If the incident/data breach involves both the loss or theft of an IRS IT asset, e.g., the loss or theft of an IRS issued laptop, flash drive, etc., or BYOD asset, and the loss or theft of hardcopy records or documents containing PII/sensitive information, packages lost during shipment, etc., report the data breach to CSIRC. Do not report it to PGLD/IM.

  3. The Treasury Inspector General for Tax Administration (TIGTA). You must also report the incident/data breach to the Treasury Inspector General for Tax Administration (TIGTA), if the incident/data breach involves a loss or theft of an IRS IT asset or non-IRS IT asset (BYOD device), e.g., computer, laptop, router, printer, removable media (CD/DVD, flash drive, floppy, etc.), or a loss or theft of hardcopy records/documents containing PII/sensitive information, at 800-366-4484.

  4. Local Law Enforcement. If the incident/data breach involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

    Note:

    Visit the Report Losses, Thefts or Disclosures page in the Disclosure and Privacy Knowledge Base at https://portal.ds.irsnet.gov/sites/vl003/lists/reportlossestheftsdisclosures/landingview.aspx and the IF/THEN Guide at https://portal.ds.irsnet.gov/sites/vl003/RelatedResources/IfThen%20Guide%20for%20Reporting%20Breaches%20-%20Rev08222018.pdf, for additional information and guidance. If you are a Flexiplace (Telework) employee (Occupational or Situational) or a Mobile employee, print a copy of the If/Then Guide for the office and one to keep at home in case your IT asset is lost or stolen, and you can’t access IRWeb.

Inadvertent Accesses of Tax Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access.

  2. Form 11377 may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to PGLD/IM, CSIRC or OTC.

"No Reporting" Situations

  1. The following are examples of situations which require no reporting to PGLD/IM, CSIRC, OTC, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing PII/sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    5. An IRS employee follows procedures in IRM 21.1.3.12, Suicide Threats, to disclose a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure, TIGTA, SAMC, and the Office of Employee Protection, no reporting to PGLD/IM is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, IRM 10.2.8, Incident Reporting, IRM 11.3.34.3, Expedited Procedures in Emergency Situations, and the Governmental Liaison, Disclosure and Safeguards (GLDS) Unique Situations webpage at https://portal.ds.irsnet.gov/sites/vl003/Lists/UniqueSituations/LandingView.aspx for the procedures to follow when a taxpayer threatens suicide or when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Report Erroneous Correspondence Process, for additional information about erroneous correspondence procedures and the instructions to follow when handling erroneous taxpayer correspondence sent to the wrong person.

PGLD/Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS data breaches by PGLD/IM as well as notification to potentially impacted individuals.

PGLD/Incident Management Intake

  1. When an IRS data breach or incident occurs, depending on what was lost, stolen, or disclosed, employees report the data breach or incident to the Computer Security Incident Response Center (CSIRC), the Office of Taxpayer Correspondence (OTC), or PGLD/IM through an on-line reporting form that uploads directly to e-Trak.

    1. A data breach is reported to PGLD/IM if the breach involves an inadvertent unauthorized verbal disclosure of PII or sensitive information, or lost/stolen hardcopy records or documents containing PII or sensitive information, packages containing PII or sensitive information lost/stolen during shipment, etc.

    2. A data breach is reported to OTC if the breach involves taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, EEFaxes, and other electronic transmissions such as email.

    3. An incident/data breach is reported to CSIRC if the incident/breach involves the loss or theft of an IRS IT asset or an asset in the Bring Your Own Device (BYOD) program, or if it involves multiple assets, i.e., an IRS IT asset and hardcopy records or documents containing PII/sensitive information. Note that the form and instructions for incidents/data breaches involving IT assets are different from the forms and instructions for all other data breaches.

  2. After a data breach is reported, members of the IM team receive notification via email (delivered to the PII mailbox) from either CSIRC or e-Trak. The email contains the information necessary to conduct a risk assessment and also to determine if the data breach meets high-risk breach criteria.

    1. The PII mailbox (*PII) is a centralized communication tool used by the IM Team to send and receive all communications throughout the data breach intake process. Data breach summaries with a brief description of the data breach are automatically sent via email to the PII mailbox whenever data breaches are reported to CSIRC via the Computer Security Incident Reporting Form or to PGLD/IM via the Breach Reporting Form.

      Note:

      Incident Management Intake may also include events received from SPIIDE for investigation.

  3. After PGLD/IM performs an initial assessment of the data breach, if PII or SBU data is involved, PGLD/IM will review the information submitted and will, if necessary, request additional information to fully assess the data breach to complete the risk assessment. PGLD/IM will send an Impacted Individuals and/or Business Excel Spreadsheet to the reporting IRS employee and the employee's manager unless the data breach is input through the online format in which case the reporting employee and manager will receive the spreadsheet as an attachment to the email received from e-Trak. The reporting employee is responsible for providing the tax identification numbers of the potentially impacted individuals and emailing the spreadsheet via secure email to *PII.

    1. The PGLD/IM and CSIRC Breach/Incident Reporting Forms provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Business Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the data breach.

High-Risk Data Breaches

  1. A high-risk data breach is defined as one that represents significant risk to:

    1. Customers: Affects a significant number of individuals or high profile individuals;

    2. Business Results: Overwhelming increase of phone traffic, reduced taxpayer access to IRS systems or online applications, negative effect on revenue protection; or,

    3. IRS Reputation: Potential for extensive media involvement or negative exposure.

  2. A Breach Response Team (BRT) will be convened for high-risk data breaches and for any data breach that constitutes a major incident (as defined in OMB guidance) to address the additional concerns and communication issues that may be involved with these types of data breaches. The purpose of the BRT is to provide a swift, effective and orderly response to these types of data breaches. The team is led by the Breach Coordinator (BC) and is composed of cross-functional representatives authorized to take the necessary steps to contain, mitigate or rectify a data breach, mitigate the vulnerability of taxpayer data, and rebuild trust. Participating members of the BRT can vary based on the nature and scope of the data breach and the potential risk to taxpayers.

  3. PGLD/IM reports high-risk data breaches to the Facilities Management and Security Services (FMSS) Threat Information and Critical Incident Response Initiative (TIRC). The TIRC is comprised of staff from FMSS, the Treasury Inspector General for Tax Administration-Criminal Intelligence and Counterterrorism Group (TIGTA-CICT), Criminal Investigation (CI), Federal Protective Service (FPS), the Computer Security Incident Response Center (CSIRC), and the Office of Privacy, Governmental Liaison and Disclosure (PGLD). The mission of the TIRC is to identify and mitigate threats and to record countermeasures and mitigation strategies as they pertain to Federal tax administration and the IRS, for the protection of service operations. Reporting to SAMC may also be required if that reporting does not lead to SAMC Leadership messaging and communication is warranted based on the circumstances of the event.

  4. Managers have tools to help them take the proper steps if their area of control has a high-risk data breach.

    1. The High-Risk Breach Quick Reference Guide contains the high-level process to follow when a high-risk data breach is identified.

    2. The Data Breach Response Playbook contains detailed procedures on the proper steps to take if your area of control has a high-risk data breach to help you minimize harm to taxpayers, document the data breach, and manage the risk assessment process.

OMB Major Incidents

  1. FISMA 2014 requires the Office of Management and Budget (OMB) to define the term "major incident" and directs agencies to report major incidents to Congress within 7 days of identification.

  2. A "major incident" as defined by OMB M-17-05 is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

  3. A data breach constitutes a "major incident" when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a "major incident".

  4. PGLD/IM coordinates with Treasury for the appropriate actions and reporting, including reporting to Congress, whenever a data breach is identified as an OMB major incident.

PGLD/Incident Management Risk Assessment

  1. PGLD/IM assesses the risk of harm to individuals potentially impacted by data breaches involving the disclosure, loss, or theft of PII. When assessing the risk of harm to individuals potentially impacted by a data breach, the potential harms that could result from the loss or compromise of PII must be considered. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, financial harm, the disclosure of contact information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem. Additionally, the Privacy Act requires the IRS to protect against any anticipated threats or hazards to the security or integrity of records which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. The IRS must consider any and all risks relevant to the data breach, which may include risks to the IRS, IRS information systems, IRS programs and operations, other Treasury Bureaus, the Federal Government, or national security. These additional risks may properly influence the IRS’ overall response to a data breach and the steps the IRS must take to notify individuals.

  2. PGLD/IM performs a risk assessment to evaluate the likely risk of harm for all reported IRS data breaches, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the data breach into one of four levels: No Impact, Low Impact, Moderate Impact, and High Impact. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data breach must be given.

  3. PGLD/IM uses the following three-step methodology to assess the risk of harm for all reported IRS data breaches:

    1. Step 1: Examine key factors. Each of the three factors identified by OMB M-17-12 (the nature and sensitivity of the PII potentially compromised by the data breach; the likelihood of access and use of the PII potentially compromised by the data breach; and the type of data breach) is assessed in relation to the specific data breach to determine the potential likelihood of harm to individuals. See (4) below for additional information on the risk assessment factors.

    2. Step 2: Determine risk factor ratings. Each of the three factors is rated based on its impact level (high, moderate, low, or no impact), with corresponding points from 3 to 0 assigned to each impact level.

    3. Step 3: Categorize or classify the data breach. Based on the total factor rating points, the data breach is categorized into one of four levels. Data breaches with total factor rating points between 8 and 9 are considered Level Three (High Impact). Potentially impacted individuals involved in a data breach categorized as Level Three (High Impact) will be sent a data breach letter.

  4. PGLD/IM considers the following key factors and considerations when conducting a risk assessment to determine the potential likelihood of harm to potentially impacted individuals. Identifying the data elements involved in the data breach, i.e., the PII that was lost or disclosed, and assessing the impact of the data breach are key elements that must be considered when determining if, when, and how notification will be provided to potentially impacted individuals.

    1. Nature and Sensitivity of the PII. The nature and sensitivity of the PII potentially compromised by the data breach, including the potential harms that an individual could experience from the loss or compromise of the type of PII. At a minimum, the following items are considered when assessing the nature and sensitivity of the PII potentially compromised by a data breach:

      • Data Elements, including an analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together;

      • Context, including the purpose for which the PII was collected, maintained, and used;

      • Private Information, including the extent to which the PII, in a given context, may reveal particularly private information about an individual or constitutes information that an individual would generally keep private;

      • Vulnerable Populations, including the extent to which the PII identifies or disproportionately impacts a particularly vulnerable population; and

      • Permanence, including the continued relevance and utility of the PII over time and whether the information is easily replaced or substituted or will permanently identify an individual.

    2. Likelihood of Access and Use of the PII. The likelihood of access and use of the PII potentially compromised by the data breach, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means. The following items are considered when assessing the likelihood of access and use of PII potentially compromised by a data breach:

      • Security Safeguards, including whether the PII was properly encrypted, or rendered partially or completely inaccessible by other means;

      • Format and Media, including whether the format of the PII or the media on which it is maintained may make it difficult and resource-intensive to use;

      • Duration of Exposure, including how long the PII was exposed; and

      • Evidence of Misuse, including any evidence confirming that the PII is being misused, or that it was never accessed.

    3. Type of Data Breach. The type of data breach, including the circumstances of the data breach, as well as the actors involved and their intent. The following items are considered when determining the type of data breach:

      • Intent, including whether the PII was compromised intentionally, unintentionally, or whether the intent is unknown; and

      • Recipient, including whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient.

  5. After IM has completed its risk analysis of a data breach and developed a recommendation with regard to the appropriate response, data breaches categorized as "High Impact" are included in a Code Red Recommendations Report and presented to the Incident Management Associate Director for review and action if necessary.

  6. If the recommendation is to notify, then potentially impacted individuals are notified of the data breach via Letter 4281C, IM Breach Notification Letter.
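The three-step scoring above, together with the OMB major-incident threshold and the BRT and letter triggers stated earlier in this section, as an added worked example (not IRS code). Only the Level Three boundary (8 to 9 points) is given on the page, so lower totals are reported as "below Level Three" rather than mapped to invented boundaries; treating Level Three (High Impact) as the "high-risk" trigger for convening the BRT is an assumption.

```python
from dataclasses import dataclass

# Points per impact level, as stated in Step 2: high=3, moderate=2, low=1, no impact=0.
IMPACT_POINTS = {"high": 3, "moderate": 2, "low": 1, "none": 0}

# The three OMB M-17-12 factors listed in Step 1 (key names are this example's own).
FACTORS = ("nature_and_sensitivity", "likelihood_of_access_and_use", "type_of_breach")

# OMB major-incident headcount threshold stated on the page.
MAJOR_INCIDENT_INDIVIDUALS = 100_000


@dataclass
class BreachAssessment:
    total_points: int
    level: str
    send_letter_4281c: bool
    convene_brt: bool
    omb_major_incident: bool


def total_factor_points(ratings: dict) -> int:
    """Steps 1 and 2: sum the 0-3 points assigned to each of the three factors."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing factor rating(s): {sorted(missing)}")
    total = 0
    for factor in FACTORS:
        rating = str(ratings[factor]).lower()
        if rating not in IMPACT_POINTS:
            raise ValueError(f"{factor}: unknown impact rating {rating!r}")
        total += IMPACT_POINTS[rating]
    return total


def categorize(total_points: int) -> str:
    """Step 3: 8-9 points is Level Three (High Impact). The page does not give
    the boundaries of the other three levels, so nothing below 8 is guessed."""
    if not 0 <= total_points <= 9:
        raise ValueError("total factor rating points must be between 0 and 9")
    if total_points >= 8:
        return "Level Three (High Impact)"
    return "below Level Three (boundary not specified)"


def assess(ratings: dict, individuals_affected: int,
           demonstrable_national_harm: bool = False) -> BreachAssessment:
    """Combine the risk level with the page's response triggers:
    - Level Three breaches get Letter 4281C;
    - 100,000+ individuals, or likely demonstrable national harm, is an OMB major incident;
    - the BRT is convened for high-risk breaches (assumed: Level Three) and major incidents."""
    total = total_factor_points(ratings)
    high_impact = total >= 8
    major = individuals_affected >= MAJOR_INCIDENT_INDIVIDUALS or demonstrable_national_harm
    return BreachAssessment(
        total_points=total,
        level=categorize(total),
        send_letter_4281c=high_impact,
        convene_brt=high_impact or major,
        omb_major_incident=major,
    )


if __name__ == "__main__":
    # Constructed scenario: unencrypted SSNs mailed to an unknown recipient, 250 people.
    result = assess({"nature_and_sensitivity": "high",
                     "likelihood_of_access_and_use": "high",
                     "type_of_breach": "moderate"}, individuals_affected=250)
    print(result)
```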

The PII Working Group (PIIWG)

  1. The PII Working Group (PIIWG) consists of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. A Code Red Recommendations Report is presented to the PIIWG weekly by PGLD/IM for information only; no concurrence or approval by the PIIWG is required.

  2. The Privacy Policy and Compliance Advisory Committee (PPCAC) no longer exists. It was a committee comprised of executives from all key business and functional unit stakeholders. It was originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and data breach policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives.

PGLD/Incident Management Data Breach Notification - Letter 4281C

  1. The IRS, through PGLD/IM, will notify potentially impacted individuals if the evaluation of an IRS data breach results in a likelihood of harm to these individuals.

  2. The IRS, through PGLD/IM, will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS, through PGLD/IM, will identify individuals who have been sent Letter 4281C by marking each entity (on CC ENMOD and/or CC IMFOLE) with the IRS data breach (data loss) indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying the IRS Breach Tracking Indicator to IRS Data Breaches, for additional information.

  4. The objectives of communications in the event of a possible compromise of PII/sensitive information within the IRS are as follows:

    1. To comply with the Office of Management and Budget (OMB) and Treasury Department directives which mandate notification to potentially impacted individuals if there is a potential risk that the compromised data may be used by someone other than the owner of the information to commit a crime or fraud.

    2. To minimize the possible negative impact of the compromised data on the taxpayer/victim.

    3. To ensure the IRS' relationship with the impacted individual(s) will not be so damaged as a result of the data breach that it negatively impacts his or her tax filing and paying obligations.

Contents of the Data Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS data breaches using Correspondex Letter 4281C, IM Breach Notification Letter; however, the IRS may use a unique letter when deemed necessary and appropriate.

    Note:

    These procedures apply only to data breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. Remedial services such as identity protection services are offered to potentially impacted individuals of an IRS data breach as part of the overall OMB requirement regarding implementation of a data breach response program to mitigate the likely risk of harm.

  3. Data breach notifications will be written plainly and clearly, and will generally include the following information:

    1. A brief description of what happened, including the date of the data breach;

    2. To the extent possible, a description of the type of PII disclosed as a result of the data breach (e.g., name, SSN, date of birth, address, etc.);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free telephone number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity protection service at no cost, and the contact information for the vendor providing the service.

      Note:

      The IRS does not auto-enroll potentially impacted individuals. The potentially impacted individual must contact the vendor in order to sign up for the free identity protection service.

  4. The Privacy and Information Protection (PIP) toll-free telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

Data Breach Notification Signature

  1. The signature on the IRS data breach notification letter shall be that of the Director, Privacy Policy and Compliance (PPC).

Timeliness of the Data Breach Notification
  1. The IRS will notify individuals potentially impacted by IRS data breaches without unreasonable delay following the completion of the risk assessment process.

    Note:

    The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

  2. Business measures and lapse time goals were established to track/assess PGLD/IM and IRS performance. The FY18 measures and goals are:

    1. Measure 1: Lapse time (# of days) from Data Breach Report Date to the Data Breach Notification Letter Date. Goal: Median of 10 days or less.

    2. Measure 2: Lapse time (# of days) from the Data Breach Date to the Data Breach Notification Letter Date. Goal: Median of 24 days or less.

    3. Measure 3: Percentage of data breaches with a lapse time (# of days) of 30 days or less from the Data Breach Report Date to the Data Breach Notification Letter Date. Goal: Percentage of data breaches equal to or more than 94%. Measure 3 is reported to Treasury as part of OMB required reporting.
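The three FY18 measures, computed over a constructed set of breach records, as an added example (not IRS code). Field names and the rule that breaches still awaiting a letter are excluded from the computation are assumptions; the dates are made up.

```python
from datetime import date
from statistics import median

# FY18 goals stated on the page.
GOAL_M1_MEDIAN_DAYS = 10      # report date -> letter date, median
GOAL_M2_MEDIAN_DAYS = 24      # breach date -> letter date, median
GOAL_M3_MAX_DAYS = 30         # report date -> letter date, per breach
GOAL_M3_MIN_PERCENT = 94.0    # share of breaches meeting the 30-day lapse

# Constructed sample records (not real IRS data); letter_date None = letter not yet sent.
SAMPLE_BREACHES = [
    {"id": "B-1", "breach_date": date(2018, 3, 1),  "report_date": date(2018, 3, 5),  "letter_date": date(2018, 3, 12)},
    {"id": "B-2", "breach_date": date(2018, 3, 2),  "report_date": date(2018, 3, 3),  "letter_date": date(2018, 3, 20)},
    {"id": "B-3", "breach_date": date(2018, 2, 20), "report_date": date(2018, 3, 10), "letter_date": date(2018, 3, 18)},
    {"id": "B-4", "breach_date": date(2018, 3, 15), "report_date": date(2018, 3, 16), "letter_date": date(2018, 3, 25)},
    {"id": "B-5", "breach_date": date(2018, 1, 10), "report_date": date(2018, 3, 1),  "letter_date": date(2018, 4, 15)},
    {"id": "B-6", "breach_date": date(2018, 4, 1),  "report_date": date(2018, 4, 2),  "letter_date": None},
]


def lapse_days(start: date, end: date) -> int:
    """Calendar days from start to end; a letter dated before its breach/report is a data error."""
    days = (end - start).days
    if days < 0:
        raise ValueError(f"end date {end} precedes start date {start}")
    return days


def fy18_measures(records) -> dict:
    """Compute Measures 1-3 over breaches that have a notification letter date."""
    closed = [r for r in records if r.get("letter_date") is not None]
    if not closed:
        raise ValueError("no breaches with a notification letter date")
    report_to_letter = [lapse_days(r["report_date"], r["letter_date"]) for r in closed]
    breach_to_letter = [lapse_days(r["breach_date"], r["letter_date"]) for r in closed]
    within_goal = sum(1 for d in report_to_letter if d <= GOAL_M3_MAX_DAYS)
    return {
        "breaches_measured": len(closed),
        "measure_1_median_days": median(report_to_letter),
        "measure_2_median_days": median(breach_to_letter),
        "measure_3_percent_within_30": 100.0 * within_goal / len(closed),
    }


def goals_met(measures: dict) -> dict:
    """Compare each measure with its FY18 goal."""
    return {
        "measure_1": measures["measure_1_median_days"] <= GOAL_M1_MEDIAN_DAYS,
        "measure_2": measures["measure_2_median_days"] <= GOAL_M2_MEDIAN_DAYS,
        "measure_3": measures["measure_3_percent_within_30"] >= GOAL_M3_MIN_PERCENT,
    }


if __name__ == "__main__":
    m = fy18_measures(SAMPLE_BREACHES)
    print(m)
    print(goals_met(m))
```

On the constructed data the two median goals are met while Measure 3 falls short (one of five letters took 45 days), which is the pattern this measure is designed to surface since it is the one reported to Treasury.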

Means of Providing Data Breach Notifications
  1. The IRS will provide written notification to the individual's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the BRT, and consistent with applicable law, the IRS may notify external entities. In making its decision, the BRT will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the data breach (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the data breach (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

Ongoing Support

  1. Based on the circumstances of the data breach, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free telephone number staffed by trained IRS personnel to respond to general data breach-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on IRS data breaches that affect an individual's tax account, such as phishing schemes

  2. The PGLD/Incident Management Program is supported by Wage and Investment's (W&I) Accounts Management (AM). AM Customer Service Representatives (CSR)s support PGLD/IM by assisting individuals who call the Privacy and Information Protection (PIP) toll-free telephone number (866-225-2009) provided in Letter 4281C, IM Breach Notification Letter. AM CSRs are trained to respond to IRS data breach questions and questions about Letter 4281C.

Handling Inquiries About IM Data Breach Notification Letters
  1. These procedures apply only to data breach notifications; they do not apply to notifications made pursuant to 26 USC 7431(e). See IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  2. The contact telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. The 4281C Letter does not require individuals to contact the Internal Revenue Service; however, some individuals may call with questions or concerns about the letter. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

  3. In some instances, individuals who receive Letter 4281C may call an IRS telephone number other than the number provided in the letter (866-225-2009). If an IRS phone assistor other than an AM Customer Service Representative (CSR) receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), transfer the call to extension 92161 (for callers needing assistance in Spanish, use extension 92162).

  4. AM CSRs answer general data breach-related inquiries about the IRS data breach and prepare a Form 4442, Inquiry Referral Form, if the caller requests specific information about the data breach that the AM CSR is unable to answer. The Form 4442 is directed to PGLD's IM office in Philadelphia for resolution. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

  5. Correspondence (and any attachments) received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the local Image Control Team (ICT) for scanning and controlling. See IRM Exhibit 3.10.72-2, Correspondex "C" Letters - Routing Guide, IRM Exhibit 3.13.16-1, Appendix A - Document Types, Category Codes, IMF, IRM Exhibit 3.13.6-14, Appendix N - Document Types, Category Codes, Priority Codes, IDT - IMF, Doc Type: ID Theft: IDT5, and IRM 21.5.1.4.2.3, Clerical Function for the Image Control Team (ICT) Correspondence Imaging System (CIS), for information about ICT; IRM 21.5.1.5, Correspondence Imaging System (CIS) Procedures, for information about CIS procedures; and the Miscellaneous section of the Campus Program Locator Guide (located under the Who/Where tab) (http://serp.enterprise.irs.gov/databases/who-where.dr/transshipment.dr/campus_locator_guide/ICT.htm) to determine the address for your local ICT function. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    1. If scanning is not available, route the correspondence and any attachments received in response to Letter 4281C, or addressed to employee 0847999999, to AM. See the address table below, and IRM 10.2.13.4.4.1, Shipping Personally Identifiable Information (PII), for policy and guidance relating to protecting and handling PII/sensitive information.

    2. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) at 855-807-5720. ICT will review the correspondence and determine if a Referral to the IM office in Philadelphia is necessary.

    United States Postal Service (USPS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    Fresno, CA 93888-0025

    Private Delivery Service (PDS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    5045 East Butler Avenue, Fresno, CA 93727

  6. See the IRS Breach/Data Loss Frequently Asked Questions (FAQs) on SERP at http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs-breach-data-loss/faq.html, for a list of frequently asked questions about the IRS Breach Notification Letter (Letter 4281C) and general questions about IRS data breaches/data losses.

IMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. When taking calls from impacted individuals, a consistent and proper greeting is required. Refer to procedures in IRM 21.1.1.7, Communication Skills.

  2. Employees are required to authenticate callers to ensure the person calling is the individual impacted by the data breach. See IRM 25.23.12.3, Identity Theft Telephone Overview and General Guidance, for required use of the Integrated Automation Technologies (IAT) Disclosure tool and the High Risk Authorization (HRA) IAT tool to perform authentication; IRM 21.1.3.2.3, Required Taxpayer Authentication; and IRM 21.1.3.2.4, Additional Taxpayer Authentication.

  3. If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a Power of Attorney (POA) in connection with the data breach. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the data breach as a matter for which the POA has authority.

  4. High risk authentication per IRM 21.1.3.2.4, Additional Taxpayer Authentication, is also required. Ask the caller for the Breach Date and Breach Number as part of the authentication process. The Breach Date, if included in the letter, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. In some situations, a caller may want to receive as much information as possible about the data breach, but is not willing to provide his or her SSN/TIN. In these situations, the CSR may still answer general questions about the data breach and answer all the taxpayer's questions using the Frequently Asked Questions (FAQ), but a referral may not be made for any specific questions about the data breach. CSRs must be sensitive to the caller's tone and ensure they are given as much information as they are entitled to receive without the caller providing their TIN. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters.

  6. In some data breaches, impacted individuals receiving notices may be IRS employees. In these cases, follow guidance in IRM 21.1.3.8, Inquiries from IRS Employees.

BMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview
  1. Some of the impacted individuals may be business entities, and letters may be sent to business-related entities (sole proprietorships, corporations, LLCs, etc.). A caller may be required to be an owner of a small business or an officer of a corporation before employees are able to talk to him or her about the data breach. To ensure a caller is the appropriate individual allowed to receive information about the data breach, AM CSRs will need to conduct an identity check with the caller to determine if he or she is allowed to receive the information. See IRM 21.1.3.2.3, Required Taxpayer Authentication, for required use of the IAT Disclosure tool to perform authentication.

  2. In addition to the authentication probes outlined in IRM 21.1.3.2.3, Required Taxpayer Authentication, ask the caller for the BMF entity to provide the following information:

    • The Breach Number, located to the right and just above the Salutation (Dear Taxpayer) on Letter 4281C, and

    • The Breach Date, located in the first paragraph of Letter 4281C.

  3. If the caller is unable or unwilling to provide the EIN, tell the caller that a Referral may not be made for any specific questions about the data breach. See IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office, and IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters.

    Note:

    It will not be necessary to access any tax account information on the BMF case to assist the caller. If at any time you feel the caller is not entitled to receive general information, and the caller is insistent on receiving as much information as he or she can, be sure not to disclose any specific account information.

Free Identity Protection Service

  1. The IRS is offering an identity protection service at no cost to individuals potentially impacted by an IRS data breach if the risk assessment results in a likelihood of harm.

    Note:

    The IRS assigns a unique enrollment code/verification code via Letter 4281C, IM Breach Notification Letter, to each individual potentially impacted by an IRS data breach if the risk assessment results in a likelihood of harm. The potentially impacted individuals must contact the vendor in order to sign up for the free identity protection service.

    Note:

    A POA cannot sign up for the free identity protection service on behalf of his or her client.

  2. AM CSRs do not have access to the vendor’s system; therefore, CSRs cannot assist the caller with the enrollment.

  3. AM CSRs can assist with:

    • Providing the toll-free number for the vendor. See Note below.

    • Reviewing the online and telephone enrollment instructions included in Letter 4281C, IM Breach Notification Letter. See Note below.

    • Informing the individual that if he or she is having difficulty enrolling in the vendor’s system, he or she has the option of speaking with a live agent by calling the vendor. Remind the individual he or she will need to have his or her unique enrollment code/verification code (assigned in Letter 4281C) available when contacting the vendor. See Note below.

    • Ensuring the individual understands what he or she needs to do to monitor his or her credit report and other financial information. See Note below.

    Note:

    See the IRS Breach/Data Loss Frequently Asked Questions (FAQs) on SERP at http://serp.enterprise.irs.gov/databases/irm-sup.dr/irs-breach-data-loss/faq.html for a list of frequently asked questions about the IM Breach Notification Letter (Letter 4281C) and general questions about IRS data breaches/data losses and the identity protection vendors.

Fraud Alerts
  1. A Fraud Alert is a consumer statement added to an individual’s credit file that alerts creditors that the consumer may be a victim of fraud.

  2. This statement requires creditors to take certain steps to verify the consumer’s identity before establishing any new credit accounts in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.

  3. All three credit reporting agencies (Equifax, Experian, and TransUnion) have fraud reporting services. The consumer only needs to contact one of them. The agency initially contacted will notify the other two.

  4. A consumer can place a fraud alert on his or her credit file by contacting:

    • Equifax at 800-525-6285 or www.equifax.com

    • Experian at 888-397-3742 or www.experian.com

    • TransUnion at 800-680-7289 or www.transunion.com

  5. Callers may request a fraud alert anytime within 90 days of receipt of his or her Letter 4281C, IM Breach Notification Letter.

  6. AM CSRs will NOT suggest to the caller to solicit this service unless the caller inquires about it and expresses interest in it.

Referrals to PGLD’s Incident Management Office
  1. If a caller states he or she received a letter from the IRS about a data breach but lost or misplaced the letter, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  2. If a caller states he or she attempted to redeem the enrollment code included in the data breach letter but was told the enrollment code is expired, invalid, or does not work, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  3. If the caller requests additional information or details about the data breach, is unsatisfied with the limited information you can provide, and insists on receiving more information about the data breach than what was already provided, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral. See IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442.

  4. In addition to the required fields as noted in IRM 21.3.5.4.2, if available, include the Breach Date and Breach Number, as shown on the caller's letter, in the Referring To field (Box #5) of Form 4442/e-4442. The Breach Date, if included in the Letter 4281C, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Breach Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. A brief narrative must be completed in the Taxpayer Inquiry/Proposed Resolution section (Part III, Section B) of Form 4442/e-4442. Include in the Taxpayer Inquiry/Proposed Resolution section of the Form 4442/e-4442 the IRM reference (IRM 10.5.4.4.5.6) directing the referral, the reason you are making the referral, and a complete description of the caller’s issue. Also document the response time frame provided to the caller and the fax number for PGLD/IM.

  6. Inform the caller a referral has been completed in response to his or her inquiry. Tell the caller he or she will hear from us within 30 calendar days. See IRM 21.3.5.4, Referral Procedures.

  7. Document AMS with the details of the Referral. See IRM 10.5.4.4.7.8, Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters. EXCEPTION: If the AMS or CIS system is down, then narratives and/or case notes will not be required.

  8. All Forms 4442 will be collected by the Lead CSR at the beginning of each business day and faxed to the IM Office in Philadelphia. The IM EEfax number is listed on the Form 4442 Referral Fax Numbers list (Site: Philadelphia and Function: PGLD: Incident Management) located on the SERP Who/Where tab at http://serp.enterprise.irs.gov/databases/who-where.dr/referral_fax_numbers.htm.

  9. An analyst from PGLD/IM will contact the sender via secure email confirming receipt of the faxed Forms 4442. Once confirmation is made, the original Form 4442 can be destroyed. If no confirmation email is received within 48 hours from the fax date, re-faxing the Form 4442 will be required.

Caller Indicates He/She is a Victim of Identity Theft as a Result of an IRS Data Breach
  1. A caller who has already been notified of an IRS data breach via Letter 4281C may indicate he or she is already a victim of identity theft as a result of the IRS data breach and would like the IRS to assist him or her in dealing with the identity theft.

    Note:

    As part of the Identity Theft Program, AM will generally assist taxpayers whose situations meet TAS criteria 5 - 7 AND involve identity theft. See IRM 25.23.3.2.5, Identity Theft Assistance Request (ITAR) - General Information.

  2. AM CSRs will:

    • Apologize to the caller for any inconvenience.

    • Research the taxpayer's TIN thoroughly to see if there is a tax related issue related to the ID theft as defined in IRM 25.23.2.3.4, Identity Theft Research.

    • If a tax related issue is involved, see IRM 25.23.12.5, Tax-Related Identity Theft.

    • Input an Identity Theft Tracking Indicator as directed in IRM 25.23.2.4.4, Initial Allegation or Suspicion of Tax-Related Identity Theft - IMF Identity Theft Indicators.

  3. If the taxpayer is threatening litigation or legal action because the IRS data breach resulted in identity theft, in addition to the above actions, prepare a Form 4442, Inquiry Referral, to alert the IM Office of the possible litigation or legal action. See the referral procedures in IRM 10.5.4.4.7.6, Referrals to PGLD’s Incident Management Office.

Updating History on Accounts Management Services (AMS) for Calls About IRS Data Breach Notification Letters
  1. The Privacy and Information Protection (PIP) toll-free number, 866-225-2009, is included in Letter 4281C, IM Breach Notification Letter, as well as in the family of letters (Letter 4281-A, Letter 4281-B, Letter 4281-E, Letter 4281-F, and Letter 4281-G) developed for the Get Transcript data breach. Individuals who call the PIP toll-free number are automatically directed to the Identity Theft Product Line (Applications 161 and 162). AM CSRs working programs related to IM data breach notification letters are required to add an issue identifying the type of inquiry and to leave a brief narrative of what was covered with the caller.

    Exception:

    If the AMS or CIS system is down, then narratives and/or case notes will not be required.

    Note:

    Although the SSN is not shown on Letter 4281C, IM Breach Notification Letter, employees will need to secure the caller's SSN in order to update AMS. If the caller is unwilling to provide the employee with his or her SSN, it will not be possible to update AMS.

Undelivered Letter 4281C
  1. Undeliverable procedures must be followed. Refer to (3) of IRM 21.3.3.4.12.1.1, Undelivered Mail Procedures for Accounts Management, for research procedures for undeliverable mail.

  2. If a new address is found, address an envelope with the new address and mail the undeliverable Letter 4281C, IM Breach Notification Letter, to the new address.

  3. If a new address is not found, treat Letter 4281C as Classified Waste.

    Note:

    Because this process has to do with IRS data breaches, and not specifically tax related issues, a representative or a POA must not be contacted when referring to the Undeliverable procedures unless a POA specifically identifies the data breach.

Retention and Disposition

  1. IM will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data breach.

IRS Data Breach Tracking Indicator - Objectives

  1. The Incident Management Program tracks IRS data breaches to support the following objectives:

    1. Reduce taxpayer burden while addressing IRS data breaches.

    2. Increase operational efficiency of the IRS by detecting and processing reported IRS data breaches as early and consistently as possible.

IRS Data Breach Tracking Indicator - Development and Implementation

  1. PGLD developed an IRS data breach indicator Action Code to centrally track IRS data breaches.

  2. The IRS data breach indicator was implemented by PGLD to identify individuals whose PII was lost, stolen, or disclosed as a result of an IRS data breach.

  3. The IRS data breach indicator is input as a Transaction Code (TC) 971 with Action Code (AC) 505. The TC 971 AC 505 is displayed on the Integrated Data Retrieval System (IDRS) on the entity portion of each affected individual's account (CC ENMOD and CC IMFOLE).

Applying the IRS Data Breach Tracking Indicator to IRS Data Breaches
  1. The TC 971 AC 505 is an IRS Data Breach Tracking Indicator (also known as a Data Loss Tracking Indicator) - not an identity theft indicator.

  2. The TC 971 AC 505:

    1. Will not block, or prevent, online system access.

    2. Will not stop registration for online services, including registration for Get Transcript or an Identity Protection Personal Identification Number (IP PIN).

    3. Will not stop paper requests for a transcript (Form 4506/T).

  3. PGLD/IM inputs a TC 971 AC 505 on the entity portion of an individual's account (as long as the entity is established on the Master File) when all of the following occur:

    1. An individual's IRS-held PII was lost, disclosed, or stolen.

    2. The data breach risk assessment results in a likelihood of harm to the potentially impacted individuals.

    3. The IRS notifies the individual of the data breach via Letter 4281C, IM Breach Notification Letter, or similar letter in some circumstances (such as letters developed for the Get Transcript data breach).

    Example:

    Case files containing PII were lost while being shipped from one location to another. Since the data breach risk assessment resulted in a likelihood of harm, IM will send data breach notification letters to the potentially impacted individuals.

  4. Input of TC 971 AC 505 is limited and reserved for use by PGLD/IM employees; however, this indicator is visible and available for reference on the entity portion (CC ENMOD or CC IMFOLE) of an individual’s account. See Exhibit 10.5.4-2, TC 971 AC 505 — IRS Data Breach (Data Loss) Indicator, for more information about this indicator.

    Note:

    At the request of PGLD/IM, for large scale data breaches, the TC 971 AC 505 may be uploaded directly to CC IMFOLE by Return Integrity and Compliance Services (RICS).

  5. PGLD/IM inputs TC 971 AC 505 on an account regardless of the existence of any identity theft indicator codes that may be present on the account.

  6. There can be multiple IRS data breach indicators input/present on an individual's account. Each TC 971 AC 505 represents a different IRS data breach.

  7. In some instances, it may be necessary for PGLD/IM personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD/IM employees, Exhibit 10.5.4-3, TC 972 AC 505 — Reversal of TC 971 AC 505, is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

Glossary of Incident Management Terms, Definitions, and Acronyms

Access: The authority granted to employees and contractors that provides the opportunity to physically come into contact with (including, but not limited to, reading, transporting, and/or transcribing/interpreting) Sensitive But Unclassified (SBU) data in the performance of official duties; to enter an IRS facility without escort; and/or to log in to IRS systems with approved credentials.

Accounts Management (AM) Customer Service Representatives (CSRs): AM CSRs assist individuals impacted by IRS data breaches by answering general data breach related inquiries or preparing a Form 4442, Inquiry Referral, if the caller requests specific information about the data breach that the AM CSR is unable to answer. AM CSRs also provide assistance to individuals impacted by identity theft or individuals who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by AM CSRs even if the individual has not experienced any problems with, or received communications from, the IRS.

Audience: The employees responsible for taking action or who require knowledge about the program, process or activity.

Bring Your Own Device (BYOD): Bring Your Own Device is a concept that allows employees to use their personally owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices.

Computer Security Incident Response Center (CSIRC): Responsible for monitoring the IRS network 24 hours a day year-round for cyber attacks and computer vulnerabilities and for responding to various security incidents such as the theft of a laptop computer.

Data Breach: OMB M-17-12 defines a data breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person, other than an authorized user, accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.

Note:

See also the definition of "Incident".

Data Breach Incident: An incident involving a loss, theft, or inadvertent unauthorized disclosure of personally identifiable information. A few common examples include: a laptop or portable storage device storing PII is lost or stolen; an email containing PII is inadvertently sent to the wrong person; or a box of documents with PII is lost or stolen during shipping.

Data Breach Management: The process of managing data breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII.

Data Breach Notification: The process of notifying potentially impacted individuals following the evaluation of a breach which results in a likelihood of harm to these individuals.

Data Breach Risk Assessment: A risk assessment conducted on an IRS data loss, theft, or inadvertent unauthorized disclosure of personally identifiable information. The risk assessment includes factors that must be considered, specifically the context of the data breach and the data that was disclosed. Example - An IRS employee in the field loses a taxpayer case file. The case file contained PII data such as name, address, social security number, and other tax data. It is not known if the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification must be given to the potentially impacted individual.

Data Owner: The data owner is the Business Unit which has responsibility for the information and is therefore responsible for containment and mitigation of the data breach. For example, if a Power of Attorney (POA) tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporting employee is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.

Federal Information Processing Standards (FIPS): A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

Federal Information Processing Standards (FIPS) Publications: Publications issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).

Federal Trade Commission (FTC): An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.

Fraud Alert: A fraud alert is a consumer statement added to a credit file that alerts creditors that a consumer may be a victim of fraud. This statement requires creditors to take certain steps to verify the consumer's identity before establishing any new credit accounts in his or her name, issuing a new card on an existing account, or increasing the credit limit on an existing account.

Harm: Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
a) Potential for blackmail;
b) Disclosure of private facts;
c) Mental pain and emotional distress;
d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
e) Identity theft; or
f) Financial loss.

Identity Protection Specialized Units (IPSU): The IPSU assists taxpayers that are, or may become, victims of identity theft. The IPSU is comprised of paper teams as part of the Accounts Management Identity Theft Victim Assistance (IDTVA) function.

Identity Theft: Use of an individual's personal information, without the individual's permission, to commit fraud or other crimes.

Incident: OMB M-17-12 defines an incident as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. An occurrence is classified as an incident (rather than a data breach) if it involves SBU information but does not involve PII. Often, an occurrence may be first identified as an incident, but later identified as a breach once it is determined that the incident involves PII, as is often the case with a lost or stolen laptop or electronic storage device.

Note:

See also the definition of "Data Breach".

Incident Management (IM): Incident Management (IM) refers to the Office within Privacy, Governmental Liaison and Disclosure responsible for the process of managing data breaches involving the loss, theft, or inadvertent unauthorized disclosure of PII by the IRS.

Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.

Loss: Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, BlackBerry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data. A loss involving PII is known as a Data Breach.

Major Incident: OMB M-17-05, Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements, defines a major incident as any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. A data breach (see the definition of data breach above) constitutes a major incident when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII constitutes a major incident.

National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.

Office of Management and Budget (OMB): OMB assists the President in overseeing the preparation of the Federal budget and evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.

Personally Identifiable Information (PII): The term PII refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. See GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, at http://www.gao.gov/new.items/d08536.pdf; OMB 07-16, at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-16.pdf; OMB M-17-12, at https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf; and the PGLD webpage, Personally Identifiable Information, at https://portal.ds.irsnet.gov/sites/vl003/lists/pii/landingview.aspx for additional information.

Phishing: Phishing is a scam where Internet fraudsters send e-mail messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. See IRM 21.1.3.23, Scams (Phishing) and Fraudulent Schemes.

PII Data Breach Notification: See Data Breach Notification.

PII Working Group (PIIWG): A decision making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security.

Policy Owner: The IRS organization or the title of the executive (position only) responsible for the program.

Program Owner: The office which has primary responsibility for establishing the policy, process, and procedures to implement and manage the IRS program. Directors within this office are responsible for developing and publishing IRM procedures. The program owner is the IRM owner for the program.

Records and Information Management: In keeping with the Federal Records Act of 1950, as amended, and pursuant to Title 44, U.S.C. § 3102, the IRS established a records management program - renamed Records and Information Management (RIM) Program - to ensure the economical and efficient management of its records in the creation, maintenance, retrieval, preservation, and disposition of all records.

Reporting Employee: The reporting employee is the employee who identifies/recognizes a data breach and reports the data breach as required. The reporting employee is responsible for reporting all pertinent information relative to the data breach.

Risk: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.

Safeguard: Any action, device, procedure, technique, or other measure that reduces a system's vulnerability to a threat.

Safeguarding Personally Identifiable Information Data Extracts (SPIIDE): A Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.

Sensitive But Unclassified (SBU) Information: Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 U.S.C. § 552).

Sensitive Information: Information which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103), and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).

Theft: An asset, electronic or hardcopy, thought or known to have been taken without permission from the individual who is responsible for the asset.

Treasury Inspector General for Tax Administration (TIGTA): Provides oversight of Department of the Treasury matters involving Internal Revenue Service (IRS) activities, the IRS Oversight Board and the IRS Office of Chief Counsel.

Unauthorized Access: The willful unauthorized access and/or inspection of tax returns and return information.

Unauthorized Disclosure: An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.

Unreasonable Delay: A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the data breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means that if a data breach is discovered and all the information necessary to determine the scope of the data breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

Exhibit 10.5.4-2 TC 971 AC 505 — IRS Data Breach (Data Loss) Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure (PGLD) personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

TRANS-DT: TC 971 AC 505 input date.

SECONDARY-DT: Date the IRS data breach occurred.

MISC: The Breach Tracking Number (number assigned to the breach). This number begins with two alphas ("IR", "CR", or "PR") and is followed by 11 numeric digits. For example: IR20100211034

Exhibit 10.5.4-3 TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure (PGLD) personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. The reasons and the corresponding values for the MISC field are:

IRSERR (Keying or Internal Error): The 971 was due to a typographical mistake or another internal mistake.

IRSADM (Internally Identified Negative Impact): The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact.

OTHER (Other): The reason for the 971 reversal does not meet any of the above reason descriptions.
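The two exhibits above describe a small record layout: a TC 971 AC 505 whose MISC field carries a Breach Tracking Number (two alphas, IR, CR or PR, plus 11 digits) and a TC 972 AC 505 whose MISC field carries one of the reversal values IRSERR, IRSADM or OTHER. The following Python is an added example, not code from this IRM or from any IRS system, showing how an analyst reviewing the entity portion of an account could validate those fields and summarize the indicators present. The EntityTransaction class, the YYYY-MM-DD date strings, the sample postings and the treatment of a repeated tracking number as an anomaly are all assumptions of the example; only the field names, the tracking number format and the reversal values come from the exhibits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Breach Tracking Number carried in the TC 971 AC 505 MISC field: two alphas
# ("IR", "CR" or "PR") followed by 11 numeric digits, e.g. IR20100211034.
TRACKING_NUMBER_RE = re.compile(r"^(IR|CR|PR)(\d{11})$")

# TC 972 AC 505 MISC values and their meaning, from the reversal reason chart.
REVERSAL_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}

DATA_BREACH_AC = 505


@dataclass
class EntityTransaction:
    """One TC 971/972 posting on the entity portion of an account.

    The field names (TRANS-DT, SECONDARY-DT, MISC) follow the exhibit; the
    YYYY-MM-DD date strings are a constructed representation for this example,
    not the IDRS display format.
    """
    tc: int
    ac: int
    trans_dt: str
    misc: str
    secondary_dt: Optional[str] = None


def parse_tracking_number(value: str):
    """Return (prefix, digits) for a well-formed Breach Tracking Number.

    Raises ValueError for anything that is not IR/CR/PR plus exactly 11 digits.
    """
    match = TRACKING_NUMBER_RE.match(value.strip())
    if not match:
        raise ValueError(f"malformed Breach Tracking Number: {value!r}")
    return match.group(1), match.group(2)


def summarize_entity(transactions):
    """Summarize the data breach indicators posted on one entity.

    Returns the distinct tracking numbers of valid TC 971 AC 505 postings,
    the reason descriptions of TC 972 AC 505 reversals, and a list of
    anomalies worth a second look: malformed tracking numbers, unknown
    reversal values, and (an assumption of this example, based on each
    TC 971 AC 505 representing a different breach) a tracking number
    posted twice.
    """
    indicators, reversals, problems = [], [], []
    for tx in transactions:
        if tx.ac != DATA_BREACH_AC or tx.tc not in (971, 972):
            continue  # not part of the data breach tracking indicator
        if tx.tc == 971:
            try:
                prefix, digits = parse_tracking_number(tx.misc)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            number = prefix + digits
            if number in indicators:
                problems.append(f"duplicate indicator for breach {number}")
                continue
            indicators.append(number)
        else:  # tc == 972: reversal, MISC must be one of the chart values
            reason = REVERSAL_REASONS.get(tx.misc.strip().upper())
            if reason is None:
                problems.append(f"unknown TC 972 AC 505 MISC value: {tx.misc!r}")
                continue
            reversals.append(reason)
    return {"indicators": indicators, "reversals": reversals, "problems": problems}


# Constructed sample postings for one account (not real data).
SAMPLE_ENTITY = [
    EntityTransaction(971, 505, "2010-02-20", "IR20100211034", "2010-02-11"),
    EntityTransaction(971, 505, "2012-06-01", "CR20120515007", "2012-05-15"),
    EntityTransaction(972, 505, "2012-06-03", "IRSERR"),
    EntityTransaction(971, 505, "2013-01-10", "IR2013010100", "2013-01-01"),  # only 10 digits
    EntityTransaction(972, 505, "2013-01-12", "BOGUS"),  # not a chart value
    EntityTransaction(971, 501, "2014-03-03", "OTHER"),  # a different action code, ignored
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize_entity(SAMPLE_ENTITY))
```

The summary deliberately does not pair a TC 972 with a particular TC 971: the exhibit shows the reversal's MISC field holding only the reason value, so which indicator was reversed has to be determined from the account itself, not from the code alone.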