
10.5.4  Incident Management Program

Manual Transmittal

August 15, 2016

Purpose

(1) This transmits revised IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

Material Changes

(1) Reviewed and updated links and citations throughout.

(2) Updated links to PGLD webpages on IRWeb to pages in the Disclosure and Privacy Knowledge Base.

(3) Updated links to irs.gov to conform to the new irs.gov URL requirement for using all lowercase letters and numbers.

(4) Made editorial changes and updated text to improve clarity throughout the IRM.

(5) IRM 10.5.4.1.3 - Made editorial changes and updated links to pages in the Disclosure and Privacy Knowledge Base.

(6) IRM 10.5.4.2 (2) - Made editorial changes and deleted information concerning SPIIDE capabilities upon full deployment.

(7) IRM 10.5.4.3.3 - Added new (1); consequent paragraphs renumbered.

(8) IRM 10.5.4.3.3 - Made editorial changes and updated links to pages in the Disclosure and Privacy Knowledge Base.

(9) IRM 10.5.4.3.3 (2) (b) - Updated the telephone number from 267-941-7777 to 267-466-0777 due to the deployment of the Convergence Unified Communications technology.

(10) IRM 10.5.4.3.3 (2) (b) - Added an additional Note to advise that the loss or theft of official records must also be reported to the Records Specialist (formerly Area Records Managers (ARM)) or the IRS Records Officer as per IRM 1.15.3.1.3, Unauthorized or Accidental Destruction of Records.

(11) IRM 10.5.4.3.3.1 (1) (b) - Updated the telephone number from 267-941-7777 to 267-466-0777 due to the deployment of the Convergence Unified Communications technology.

(12) IRM 10.5.4.3.5 (1) (e) - Updated the Suicide Threats webpage link to the Suicide Threats page in the Disclosure and Privacy Knowledge Base; added SAMC as a reporting requirement; and added a citation to IRM 10.2.8, Incident Reporting.

(13) IRM 10.5.4.3.6 - Added Automated Data Loss Prevention (DLP) Tool to the title of the sub-section; made editorial updates in (1); and added (2) through (5) with additional information regarding Safeguarding Personally Identifiable Information Data Extracts (SPIIDE).

(14) IRM 10.5.4.4.1 - Added a new (4) to add a reporting requirement to TIRC for Level 1 incidents.

(15) IRM 10.5.4.4.4.3 - Added FY16 Business and Organizational goals; added new (4) with new OMB measure; consequent paragraph renumbered.

(16) IRM 10.5.4.4.5.1 (2) and (3) - Placement of paragraphs 2 and 3 reversed.

(17) IRM 10.5.4.4.5.1 (3) - Added a see also tag for IRM 10.5.4.4.5.6.

(18) IRM 10.5.4.4.5.1 (4) - Added procedures for forwarding correspondence received in response to Letter 4281C, or addressed to employee 0847999999, to the local Image Control Team (ICT) for scanning and controlling in accordance with existing IRM procedures in various sections.

(19) IRM 10.5.4.4.5.2 (2) - Added an IRM citation for IRM 25.23.3.2.3 as the TPP/HRA IAT tool is required to be used for all calls received on the IDT toll-free line (App 161/162).

(20) IRM 10.5.4.4.5.6 - Made editorial changes throughout; in (5) and (6) updated and clarified wording regarding Form 4442 and sections to be completed on Form 4442; in (9) deleted the IM fax number and added the location of the fax number on the Who/Where tab on the Servicewide Electronic Research Program (SERP).

(21) IRM 10.5.4.4.5.8 - Added for Calls Regarding IRS Data Loss Letters to the title of the sub-section and updated and clarified wording to explain that the requirement to document calls related to Incident Management/IRS data loss letters on AMS means that AM CSRs are required to add an issue to identify the type of inquiry as well as leave a brief narrative of what was covered with the caller on AMS.

(22) IRM 10.5.4.7 (1) (a) - Updated links to irs.gov and the United States Department of Justice website; added new #2, Taxpayer Guide to Identity Theft; renumbered all consequent rows; and replaced Pub 4535 with Pub 5027.

(23) IRM 10.5.4.7 (1) (b) - Made editorial changes and updated links to pages in the Disclosure and Privacy Knowledge Base.

(24) IRM Exhibit 10.5.4-1 - Updated definition of Personally Identifiable Information (PII) and Safeguarding Personally Identifiable Information Data Extracts (SPIIDE); added a definition for Level 1 (L-1) Incidents; and made editorial changes to other definitions.

(25) IRM Exhibit 10.5.4-2 - Updated the mailing address in Answer #33 and made editorial changes throughout.

(26) IRM Exhibit 10.5.4-3 - Added links to the President’s Identity Theft Task Force Reports under Other Federal Guidance.

Effect on Other Documents

IRM 10.5.4, dated October 15, 2015, is superseded.

Audience

The provisions in this manual apply to all divisions, functional units, managers, employees, and contractors within the Internal Revenue Service (IRS).

Effective Date

(08-15-2016)

Frances W. Kleckley
Director, Privacy Policy and Compliance
Privacy, Governmental Liaison and Disclosure

10.5.4.1  (10-15-2015)
Overview

  1. Purpose. This Internal Revenue Manual (IRM) section defines the mission, objectives, and governance structure of the Incident Management Program. It provides the organizational framework for carrying out specific policies and procedures aimed at timely reaction and appropriate responses to occurrences of IRS data losses, thefts, breaches and disclosures.

  2. Scope/Audience. The provisions in this manual apply Servicewide whenever Personally Identifiable Information (PII) is collected, created, transmitted, used, processed, stored, or disposed of, in support of the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors, Volunteer Income Tax Assistance/Tax Counseling for the Elderly volunteers, and any other outsourced providers doing business with the IRS.

  3. Responsibility/Accountability. All IRS employees, contractors, and persons with authorized access to PII are responsible and accountable for complying with federal and IRS privacy, information protection, and data security policies and procedures. Safeguarding and preventing the unauthorized disclosure of PII is a responsibility that is shared by all IRS employees and contractors. Lost, stolen or disclosed PII may be used to perpetrate identity theft or other forms of harm if the information falls into unauthorized hands.

  4. All tax, privacy, and security clauses must be included in contracts as required by IRM 11.3.24, Disclosures to Contractors. Contractor employees must be trained about sensitive information protection requirements as required in Treasury Regulation 301.6103(n)-1(d).

  5. For additional information about security controls, see IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and Publication 4812, Contractor Security Controls.

10.5.4.1.1  (10-15-2015)
Origins of the Incident Management Program

  1. Federal agencies have been instructed by the Office of Management and Budget (OMB) and the Department of the Treasury to address the increasing occurrence of identity theft and to safeguard Personally Identifiable Information (PII).

  2. The President’s Identity Theft Task Force recommended that Federal agencies improve their capacity to respond to PII data losses. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies. See Exhibit 10.5.4-3, References, for a list of other relevant OMB Memoranda, Federal Guidance, and Internal Revenue Manuals, and details about where to locate them.

  3. The Incident Management Program was created in response to OMB directives and the President's Identity Theft Task Force recommendations, and to ensure IRS compliance with OMB requirements for incident management and data loss notification. Consistent with the OMB directives, the IRS notifies potentially impacted individuals who are determined to be at high risk of harm following a PII data loss without unreasonable delay following a risk assessment of the incident.

  4. Since September 2007, the Incident Management Office (IM) (previously known as the ITIM Office) in PGLD (previously known as PIPDS) has been responsible for ensuring IRS incidents involving the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII, are investigated, analyzed and resolved by the Incident Management Team.

10.5.4.1.2  (10-15-2015)
PGLD/Incident Management Program Roles and Responsibilities

  1. Privacy, Governmental Liaison and Disclosure (PGLD), previously known as Privacy, Information Protection and Data Security (PIPDS). PGLD works with other business units to provide the IRS with the tools and resources necessary to protect sensitive taxpayer and employee data from potential identity theft due to IRS data loss.

  2. Incident Management (IM). This PGLD office manages the reporting, risk assessment, and tracking of IRS data loss incidents as well as data loss notification to individuals potentially impacted by the IRS data loss, in accordance with OMB M-07-16. IM has the following specific responsibilities related to administering the Incident Management Program in the IRS:

    1. Interpreting federal laws, regulations, and policies relating to the protection of Personally Identifiable Information (PII). See IRM 11.3.1, Introduction to Disclosure, for more information about Disclosure and the protection of personal information.

    2. Coordinating with other program areas in the IRS to ensure compliance with OMB Memorandum 07-16 and related directives.

    3. Receiving Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) events for investigation and addressing accordingly when received.

    4. Carrying out activities as required by the Privacy Policy and Compliance Advisory Committee (PPCAC).

    5. Identifying and tracking data loss incidents.

    6. Conducting risk assessments of data loss incidents.

    7. Mitigating risks associated with data loss incidents before substantial damage occurs.

    8. Preparing all reporting documentation pertaining to data loss incidents.

    9. Making notification recommendations regarding potentially impacted individuals based on assessed risk and consulting with appropriate law enforcement officials and other offices or authorities if necessary.

    10. Convening and facilitating the PII Working Group (PIIWG) to review all notification recommendations with the exception of notification recommendations for certain high risk level/high profile/sensitive breaches which are instead elevated to the PPCAC.

    11. Presenting certain high risk level/high profile/sensitive breach notification recommendations to the PPCAC.

    12. Supporting communications and other follow-up actions based on PPCAC notification decisions.

    13. Identifying emerging trends and developing appropriate strategies and responses.

    14. Improving procedures to reduce the occurrence of data loss incidents.

    15. Developing, defining, monitoring, and executing Incident Management policies and procedures.

    16. Overseeing the maintenance, publication, and conveyance of the Servicewide Incident Management Internal Revenue Manual.

    17. Communicating and coordinating with internal stakeholders to ensure consistency regarding data loss policy and issues.

10.5.4.1.3  (08-15-2016)
Definitions of Key Incident Management Terms

  1. Data Loss/Breach Incident. An incident involving a loss, theft, breach, or inadvertent unauthorized disclosure.

  2. Personally Identifiable Information (PII). The definition of personally identifiable information is provided by the Office of Management and Budget (OMB) in OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf.

    1. PII is any information about an individual maintained by an agency, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

    2. For further information about PII, visit the page in the Disclosure and Privacy Knowledge Base, Personally Identifiable Information What is PII?, at https://organization.ds.irsnet.gov/sites/vldp/Privacy/PII/Pages/default.aspx and IRM 10.8.1, Information Technology (IT), Security, Policy and Guidance, Personally Identifiable Information (PII).

  3. Sensitive But Unclassified (SBU) Information. Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For further information on SBU, visit the page in the Disclosure and Privacy Knowledge Base, Sensitive But Unclassified (SBU) Data What is SBU data?, at https://organization.ds.irsnet.gov/sites/vldp/Privacy/PPC/SBU-PII/SBU-Definition/Pages/default.aspx.

  4. Controlled Unclassified Information (CUI). A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. In the future, the designation CUI will replace Sensitive But Unclassified (SBU), but the exact time frame has not been determined by the IRS or Treasury. See IRM Exhibit 10.8.40-2, Glossary and Acronym List.

  5. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool. SPIIDE is a Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit. DLP is a tool that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.

  6. For a full listing of Incident Management terms, see Exhibit 10.5.4-1, Glossary of Incident Management Terms and Definitions.

10.5.4.2  (08-15-2016)
Incident Management Program

  1. The Incident Management Program includes the management of the IRS data loss reporting process, as well as the risk assessment and tracking of IRS data loss incidents and notification to individuals potentially impacted by IRS data losses.

  2. The Incident Management Program also includes interaction with CyberSecurity’s SPIIDE application, a tool which scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures. Incident Management may receive events for investigation and will address accordingly when received.

10.5.4.3  (10-15-2015)
Reporting Losses, Thefts and Disclosures

  1. All IRS employees are required to report the loss or theft of an IRS IT asset, or an asset in the Bring Your Own Device (BYOD) program, or hardcopy record or document containing sensitive information, or the inadvertent unauthorized disclosure of sensitive information, whether it be electronically, verbally or in hardcopy form, within one hour.

    Note:

    Sensitive information in hardcopy form includes, but is not limited to, taxpayer correspondence, tax returns, transcripts, faxes, email messages (printed), and personnel and job application information.

  2. Contractors should refer to Publication 4812, Contractor Security Controls, for incident handling and reporting procedures.

10.5.4.3.1  (10-15-2015)
Timely Reporting: Within One Hour

  1. All incidents involving personally identifiable information must be reported within one hour of discovering the incident.

  2. The timely reporting, within one hour, of all inadvertent unauthorized disclosures of sensitive information, and all losses or thefts of sensitive information and IRS IT assets and "BYOD" assets, is critical for quickly initiating any needed investigation or recovery of information. A prompt report decreases the possibility the information will be compromised and used to perpetrate identity theft or other forms of harm.

10.5.4.3.2  (10-15-2015)
Intentional Unauthorized Disclosures

  1. Incidents involving intentional unauthorized disclosures must be reported to the Treasury Inspector General for Tax Administration (TIGTA) as soon as possible. See IRM 11.3.1.7, Reporting Unauthorized Accesses or Disclosures, and IRM 11.3.38.6, Reporting Unauthorized Accesses or Disclosures, for additional information. See also Section 7213 of Title 26 which imposes fines and/or other punishment for the willful unauthorized disclosure of a return or return information.

10.5.4.3.3  (08-15-2016)
Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents

  1. It is critical to report an incident as soon as actionable information is available so a response/reaction can be initiated. Incident updates and any additional notifications to TIGTA and/or Law Enforcement (see (3) and (4) below) can be completed after the initial report to OTC, PGLD/IM, or CSIRC is submitted.

  2. An employee who becomes aware of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IRS IT asset or "BYOD" asset, or hardcopy record or document containing sensitive information, is required to report the incident within one hour to his or her manager and to one of the following offices, based on what was lost or disclosed:

    1. The Office of Taxpayer Correspondence (OTC), if the incident involves taxpayer correspondence, using the Servicewide Notice Information Program's (SNIP) Erroneous Taxpayer Correspondence Reporting Form, at http://dci0150cpres/CMIS/STACI/redbutton.aspx. The Erroneous Taxpayer Correspondence Reporting Form is also available on the SERP website, under SNIP. The scope of the Reporting Form includes taxpayer correspondence generated in any of the following formats: notices, letters, transcripts, faxes, e-faxes, and other electronic transmissions such as email. See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process. The OTC will notify the Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), as necessary, after an initial analysis of the incident. This procedure minimizes the potential for inaccurate, incomplete, and duplicate reporting of incidents to PGLD/IM, lessens the operational impact of reporting an incident, and focuses resources on correcting the error to prevent additional breaches/losses.

    2. The Office of Privacy, Governmental Liaison and Disclosure (PGLD) Incident Management Office (IM), if the incident does not involve taxpayer correspondence, e.g., a verbal disclosure, or if the incident involves the loss or theft of hardcopy records or documents containing sensitive information, packages lost during shipment, etc., using the PII Incident Reporting Form at https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2. Call 267-466-0777 if you have any problems with the online form or any questions about completing the online form.

      Note:

      If you participate in the Bring Your Own Device (BYOD) program, you must report the loss or theft of your "BYOD" asset to PGLD as well as open a KISAM ticket to report the loss or theft.

      Note:

      The loss or theft of official records (whether the records contain PII or not) must also be reported to the Records Specialist (formerly Area Records Managers (ARM)) or the IRS Records Officer as per IRM 1.15.3.1.3, Unauthorized or Accidental Destruction of Records.

    3. The Computer Security Incident Response Center (CSIRC), if the incident involves the loss or theft of an IRS IT asset, e.g., an IRS issued computer, laptop, router, printer, cell phone, BlackBerry, etc., or removable media (CD/DVD, flash drive, floppy, etc.), using the Computer Security Incident Reporting Form at https://www.csirc.web.irs.gov/incident/, or by calling 240-613-3606.

      Note:

      If the incident involves both the loss or theft of an IRS IT asset, e.g., the loss or theft of an IRS issued laptop, flash drive, etc., and the loss or theft of hardcopy records or documents containing sensitive information, packages lost during shipment, etc., report the incident to CSIRC. Do not report it to PGLD/IM.

  3. You must also report the incident to the Treasury Inspector General for Tax Administration (TIGTA), if the incident involves a loss or theft of an IRS IT asset or non-IRS IT asset (BYOD device), e.g., computer, laptop, router, printer, removable media, CD/DVD, flash drive, floppy, etc., or a loss or theft of hardcopy records/documents containing sensitive information, at 800-366-4484.

  4. If the incident involves a theft, file a Police Report with your Local Law Enforcement authority, but do not disclose sensitive data and/or taxpayer data.

    Note:

    Visit the Report Losses, Thefts and Disclosures page in the Privacy and Disclosure Knowledge Base at https://organization.ds.irsnet.gov/sites/vldp/Privacy/report/Pages/default.aspx and the IF/THEN Chart at https://organization.ds.irsnet.gov/sites/vldp/kr/If-Then-Guide-Reporting-Data-Loss-Incidents.pdf, for additional information and guidance.

10.5.4.3.3.1  (08-15-2016)
Other Responsibilities of Reporting Employees and Business Unit Data Owners

  1. In addition to timely reporting so the PGLD Incident Management team (IMT) can begin its risk assessment process, reporting employees and Business Unit (BU) data owners have other responsibilities:

    1. Containment. The BU data owners must take steps to contain the data loss/breach. For example, if employee or taxpayer data is inadvertently exposed on the internet, the BU data owner must immediately take steps to remove the data and/or close the access; or, if DVDs have been shared with material that should have been redacted, the BU must take steps to immediately recover them and request the recipient remove public access (if the information was made publicly available) and replace it with the proper data. The BU should contact the Office of Privacy, Governmental Liaison and Disclosure (PGLD), Online Fraud Detection and Prevention Office, if assistance is required to contain a breach involving an electronic transmission such as email or a breach involving the posting of information on the internet.

      Note:

      If the employee reporting the data loss/breach incident is not the BU data owner, the reporting employee must collaborate with the BU and PGLD/IMT to determine the best approach for managing containment.

    2. Information Requests. Any information requested by PGLD/IMT (i.e., SSNs, names, dates, etc.) should be provided as quickly as possible to ensure timely reporting and taxpayer notification. If a delay is likely, contact the IMT at 267-466-0777 to facilitate next steps.

    3. Mitigation. The BU data owner must analyze the event circumstances and determine the necessary steps to prevent similar breaches in the future. This could entail investigating the cause of the breach and developing a prevention plan if necessary. A prevention plan may include a security audit of both physical and technical security; a review and/or development of policies and procedures; and a review of employee training.

  2. Definition of Data Owner and Reporting Employee.

    1. Data Owner. The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data loss/breach incident. For example, if a POA tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.

    2. Reporting Employee. The reporting employee is the employee who identifies/recognizes a data loss/breach incident and reports the incident as required. The reporting employee is responsible for reporting all pertinent information relative to the data loss/breach incident.

10.5.4.3.4  (06-27-2014)
Inadvertent Accesses of Taxpayer Information

  1. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access.

  2. Form 11377 may be used by employees Servicewide to document accesses to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error (inadvertent access), or when the access may raise a suspicion of an unauthorized access.

  3. Some examples of an inadvertent access include accidentally entering an incorrect Taxpayer Identification Number or unintentionally retrieving other taxpayer information while working an assigned case. Inadvertent accesses are not reported to PGLD/IM, CSIRC or OTC.

10.5.4.3.5  (08-15-2016)
"No Reporting" Situations

  1. The following are examples of situations which require no reporting to PGLD/IM, CSIRC, OTC, etc., as they are not considered erroneous correspondence or unauthorized disclosures:

    1. An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find that he or she is not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.

    2. An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number provided by the taxpayer or authorized representative was incorrect.

    3. An IRS employee follows all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    4. The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the individual does not live there.

    5. An IRS employee follows procedures in IRM 21.1.3.12, Suicide Threats, to disclose a taxpayer's name, address/location, and/or telephone number to Law Enforcement because the taxpayer threatened suicide and/or threatened harm to another individual. In this situation, the disclosure of this information is not prohibited by law; therefore, although the Suicide Threat must be reported to Disclosure, TIGTA, SAMC, and the Office of Employee Protection, no reporting to PGLD/IM is necessary unless directed to do so by Disclosure. See IRM 21.1.3.12, Suicide Threats, IRM 10.2.8, Incident Reporting, and the Governmental Liaison, Disclosure and Safeguards (GLDS) Suicide Threats webpage at https://organization.ds.irsnet.gov/sites/vldp/disclosure/unique/suicide/Pages/default.aspx for the procedures to follow when a taxpayer threatens suicide or when it is appropriate to contact the local Law Enforcement authority versus federal or State Law Enforcement authorities.

      Note:

      See IRM 25.13.1.3, Erroneous Correspondence Procedures - Red Button Process, for additional information regarding erroneous correspondence procedures.

10.5.4.3.6  (08-15-2016)
Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) Automated Data Loss Prevention (DLP) Tool

  1. Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) is an automated Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit which was deployed on May 22, 2015. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.

  2. The SPIIDE DLP tool monitors outgoing unencrypted email traffic (including attachments) and external unencrypted web traffic to identify and block transmissions containing social security numbers.

  3. When a message containing unencrypted SSNs is detected, the SPIIDE DLP System will block the message and prevent it from leaving the IRS boundary. The sender of the message will receive an automated message from the DLP System advising the sender that his or her message was blocked and delivery prevented.

  4. Detected disclosure attempts may result in referral to the BSPs, PGLD, CSIRC, and/or TIGTA and contact with management for review/action within established policies/practices.

  5. Incident Management may receive SPIIDE events for investigation and will address within established procedures, when received.
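The following is an added illustration of the scan-and-block behavior described in (2) and (3) above; it is example code written for this page and is not SPIIDE, the IRS CyberSecurity toolkit, or any IRS software. The internal domain, the message structure, the sample messages, and the function names are all constructed assumptions. It inspects only unencrypted messages with at least one external recipient, looks for SSN-shaped values in the body and in (already text-extracted) attachments, blocks on any hit, and produces a sender notice that reports counts rather than echoing the detected values.

```python
import re
from dataclasses import dataclass, field

# Hypothetical internal domain; traffic staying inside it is not "outbound".
INTERNAL_DOMAIN = "example.gov"

# SSN-shaped tokens: 123-45-6789, 123 45 6789, or 123456789, not embedded in
# a longer digit run.  Bare 9-digit runs are a known false-positive source
# (phone numbers, account numbers), so structural checks follow.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that cannot be issued SSNs (area 000/666/900+, group 00,
    serial 0000) to cut down on false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the SSN-shaped values found in a piece of text."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if plausible_ssn(a, g, s)]


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    body: str
    # name -> extracted text; a real DLP system extracts text from the file
    # format itself, which this constructed example skips.
    attachments: dict = field(default_factory=dict)
    encrypted: bool = False


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_outbound(msg: OutboundMessage):
    """Return (blocked, findings, sender_notice).

    Only unencrypted mail leaving the boundary is inspected; any SSN hit in the
    body or an attachment blocks delivery and generates an automated notice.
    """
    if msg.encrypted or not any(is_external(r) for r in msg.recipients):
        return False, {}, None

    findings = {}
    body_hits = find_ssns(msg.body)
    if body_hits:
        findings["body"] = len(body_hits)
    for name, content in msg.attachments.items():
        hits = find_ssns(content)
        if hits:
            findings[name] = len(hits)

    if not findings:
        return False, {}, None

    # The notice states where and how many, never the values themselves, so the
    # notification does not become a second copy of the sensitive data.
    where = ", ".join(f"{k} ({v})" for k, v in sorted(findings.items()))
    notice = (f"Your message to {', '.join(msg.recipients)} was blocked and "
              f"delivery prevented: unencrypted SSN data detected in {where}.")
    return True, findings, notice


# Constructed sample traffic for demonstration.
SAMPLES = {
    "external_body": OutboundMessage(
        "analyst@example.gov", ["vendor@outside.test"],
        "Case notes for 123-45-6789 attached.  Thanks."),
    "external_attachment": OutboundMessage(
        "analyst@example.gov", ["vendor@outside.test"],
        "See attached.", {"list.csv": "name,ssn\nDoe,321 54 9876\nRoe,555667777\n"}),
    "internal_only": OutboundMessage(
        "analyst@example.gov", ["peer@example.gov"], "SSN 123-45-6789 for review."),
    "encrypted_external": OutboundMessage(
        "analyst@example.gov", ["vendor@outside.test"], "123-45-6789", encrypted=True),
    "implausible_value": OutboundMessage(
        "analyst@example.gov", ["vendor@outside.test"], "Ref 000-12-3456, call 202-555-0123."),
}


def run_samples() -> dict:
    """Scan every sample and return name -> (blocked, findings)."""
    return {name: scan_outbound(m)[:2] for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (blocked, findings) in run_samples().items():
        print(f"{name:22s} blocked={blocked} findings={findings}")
```

The encrypted and internal-only cases pass untouched because, as the text states, the tool only examines unencrypted traffic bound outside the boundary; a production deployment would also need to decide how to treat messages whose attachments cannot be text-extracted (archives, images), which this example does not cover.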

10.5.4.4  (06-25-2013)
Incident Management Intake, Risk Assessment and Notification

  1. This section covers the intake and risk assessment of IRS data loss incidents by PGLD/IM as well as notification to potentially impacted individuals.

10.5.4.4.1  (08-15-2016)
Incident Management Intake

  1. When a data loss incident occurs (this includes the loss or theft of an IRS asset, or the loss, theft, or disclosure of PII), the incident is reported to either PGLD/IM or CSIRC.

    1. The incident is reported to PGLD/IM if the incident involves, for example, a verbal disclosure or the loss or theft of hardcopy records. The incident is also reported to PGLD/IM if the incident involves a non-IRS IT asset, i.e., an asset in the Bring Your Own Device (BYOD) program.

    2. The incident is reported to CSIRC if the incident involves the loss or theft of an IRS IT asset, or multiple assets, i.e., an IRS IT asset and hardcopy records or documents containing sensitive information.

      Note:

      The form and instructions for incidents involving IT assets are different from the forms and instructions for all other incidents.

    3. The PII mailbox (*PII) is a centralized communication tool used by the Incident Management Team to send and receive all communications throughout the incident intake process. Incident summaries with a brief description of the incident are automatically sent via email to the PII mailbox whenever incidents are reported to CSIRC or PGLD/IM via the Incident Reporting Forms.

    Note:

    Incident Management Intake may also include events received from SPIIDE for investigation.

  2. PGLD/IM performs an initial assessment of the incident. If PII or SBU data is involved, PGLD/IM will, if necessary, send an Impacted Individuals and/or Business Excel Spreadsheet to the IRS employee and the employee's manager to obtain additional information.

    1. The PGLD/IM and CSIRC Incident Reporting Forms provide an inventory of possible compromised data elements, the source of the data, whether the data was encrypted, and any other special factors that need to be considered, such as data being used in a criminal or grand jury investigation.

    2. The Impacted Individuals and/or Business Excel Spreadsheet provides an inventory of the names and TINs of all the individuals potentially impacted by the data loss.

  3. PGLD/IM will escalate/report all High-Impact Incidents to the PPC Leadership Team before proceeding with further reporting duties. For purposes of this procedure, the PPC Leadership Team consists of the Director, Privacy Policy and Compliance, the Deputy Director, Privacy Policy and Compliance, and the Associate Director, Incident Management, as well as other staff that may be designated by these officials to receive notification. The *PII mailbox, at mailto:pii@irs.gov, will be copied on all notifications. PGLD/IM will wait for feedback from the PPC Leadership Team before proceeding with further reporting duties for High-Impact Incidents. For purposes of this procedure, a High-Impact Incident is defined as one that:

    1. Potentially impacts 100 or more individuals;

    2. Involves circumstances that are exceptional in nature and may draw media attention, e.g., a break-in at an IRS office or alternative work site in which a potential data loss has been reported, documents falling off the back of a truck, a loss known to potentially involve a high-profile individual, a loss where it appears the media may have already been contacted, etc.; or,

    3. Involves information the loss of which may negatively impact the IRS, e.g., the loss of e-file records, the compromise of sensitive information involving a high-profile IRS initiative, incidents affecting irs.gov, such as a glitch allowing personal information to be accessed, etc.

  4. PGLD will also report all Level 1 (L-1) incidents to the AWSS Threat Information and Critical Incident Response Initiative (TIRC). The TIRC is comprised of staff from Facilities Management and Security Services (FMSS), the Treasury Inspector General for Tax Administration-Criminal Intelligence and Counterterrorism Group (TIGTA-CICT), Criminal Investigation (CI), Federal Protective Service (FPS), the Computer Security Incident Response Center (CSIRC), and the Office of Privacy, Governmental Liaison and Disclosure (PGLD). The mission of the TIRC is to identify and mitigate threats and record countermeasures and mitigation strategies as it pertains to Federal tax administration and the IRS for the protection of service operations.

10.5.4.4.2  (06-25-2013)
Incident Management Risk Assessment

  1. Incident Management performs a risk assessment to evaluate the likely risk of harm, specifically the potential for identity theft, for all reported IRS data loss incidents, based on standardized factors and ratings criteria. The end result of the assessment is a categorization of the incident into one of four levels. Categorization into levels dictates a recommended level of response and determines when, what, how, and to whom notification of a data loss should be given.

  2. Incident Management uses the following three-step methodology to assess all incidents to determine the potential likelihood of harm to individuals:

    1. Step 1: Key factors. Each of the four factors identified by OMB (the nature of the data elements breached; the likelihood the PII is accessible and usable; the likelihood the PII may lead to harm as defined by the Privacy Act; and the ability of the agency to mitigate the risk of harm) is assessed in relation to the specific incident to determine the potential likelihood of harm to individuals. See (3) below for additional information on the risk assessment factors. Identifying the data elements and assessing the impact of the loss are key factors that must be considered in determining if, when, and how notification will be provided to potentially impacted individuals.

      Note:

      OMB suggests a fifth factor, the number of individuals affected. However, this factor is not used to determine if notification should be provided, but may dictate the communication vehicles used for notification.

    2. Step 2: Factor ratings. Each of the four factors is then rated based on its impact level (high, moderate, low, or no impact), with corresponding points from 3 to 0 assigned to each impact level.

    3. Step 3: Incident categorization. Based on the total factor rating points, the incident is categorized into one of four levels. Incidents with total factor rating points between 8 and 12 are considered Level Three. Potentially impacted individuals involved in a data loss incident categorized as Level Three will be sent a data loss letter.

  3. The IRS risk assessment includes the following factors and key considerations, at a minimum:

    1. The nature of the data elements breached, i.e., the type of information disclosed, e.g., whether the data loss incident involved PII, such as SSNs, addresses, and names;

    2. The likelihood the information was made accessible to and usable by unauthorized individuals, e.g., was data encrypted using an encryption product approved for government use by the National Institute of Standards and Technology (NIST), and does it meet Federal Information Processing Standard (FIPS) 140-2 specifications;

    3. The likelihood the information may lead to harm as defined by the Privacy Act, i.e., the damage potential of the information disclosed, e.g., whether the information can be used to cause harm, such as identity theft or public embarrassment; and

    4. The ability of the IRS to mitigate the potential harm, e.g., does the agency have the capabilities to take countermeasures.

10.5.4.4.3  (10-15-2015)
The PII Working Group (PIIWG) and the Privacy Policy and Compliance Advisory Committee (PPCAC)

  1. The PII Working Group (PIIWG) is a decision-making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. It is responsible for reviewing risk assessment recommendations and timely approving all notification recommendations, with the exception of notification recommendations for certain high risk level/high profile/sensitive breaches (or incidents otherwise representing a servicewide impact), which are instead elevated for review, decision making, and concurrence to the Privacy Policy and Compliance Advisory Committee (PPCAC).

  2. The PPCAC is a committee comprised of executives from all key business and functional unit stakeholders. It was originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives. The PPCAC is responsible for review of, has decision-making authority for, and is responsible for timely concurrence on, certain high risk level/high profile/sensitive breaches (or incidents otherwise representing a servicewide impact) as determined by the Director, PPC.

  3. After Incident Management has completed its risk analysis of an incident and developed a recommendation with regard to the appropriate response, the recommendation is presented to the PIIWG for review and concurrence.

  4. For certain high risk level/high profile/sensitive breaches (or incidents otherwise representing a servicewide impact), the recommendation is instead presented to the PPCAC for review and concurrence.

  5. If the notification recommendation is to notify potentially impacted individuals, and if the PIIWG or PPCAC concurs with the recommendation to notify, then potentially impacted individuals are notified of the data loss via Letter 4281C, IM Breach Notification Letter.

10.5.4.4.4  (10-15-2015)
Incident Management Data Loss Notification

  1. The IRS, through PGLD/IM, will notify potentially impacted individuals if the evaluation of an IRS data loss incident results in a high risk of harm to these individuals.

  2. The IRS, through PGLD/IM, will notify these individuals via Letter 4281C, IM Breach Notification Letter.

  3. The IRS, through PGLD/IM, will identify individuals who have been sent Letter 4281C by marking each entity (on CC ENMOD and/or CC IMFOLE) with the IRS data loss indicator TC 971 AC 505 (only if the account is on the Master File (MF)). See IRM 10.5.4.5.1.1, Applying Tracking Indicators to IRS Data Loss Incidents, for additional information.

  4. The objectives of communications in the event of a possible compromise of sensitive information within the IRS are as follows:

    1. To comply with the Office of Management and Budget (OMB) and Treasury Department directives which mandate notification to potentially impacted individuals if there is a potential risk that the compromised data may be used by someone other than the owner of the information to commit a crime or fraud.

    2. To minimize the possible negative impact of the compromised data on the taxpayer/victim.

    3. To ensure the IRS' relationship with the impacted individual(s) will not be so damaged as a result of the incident that it negatively impacts his or her tax filing and paying obligations.

10.5.4.4.4.1  (10-15-2015)
Contents of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents using Letter 4281C, IM Breach Notification Letter. The IRS may use a unique letter when deemed necessary and appropriate. Notifications will be written plainly and clearly, and will generally include, at a minimum, the following information:

    1. A brief description of what happened, including the date of the data loss incident;

    2. To the extent possible, a description of the type of PII disclosed as a result of the data loss incident (e.g., name, SSN, date of birth, address, etc.);

    3. Actions that potentially impacted individuals should take to protect themselves from potential harm;

    4. A toll-free telephone number that potentially impacted individuals can contact for more information;

    5. A statement that the IRS has provided or will provide potentially impacted individuals with an identity theft protection product/credit monitoring at no cost for twelve months, and the contact information for the credit reporting agency.

      Note:

      The potentially impacted individual must contact the credit reporting agency in order to sign up for the free identity theft protection product/credit monitoring.

  2. The Privacy and Information Protection (PIP) toll-free telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

  3. Remedial services, such as credit monitoring and identity theft protection, are offered to potentially impacted individuals of an IRS data loss as part of the overall OMB requirement regarding implementation of a breach response program to mitigate the likely risk of harm.

10.5.4.4.4.2  (12-02-2014)
Data Loss Notification Signature

  1. The Director, Privacy Policy and Compliance (PPC) shall sign notification letters to individuals potentially impacted by a data loss incident.

10.5.4.4.4.3  (08-15-2016)
Timeliness of the Data Loss Notification

  1. The IRS will notify individuals potentially impacted by IRS data loss incidents without unreasonable delay following the completion of the risk assessment process.

  2. Beginning with fiscal year 2012, the business measure/lapse time goal was an average of 19 days or less from the PGLD(IM)/CSIRC Report Date to the Data Loss Notification Letter Date. For FY16, the business measure/lapse time goal was reduced to an average of 16 days or less with the primary goal being a median of 14 days or less.

  3. Also beginning in FY12, a new Organizational goal was introduced to measure the average elapsed time between the Incident Date and the Data Loss Notification Letter Date. The lapse time goal was established at 60 days for FY12; reduced to 54 days for FY13; reduced to 50 days for FY14; further reduced to 40 days for FY15; and is now an average of 32 days for FY16 with the primary goal being a median of 30 days or less.

  4. In FY16, a new OMB measure was added to the list of measures. This measure is the percentage of incidents less than or equal to 30 days from the Report Date to the Letter Date. For FY16, the goal is a percentage equal to or more than 90%.

  5. The IRS has discretion to delay notification in cases where notification could adversely interfere with an ongoing criminal investigation or compromise national security and the delay will not increase the risk of harm to any potentially impacted individuals.

10.5.4.4.4.4  (12-02-2014)
Means of Providing Data Loss Notifications

  1. The IRS will provide written notification to the individual's address of record on IDRS.

  2. Based on the number of potentially impacted individuals and the urgency with which they may need to receive notice, the IRS may supplement written notification with other means of communication such as newspapers or other media outlets.

  3. At the discretion of the PPCAC, and consistent with applicable law, the IRS may notify external entities. In making its decision, the PPCAC will consider whether notifying external entities would result in any of the following:

    1. Aiding the public in its response to the incident (e.g., whether constructive notification via media channels would help the IRS alert potentially impacted individuals more effectively and expeditiously than via notification letter alone)

    2. Facilitating the IRS’ ability to mitigate the potential harm resulting from the data loss incident (e.g., preparing counterpart entities such as the Federal Trade Commission (FTC) that may receive a surge in inquiries)

    3. Contributing to unnecessary public alarm

    4. Creating an unnecessary burden on the public, external entities, or potentially impacted individuals

10.5.4.4.5  (10-15-2015)
Ongoing Support

  1. Based on the circumstances of the data loss incident, the IRS will provide ongoing support to potentially impacted individuals. This post-notification assistance and support may include, but is not limited to, the following:

    1. A dedicated toll-free telephone number staffed by trained IRS personnel to respond to general data loss incident-related inquiries

    2. Information on websites and other resources providing information about identity theft prevention and protection

    3. Coordination with business units on IRS data loss incidents that affect an individual's tax account, such as phishing schemes

  2. The PGLD/Incident Management Program is supported by Wage and Investment's (W&I) Accounts Management (AM). AM CSRs support PGLD/IM by assisting individuals who call the Privacy and Information Protection (PIP) toll-free telephone number (866-225-2009) provided in Letter 4281C, IM Breach Notification Letter. AM CSRs are trained to respond to IRS data loss questions and questions regarding Letter 4281C.

10.5.4.4.5.1  (08-15-2016)
Handling Inquiries Regarding Data Loss Letters

  1. The contact telephone number provided in Letter 4281C, IM Breach Notification Letter, is 866-225-2009. The 4281C Letter does not require individuals to contact the Internal Revenue Service; however, some individuals may call with questions or concerns about the letter. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162).

  2. In some instances, individuals who receive Letter 4281C may call an IRS telephone number other than the number provided in the letter (866-225-2009). If an IRS phone assistor other than an AM Customer Service Representative (CSR) receives a call from an individual in response to Letter 4281C, or the individual asks to speak to the employee whose number appears on Letter 4281C (0847999999), transfer the call to extension 92161 (for callers needing assistance in Spanish, use extension 92162).

  3. AM CSRs answer general incident related inquiries regarding the IRS data loss and prepare a Form 4442, Inquiry Referral Form if the caller requests specific information regarding the incident that the AM CSR is unable to answer. The Form 4442 is directed to PGLD's Incident Management office in Philadelphia for resolution. See IRM 10.5.4.4.5.6, Referrals to the Incident Management (IM) Office.

  4. Correspondence (and any attachments) received in response to Letter 4281C, or addressed to employee 0847999999, must be forwarded to the local Image Control Team (ICT) for scanning and controlling. See IRM Exhibit 3.10.72-2, Correspondex "C" Letters - Routing Guide, IRM Exhibit 3.13.16-1, Appendix A - Document Types, Category Codes, IMF, IRM Exhibit 3.13.6-14, Appendix N - Document Types, Category Codes, Priority Codes, IDT - IMF, Doc Type: ID Theft: IDT5, and IRM 21.5.1.4.2.3, Clerical Function for the Image Control Team (ICT) Correspondence Imaging System (CIS), for information regarding ICT; IRM 21.5.1.5, Correspondence Imaging System (CIS) Procedures, for information regarding CIS procedures; and the Miscellaneous section of the Campus Program Locator Guide (located under the Who/Where tab) (http://serp.enterprise.irs.gov/databases/whowhere.dr/transshipment.dr/campus_locator_guide/ICT.htm) to determine the address for your local ICT function. ICT will review the correspondence and determine if a Referral to the Incident Management office in Philadelphia is necessary.

    1. If scanning is not available, route the correspondence and any attachments received in response to Letter 4281C, or addressed to employee 0847999999, to AM. See the address table below, and IRM 10.2.13.4.4.1, Shipping Personally Identifiable Information (PII), for policy and guidance relating to protecting and handling sensitive information.

    2. If the correspondence appears to be time sensitive, fax it to the Image Control Team (ICT) at 855-807-5720. ICT will review the correspondence and determine if a Referral to the Incident Management office in Philadelphia is necessary.

    United States Postal Service (USPS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    Fresno, CA 93888-0025

    Private Delivery Service (PDS) Mailing Address:
    Internal Revenue Service
    Accounts Management
    5045 East Butler Avenue, Fresno, CA 93727

  5. See the table in Exhibit 10.5.4-2 , IRS Information Loss Frequently Asked Questions (FAQs), for a list of frequently asked questions regarding the IRS data loss letter (Letter 4281C) and general questions regarding IRS Information Loss.

10.5.4.4.5.2  (08-15-2016)
IMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview

  1. When taking calls from impacted individuals, a consistent and proper greeting is required. Refer to procedures in IRM 21.1.1.7, Communication Skills.

  2. Employees are required to authenticate callers to ensure the person calling is the individual impacted by the information loss. See IRM 25.23.3.2.3, Receiving Calls Related to E-filing, Prior Year AGI and Identity Theft App 161/162 Only, for required use of the TPP/HRA IAT tool and IRM 21.1.3.2.3, Required Taxpayer Authentication.

  3. If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a power of attorney (POA) in connection with the information loss. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the information loss as a matter for which the POA has authority.

  4. High risk authentication per IRM 21.1.3.2.4, Additional Taxpayer Authentication, is also required. If available, ask the caller for the Incident Date and Incident Number as part of the authentication process. The Incident Date, if included in the letter, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Incident Number is located to the right and just above the Salutation (Dear Taxpayer).

  5. In some situations, a caller may want to receive as much information as possible on his or her information loss, but is not willing to provide his or her SSN/TIN. In these situations, the CSR may still answer general questions about the incident and answer all the taxpayer's questions using the Frequently Asked Questions (FAQ) (see Exhibit 10.5.4-2), but a referral may not be made for any specific questions regarding the incident. CSRs should be sensitive to the caller's tone and ensure they are given as much information as they are entitled to receive without the caller providing their TIN. See IRM 10.5.4.4.5.6, Referrals to the Incident Management Office and IRM 10.5.4.4.5.8, Updating History on Accounts Management Services (AMS).

  6. In some breach notification incidents, impacted individuals receiving notices may be IRS employees. In these cases, follow guidance in IRM 21.1.3.8, Inquiries from IRS Employees.

10.5.4.4.5.3  (10-15-2015)
BMF Identity Check - AM IDT Toll-Free (App 161/162) Telephone Overview

  1. Some of the impacted individuals may actually be business entities, and letters may be sent to business-related entities (sole proprietorships, corporations, LLCs, etc.). A caller may be required to be an owner of a small business or an officer of a corporation before employees are able to talk to him or her about the incident. To ensure a caller is the appropriate individual who is allowed to receive information about the information loss, AM CSRs will need to conduct an identity check with the caller to determine if he or she is allowed to receive the information.

  2. To conduct an identity check, AM CSRs will only need to ensure that the person calling is entitled to receive the general answers to the FAQs. Because the FAQ information is generic in nature, this information may be provided to almost anyone. Therefore, BMF authentication procedures as outlined in IRM 21.1.3.2.3, Required Taxpayer Authentication, are NOT required.

  3. Ask the caller representing the BMF entity to provide the following information:

    • The Employer Identification Number (EIN),

    • The name of the entity as shown on the letter,

    • The date of the incident,

    • His or her name, and

    • His or her position or interest in the entity for which he or she is calling.

  4. If the caller is unable or unwilling to provide the EIN, tell the caller that a Referral may not be made for any specific questions regarding the incident. See IRM 10.5.4.4.5.6, Referrals to the Incident Management Office and IRM 10.5.4.4.5.8, Updating History on Accounts Management Services (AMS).

    Note:

    It will not be necessary to access any tax account information on the BMF case to assist the caller. If at any time you feel the caller is not entitled to receive general information, and the caller is insistent on receiving as much information as he or she can, be sure not to disclose any specific account information.

10.5.4.4.5.4  (10-15-2015)
Free Identity Theft Protection Product/Credit Monitoring Services

  1. The IRS is offering an identity theft protection product/credit monitoring service at no cost for twelve months, through Equifax, to individuals potentially impacted by an IRS data loss. Equifax is one of the three national credit reporting agencies that offer credit-management tools.

    Note:

    The IRS assigns a unique enrollment promotion code (via Letter 4281C) to each individual potentially impacted by an IRS data loss. The potentially impacted individuals must contact the credit reporting agency in order to sign up for the free identity theft protection product/credit monitoring service. Equifax will ask the individual for his or her name, address, social security number, date of birth, and telephone number, which the individual must provide in order to enroll in the identity theft protection product/credit monitoring service.

    Note:

    A POA cannot request credit monitoring services via Equifax.

  2. AM CSRs do not have access to the Equifax system; therefore, CSRs cannot assist the caller with the enrollment.

  3. AM CSRs can assist with:

    • Providing the toll-free number to Equifax: 866-937-8432.

    • Reviewing the Equifax enrollment instructions included in Letter 4281C, IM Breach Notification Letter.

    • Informing the individual that, if he or she is having difficulty enrolling in the Equifax system, he or she has the option of speaking with a live Equifax agent by calling 866-252-4576. Remind the individual that he or she will need to have his or her unique promotion code (assigned in Letter 4281C) available when contacting Equifax.

    • Ensuring the individual understands what he or she needs to do to monitor his or her credit report and other financial information.

    • Answering any other questions regarding the credit monitoring services.

10.5.4.4.5.5  (10-15-2015)
Fraud Alerts

  1. A Fraud Alert is a consumer statement added to a credit report. This statement alerts creditors of possible fraudulent activity within a consumer's report as well as requests that a potential creditor contact the consumer prior to establishing any accounts in his/her name.

  2. A consumer may place a fraud alert on his or her file by calling Equifax's automated fraud line at 877-478-7625 and following the prompts. Once a consumer has placed a fraud alert with Equifax, the other two credit reporting agencies, Experian and TransUnion, will be notified by Equifax to place alerts on their files as well.

  3. A caller may request a fraud alert at any time within 90 days of receipt of his or her Letter 4281C, IM Breach Notification Letter.

  4. AM CSRs will NOT suggest that the caller request this service unless the caller inquires about it and expresses interest in it.

10.5.4.4.5.6  (08-15-2016)
Referrals to the Incident Management (IM) Office

  1. If a caller states he or she received a letter from the IRS regarding a data loss incident but has lost or misplaced the letter, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral, following the referral procedures below.

  2. If a caller states he or she attempted to redeem the Promotion Code included in the data loss letter but was told the Promotion Code is expired, invalid, or does not work, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral, following the Referral procedures below.

  3. If the caller is requesting additional information or details about the incident, is unsatisfied with the limited information you can provide, and insists on receiving more information than what was already provided, refer the caller to the IM office via Form 4442/e-4442, Inquiry Referral, following the procedures below.

  4. Refer to IRM 21.3.5.4.2, How to Prepare a Referral, for the required fields to be completed on Form 4442/e-4442, Inquiry Referral.

  5. In addition to the required fields as noted in IRM 21.3.5.4.2, if available, include the Incident Date and Incident Number, as shown on the caller's letter, in the Referring To field (Box #5) of Form 4442/e-4442. The Incident Date, if included in the Letter 4281C, is located in the first paragraph of Letter 4281C, IM Breach Notification Letter. The Incident Number is located to the right and just above the Salutation (Dear Taxpayer).

  6. A brief narrative must be completed in the Taxpayer Inquiry/Proposed Resolution section (Part III, Section B) of Form 4442/e-4442. Include in the Taxpayer Inquiry/Proposed Resolution section of the Form 4442/e-4442 the IRM reference (IRM 10.5.4.4.5.6) directing the referral, the reason you are making the referral, and a complete description of the caller’s issue. Also document the response time frame provided to the caller and the fax number for PGLD/IM.

  7. Refer to IRM 21.3.5.4, Referral Procedures. Inform the caller a referral has been completed in response to his or her inquiry. Tell the caller he or she will hear from us within 30 calendar days.

  8. Document AMS with the details of the Referral. See IRM 10.5.4.4.5.8, Updating History on Accounts Management Services (AMS). EXCEPTION: If the AMS or CIS system is down, then narratives and/or case notes will not be required.

  9. All Forms 4442 will be collected by the Lead CSR at the beginning of each business day and faxed to the Incident Management (IM) Office in Philadelphia. The IM fax number is listed on the Form 4442 Referral Fax Numbers list (Site: Philadelphia and Function: PGLD: Incident Management) located on the SERP Who/Where tab at http://serp.enterprise.irs.gov/databases/who-where.dr/referral_fax_numbers.htm.

  10. A member from the IM Office will contact the sender via secure email confirming receipt of the faxed Forms 4442. Once confirmation is made, the original Form 4442 can be destroyed. If no confirmation email is received within 48 hours from the fax date, re-faxing the Form 4442 will be required.

10.5.4.4.5.7  (10-15-2015)
Caller Indicates He/She is a Victim of Identity Theft as a Result of IRS Information Loss

  1. A caller may indicate he or she is already a victim of identity theft as a result of the IRS information loss and would like the IRS to assist him or her in dealing with this.

    Note:

    As part of the Identity Theft Program, AM will generally assist taxpayers whose situations meet TAS criteria 5 - 7 AND involve identity theft. See IRM 25.23.3.3.5, Identity Theft Assistance Request (ITAR) - General Information.

  2. AM CSRs will:

    • Apologize to the caller for any inconvenience.

    • Research the taxpayer's TIN thoroughly to see if there is a tax related issue related to the ID theft as defined in IRM 25.23.2.6, Identity Theft Research.

    • If a tax related issue is involved, see IRM 25.23.3.2.2, Tax-Related Identity Theft.

    • Input an Identity Theft Tracking Indicator as directed in IRM 25.23.2.17, Initial Allegation or Suspicion of Tax-Related Identity Theft - IMF Identity Theft Indicators.

    • Prepare a Form 4442, Inquiry Referral, to alert the IM Office that the taxpayer believes he or she is a victim of identity theft as a result of the IRS information loss. See the referral procedures in IRM 10.5.4.4.5.6, Referrals to the Incident Management (IM) Office.

  3. If the taxpayer is threatening litigation or legal action because the IRS data loss resulted in identity theft, then a referral to the IM office MUST be sent in addition to the above actions.

10.5.4.4.5.8  (08-15-2016)
Updating History on Accounts Management Services (AMS) for Calls Regarding IRS Data Loss Letters

  1. The Privacy and Information Protection (PIP) toll-free number, 866-225-2009, is included in Letter 4281C, IM Breach Notification Letter, as well as the family of letters developed for the Get Transcript incident. Individuals who call the PIP toll-free number are auto directed to the Identity Theft Product Line (Applications 161 and 162). AM CSRs working programs related to Incident Management/IRS data loss letters are required to add an issue to identify the type of inquiry as well as leave a brief narrative of what was covered with the caller.

    Exception:

    If the AMS or CIS system is down, then narratives and/or case notes will not be required.

    Note:

    Although the SSN is not shown on Letter 4281C, IM Breach Notification Letter, employees will need to secure the caller's SSN in order to update AMS. If the caller is unwilling to provide the employee with his or her SSN, it will not be possible to update AMS.

10.5.4.4.5.9  (10-15-2015)
Undelivered Letter 4281C

  1. Undeliverable procedures must be followed. Refer to (3) of IRM 21.3.3.4.12.1.1, Undelivered Mail Procedures for Accounts Management, for research procedures for undeliverable mail.

  2. If a new address is found, address an envelope with the new address and mail the undeliverable Letter 4281C, IM Breach Notification Letter to the new address.

  3. If a new address is not found, treat Letter 4281C, as Classified Waste.

    Note:

    Because this process has to do with information loss, and not specifically tax related issues, a representative or a power of attorney (POA) should not be contacted when referring to the Undeliverable procedures unless a POA specifically identifies the information loss.

10.5.4.4.6  (12-10-2010)
Retention and Disposition

  1. Incident Management will adhere to all document retention schedules in accordance with IRM 1.15, Records and Information Management. This applies to all materials in electronic or hard copy format that are created in response to an IRS data loss incident.

10.5.4.5  (12-02-2014)
IRS Data Loss Tracking Indicator - Objectives

  1. The Incident Management Program tracks IRS data loss related incidents to support the following objectives:

    1. Reduce taxpayer burden while addressing IRS data loss incidents.

    2. Increase operational efficiency of the IRS by detecting and processing reported IRS data loss incidents as early and consistently as possible.

10.5.4.5.1  (12-02-2014)
IRS Data Loss Tracking Indicator - Development and Implementation

  1. PGLD developed an IRS data loss indicator Action Code to centrally track IRS data loss incidents.

  2. The IRS data loss indicator was implemented by PGLD to identify individuals whose PII was lost, breached, stolen, or disclosed because of an IRS data loss incident.

  3. The IRS data loss indicator is input as a Transaction Code (TC) 971 with Action Code (AC) 505. The TC 971 AC 505 is displayed on the Integrated Data Retrieval System (IDRS) on the entity portion of each affected individual's account.

10.5.4.5.1.1  (12-02-2014)
Applying the IRS Data Loss Tracking Indicator to IRS Data Loss Incidents

  1. PGLD/IM inputs a TC 971 AC 505 on the entity portion of an individual's account (as long as the entity is established on the Master File) when all of the following occur:

    1. An individual's PII was lost, breached, disclosed, or stolen.

    2. The incident risk assessment results in a high risk of harm to the potentially impacted individuals.

    3. The IRS notifies the individual of the data loss incident via Letter 4281C, IM Breach Notification Letter.

    Example:

    Case files containing PII were lost while being shipped from one location to another. Since the incident risk assessment resulted in a high risk of harm, Incident Management will send notification letters to the potentially impacted individuals.

  2. Input of TC 971 AC 505 is limited and reserved for use by PGLD/IM employees; however, this indicator is visible and available for reference on the entity portion of an individual’s account. See Exhibit 10.5.4-4, TC 971 AC 505 — IRS Data Loss Indicator, for more information about this indicator.

  3. PGLD/IM inputs TC 971 AC 505 on an account regardless of the existence of any identity theft indicator codes that may be present on the account.

  4. There can be multiple IRS data loss indicators input/present on an individual's account. Each TC 971 AC 505 represents a different IRS data loss incident.

  5. In some instances, it may be necessary for PGLD/IM personnel to manually reverse the TC 971 AC 505. Although input of the TC 972 AC 505 is limited and reserved for use by PGLD/IM employees, Exhibit 10.5.4-5, TC 972 AC 505 — Reversal of TC 971 AC 505, is included in this IRM to explain the values in the TC 972 AC 505 Miscellaneous field.

10.5.4.6  (12-10-2010)
Awareness Training and Education

  1. The Incident Management Program develops and implements initiatives to inform IRS personnel of their responsibilities for protecting taxpayers and employees against the loss, disclosure, or theft of PII.

  2. The Incident Management Program supports the annual Information Protection and Disclosure Mandatory Briefing and the Unauthorized Access (UNAX) Mandatory Briefing, which are managed by the Office of Privacy. These briefings provide information regarding privacy, disclosure, computer security, and UNAX to all employees.

10.5.4.7  (08-15-2016)
IRS Data Loss and Identity Theft Information Links

  1. The tables below provide links to publicly available external websites and internal IRS intranet websites containing identity theft and identity theft-related information and publications, as well as internal links for IRS data loss incident reporting and the PGLD website.

    1. Publicly available external websites and publications that provide general information on identity theft and identity theft-related issues:

      # | Title | Description | Link | Owner
      1 | Internal Revenue Service (IRS) Website | IRS Identity Protection home page | https://www.irs.gov/individuals/identity-protection | IRS
      2 | Internal Revenue Service (IRS) Website | Taxpayer Guide to Identity Theft | https://www.irs.gov/uac/taxpayer-guide-to-identity-theft | 
      3 | Federal Trade Commission (FTC) Identity Theft Website | Visit ftc.gov/idtheft for prevention tips and free resources. | https://www.consumer.ftc.gov/features/feature-0014-identity-theft | FTC
      4 | Federal Trade Commission (FTC) Identity Theft Website | IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process. | https://www.identitytheft.gov/ | FTC
      5 | Federal Trade Commission (FTC) Identity Theft Victim's Complaint and Affidavit | Direct link to FTC Identity Theft Affidavit; includes instructions and guidance for completing FTC Affidavit (see Note) | https://www.consumer.ftc.gov/articles/pdf-0094-identity-theft-affidavit.pdf | FTC

      Note:

      This form is no longer accepted by the IRS to substantiate identity theft. However, it can still be used by individuals to substantiate identity theft with credit bureaus and/or any companies where accounts have been opened using the victim's identity.

      6 | Internal Revenue Service (IRS) Form 14039, Identity Theft Affidavit | Direct link to IRS Identity Theft Affidavit (Form 14039). This form is used by taxpayers who want to report to the IRS that he/she is a victim of identity theft, or who may become a victim of identity theft as a result of a lost or stolen wallet or purse, or who notice suspicious activity on his/her credit card or bank statements. | https://www.irs.gov/pub/irs-pdf/f14039.pdf | IRS
      7 | United States Department of Justice Website | Identity Theft and Identity Fraud Information | https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud | DOJ
      8 | Taxpayer Advocate Service (TAS) Website | Taxpayer Advocate Service home page | https://www.irs.gov/advocate | TAS
      9 | Social Security Administration (SSA) Website | Social Security Administration (SSA) home page | https://www.ssa.gov | SSA
      10 | Social Security Administration (SSA) Publication - Identity Theft and Your Social Security Number | Social Security Administration (SSA) Publication | https://www.ssa.gov/pubs/EN-05-10064.pdf | SSA
      11 | Identity Theft Task Force Webpage on the Federal Trade Commission (FTC) Website | President's Task Force on Identity Theft | https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive | Identity Theft Task Force
      12 | IRS Phishing Website | Instructions on how to report and identify phishing, email scams, and bogus IRS websites | https://www.irs.gov/uac/report-phishing | IRS
      13 | Credit Bureaus | Direct links to the three recognized credit bureaus: Equifax, Experian, and TransUnion | http://www.equifax.com/home ; http://www.experian.com ; http://www.transunion.com/ | Equifax, Experian, and TransUnion
      14 | IRS Pub 4523 | Beware of Phishing Schemes | https://www.irs.gov/pub/irs-pdf/p4523esp.pdf | IRS
      15 | IRS Pub 4524 | Security Awareness and Identity Theft | https://www.irs.gov/pub/irs-pdf/p4524.pdf | IRS
      16 | IRS Pub 5027 | Identity Theft Information for Taxpayers | | IRS
      17 | Identity Theft Resource Center® (ITRC) Website | Nonprofit organization dedicated exclusively to the understanding and prevention of identity theft | http://www.idtheftcenter.org/ | ITRC
      18 | OnGuard Online Website | Identity theft prevention tips from the federal government and technology industry | https://www.consumer.ftc.gov/features/feature-0038-onguardonline | FTC

    2. Internal IRS intranet links that provide general information on identity theft, identity theft-related issues, and data loss incidents:

      # | Title | Description | Link | Owner
      1 | Privacy, Governmental Liaison and Disclosure (PGLD) Website | Office of Privacy, Governmental Liaison and Disclosure home page on IRWeb | http://irweb.irs.gov/AboutIRS/bu/pipds/default.aspx | PGLD
      2 | Privacy, Governmental Liaison and Disclosure (PGLD), Report Losses, Thefts and Disclosures page | Office of Privacy, Governmental Liaison and Disclosure Report Losses, Thefts and Disclosures page in the Disclosure and Privacy Knowledge Base | https://organization.ds.irsnet.gov/sites/vldp/Privacy/Report/Pages/default.aspx | PGLD
      3 | Privacy, Governmental Liaison and Disclosure (PGLD) e-Trak Privacy on-line application | Privacy, Governmental Liaison and Disclosure (PGLD) PII Incident Reporting Form | https://vp0sentappetrk2.ds.irsnet.gov/etrak-privacy/page.request.do?page=page.final2 | PGLD
      4 | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Chart | Privacy, Governmental Liaison and Disclosure (PGLD) IF/THEN Chart for reporting incidents | https://organization.ds.irsnet.gov/sites/vldp/kr/If-Then-Guide-Reporting-Data-Loss-Incidents.pdf | PGLD
      5 | Computer Security Incident Response Center (CSIRC) Website | Computer Security Incident Response Center (CSIRC) Computer Security Incident Reporting Form | https://www.csirc.web.irs.gov/incident/ | IT (Information Technology)
      6 | IRM 1.2.25.2 | IRS Policy Statement on assisting taxpayers who report they are victims of identity theft | IRM 1.2.25.2 | IRS

Exhibit 10.5.4-1 
Glossary of Incident Management Terms and Definitions

TERM DEFINITION
Access The ability or opportunity to gain knowledge of personally identifiable information.
Accounts Management (AM) CSRs AM CSRs assist individuals impacted by IRS data loss by answering general incident related inquiries or preparing a Form 4442, Inquiry Referral, if the caller requests specific information regarding the incident that the AM CSR is unable to answer. AM CSRs also provide assistance to individuals impacted by identity theft or individuals who could become victims of identity theft in the future due to a data loss such as a lost or stolen purse/wallet, questionable credit card activity, etc. This assistance is provided by AM CSRs even if the individual has not experienced any problems with, or received communications from, the IRS.
Breach The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where individuals other than authorized users and for other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Controlled Unclassified Information (CUI) A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is pertinent to the national interests of the United States or to the important interests of entities outside the Federal Government, and under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. In the future, the designation CUI will replace Sensitive But Unclassified (SBU), but the exact timeframe has not been determined by IRS or Treasury.
Data Loss/Breach Incident An incident involving a loss, theft, breach, or inadvertent unauthorized disclosure.
Data Loss (Breach) Notification The process of notifying potentially impacted individuals following the evaluation of a PII data loss incident which results in a high risk of harm to these individuals. Also known as PII data loss incident notification.
Data Loss Incident Risk Assessment A risk assessment conducted on an IRS data loss, theft, breach, or inadvertent unauthorized disclosure incident. The risk assessment includes factors that must be considered, specifically the context of the incident and the data that was disclosed. Example - An IRS employee in the field loses a taxpayer case file. The case file contained PII data such as name, address, social security number, and other tax data. It is not known whether the loss of the PII data will lead to identity theft. The IRS conducts a risk assessment and examines key factors to determine if notification should be given to the potentially impacted individual.
Data Owner The data owner is the Business Unit who has responsibility for the information and is therefore responsible for containment and mitigation of the data loss/breach incident. For example, if a POA tells an SBSE Revenue Officer (RO) she received Income Verification Express Service (IVES) transcripts she did not request, the reporter is the RO but W&I is the data owner and carries the responsibility for mitigation and containment.
Federal Information Processing Standards (FIPS) A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
Federal Information Processing Standards (FIPS) Publications Publications issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Trade Commission (FTC) An independent agency of the United States government, established in 1914 by the Federal Trade Commission Act, with the principal mission of promoting "consumer protection" and the elimination and prevention of what regulators perceive to be "anti-competitive" business practices.
Harm Includes any of the following effects of a breach of confidentiality, integrity, availability, or fiduciary responsibility:
   a) Potential for blackmail;
   b) Disclosure of private facts;
   c) Mental pain and emotional distress;
   d) Potential for secondary uses of the information that could result in fear or uncertainty, or unwarranted exposure leading to humiliation or loss of self-esteem;
   e) Identity theft; or
   f) Financial loss.
Identity Protection Specialized Units (IPSU) The IPSU assists taxpayers that are, or may become, victims of identity theft. The IPSU is comprised of paper teams as part of the Accounts Management Identity Theft Victim Assistance (IDTVA) function.
Identity Theft A fraud that is committed or attempted using an individual's identifying information without authority.
Incident Management The process of managing incidents involving the loss, theft, breach or disclosure of data. This term can also be used to refer to the Office within Privacy, Governmental Liaison and Disclosure responsible for the process of managing incidents involving the loss, theft, breach or disclosure of data by the IRS.
Information Technology Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
Level 1 (L-1) Incidents
  • Incidents that include situations involving a direct threat of an imminent physical assault action against identifiable IRS personnel (in relation to a known or implied nexus to their employment), facilities, or infrastructure. Additionally, sensitivity factors apply if the threat was made concerning the IRS Commissioner, a member of the Commissioner’s immediate staff or any IRS Business Unit Commissioner or if the threat significantly impacted the operations of another government agency.

  • Incidents that include powder mailings, bomb threats or other “incidents” which cause the IRS to divert from normal operations, involve significant personnel or operations disruptions and/or disclosures.

Loss Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, blackberry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data.
National Institute of Standards and Technology (NIST) A non-regulatory federal agency within the U.S. Department of Commerce that develops and promotes measurement, standards, and technology.
The Office of Management and Budget (OMB) OMB assists the President in overseeing the preparation of the Federal budget and evaluates the effectiveness of agency programs, policies, and procedures, and works to make sure that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's regulatory, procurement, financial management, information technology, and information management policies.
Personally Identifiable Information (PII) Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. See GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008 at http://www.gao.gov/new.items/d08536.pdf, OMB 07-16 at http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf, and the PGLD webpage, Personally Identifiable Information, at https://organization.ds.irsnet.gov/sites/vldp/Privacy/PII/Pages/default.aspx for additional information.
Phishing Phishing is a scam where Internet fraudsters send e-mail messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. Refer to IRM 21.1.3.23, Scams (Phishing) and Fraudulent Schemes.
PII Incident An actual or suspected loss of control, disclosure, unauthorized disclosure, unauthorized acquisition of, or unauthorized access to PII. PII incidents include situations in which individuals other than authorized users may or do have access to PII for an unauthorized purpose. This applies to PII maintained in electronic or hard copy format.
PII Incident Notification See Data Loss (Breach) Notification.
PII Working Group (PIIWG) A decision making body consisting of senior management and technical experts from all key business and functional unit stakeholders with expertise in information technology, legal requirements, privacy, law enforcement and information security. It is responsible for reviewing risk assessment recommendations and timely approving all notification recommendations with the exception of notification recommendations for certain high risk level/high profile/sensitive breaches (or incidents otherwise representing a servicewide impact) which are instead elevated for review, decision making, and concurrence to the Privacy Policy and Compliance Advisory Committee (PPCAC).
Privacy Policy and Compliance Advisory Committee (PPCAC) A committee comprised of executives from all key business and functional unit stakeholders; originally established to oversee the Identity Protection Program and Incident Management Program activities, specifically the development of Servicewide identity theft and PII data loss policies and procedures, development and execution of Identity Protection and Incident Management Program office procedures, and the study and execution of identity theft outreach, victim assistance and prevention initiatives. The PPCAC is responsible for review of, has decision making authority for, and is responsible for timely concurrence on, certain high risk level/high profile/sensitive breaches (or incidents otherwise representing a servicewide impact) as determined by the Director, PPC.
Reporting Employee The reporting employee is the employee who identifies/recognizes a data loss/breach incident and reports the incident as required. The reporting employee is responsible for reporting all pertinent information relative to the data loss/breach incident.
Risk The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security and privacy controls that would mitigate this impact.
Safeguard Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
Safeguarding Personally Identifiable Information Data Extracts (SPIIDE) A Data Loss Prevention (DLP) tool within the IRS CyberSecurity toolkit. DLP is technology that scans unencrypted, outbound transmissions to advance data protection and reduce inadvertent disclosures.
Sensitive But Unclassified (SBU) Information Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under FOIA (5 U.S.C. 552).
Theft An asset, electronic or hardcopy, thought or known to have been taken without permission from the individual who is responsible for the asset.
Unauthorized Access The willful unauthorized access and/or inspection of tax returns and return information.
Unauthorized Disclosure An unauthorized and unlawful release of information to an individual who is not authorized to receive the information.
Unreasonable Delay A delay in notification following the discovery of a data breach beyond that which is necessary to determine the scope of the breach while considering the needs of law enforcement and national security, and, if applicable, to restore the reasonable integrity of the computerized data system compromised. This means if a breach is discovered and all the information necessary to determine the scope of the breach is gathered within 30 days, it is unreasonable to wait until the 45th day to notify the individuals whose information was breached.

Exhibit 10.5.4-2 
IRS Information Loss Frequently Asked Questions (FAQs)

This table lists frequently asked questions regarding the IRS data loss letter (Letter 4281C) and general questions regarding IRS Information Loss. The table categorizes the questions and answers into the following categories: Caller Authentication Process; Details of Information Loss; Referral; Identity Theft Protection/Credit Monitoring Product; Prevention of Future Information Losses/Protection Against Identity Theft; Impact of Information Loss on Tax Information; Validity of Information Loss Letter/IRS Contact Information; Dependent/Minor Information Loss; and a Standard Closing. This list of FAQs is for use by AM CSRs only. AM CSRs are the only employees authorized and trained to respond to IRS Information Loss notification inquiries.

INFORMATION LOSS QUESTIONS INFORMATION LOSS ANSWERS
CALLER AUTHENTICATION PROCESS - QUESTIONS CALLER AUTHENTICATION PROCESS - ANSWERS
Q1. Why are you asking for my social security number? A1. We are asking for your social security number in order to access your IRS information so that we can verify your identity and update your IRS record with any actions or activity resulting from this call.
Q2. Do I have to provide my social security number? A2. No, you do not have to provide your social security number in order for me to assist you. We ask for your social security number in order to access your IRS information so that we can verify your identity and update your IRS record with any actions or activity resulting from this call. If there are questions today that I am unable to assist you with and which require referral to another office for response, I will require your social security number at that time in order to ensure that we respond to the right person with the right information.
Q3. I have a Power of Attorney (POA) for a client who recently received a letter from the IRS regarding an information loss. Can you help me? A3. I can provide information regarding the information loss; however, I will first have to verify that you have the requisite authority to receive the information. Note to CSR: If the caller is not the impacted individual, but claims to represent the individual, determine whether the individual provided a power of attorney (POA) in connection with the IRS information loss. Do not recognize a representative when the POA on file only identifies tax matters and does not specifically identify the information loss. Also, a POA cannot request credit monitoring or identity theft protection from Equifax for his/her client.
DETAILS OF INFORMATION LOSS QUESTIONS DETAILS OF INFORMATION LOSS ANSWERS
Q4. I don’t understand the letter I received regarding an IRS information loss. Can you tell me what it means? A4. IRS documents or records containing personal information which could be used to identify you, such as your name, address and social security number, were lost on or about the date mentioned in your letter. The letter you received is to inform you about the information loss and to offer you a free identity theft protection product for one year.
Q5. Can you tell me what personal information of mine was lost? A5. The personal information that was lost may have included, for example, your name, your address, your social security number, and/or your tax account information (tax years and balance due). Note to CSR: See Question and Answer #18 if the caller asks for additional information.
Q6. What’s the impact of this information loss on me? A6. Although we have no reason to believe that your personal information has been misused, it is possible that your information could be misused by someone to commit fraud or identity theft. Identity theft occurs when someone uses your personal information such as your name or social security number, without your permission, to commit fraud or other crimes. For your protection, we are offering you a free identity theft protection product for one year with Equifax, one of the three national credit reporting agencies that offer credit-management tools.
Q7. How can I tell if my information has been used to commit fraud or if I have been a victim of identity theft? A7. Unusual or suspicious activity on your bank statements, credit card statements, or any statements relating to recent financial transactions, may be an indication that your personal information has been used to commit fraud or that you've been a victim of identity theft. If you notice any unusual or suspicious activity, you should report it immediately to the financial institution involved.
Q8. When was my information lost? A8. Your information was lost on the date stated in the letter you received from us.
Q9. What is the earliest date that suspicious activity might have occurred due to the loss of my information? A9. Beginning with the date of your information loss (which was stated in your letter), you should monitor your credit report, bank statements, credit card statements and any statements relating to recent financial transactions.
Q10. Why did it take so much time after the loss of information to notify me? A10. We needed time to assess the situation to determine the specific information lost as well as the likelihood for recovery of the information. We then notified you as quickly as possible after the assessment was completed.
Q11. Why did the IRS decide to notify me about the incident? A11. Government policy requires all agencies and bureaus to notify people when information is lost and there is a potential risk that the information could be misused. We want to ensure that you are fully informed of any potential risk so you can better protect yourself and take the necessary steps to monitor your financial transactions.
Q12. What is the likelihood that my information will be recovered? A12. Unfortunately, we don’t know whether your information will be recovered or not. You received the notification letter because we have an obligation to inform you so that you can take the proper precautions.
Q13. What do you mean my information was lost? What does lost mean? A13. We lost possession and control of documents that contain your personal information.
REFERRAL QUESTIONS REFERRAL ANSWERS
Q14. Do I need to send any information to the IRS? A14. At this time you do not need to send any information to us. However, if we determine that we do need you to send any information, you will be contacted via letter by the appropriate IRS business office. Please note that the IRS does not initiate contact with taxpayers via email.
Q15. When did the IRS determine that my personal information had been lost? A15. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require additional research by authorized personnel. I am going to fill out a referral form with your question(s) and send it to the office that can address your question(s) and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.
Q16. How did this information loss happen? A16. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require additional research by authorized personnel. I am going to fill out a referral form with your question(s) and send it to the office that can address your question(s) and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.
Q17. How many people were affected by this information loss? A17. Unfortunately, I don't have access to that specific information. We can provide that information to you, but it will require additional research by authorized personnel. I am going to fill out a referral form with your question(s) and send it to the office that can address your question(s) and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.
Q18. Can you tell me what additional information of mine was lost? A18. Unfortunately, I don't have access to any additional information. We can provide that information to you, but it will require additional research by authorized personnel. I am going to fill out a referral form with your question(s) and send it to the office that can address your question(s) and provide you with a response. I want to be sure I understand your issue correctly — could you please repeat the specific information you are requesting again? You should expect an answer in writing within 30 days.
IDENTITY THEFT PROTECTION/CREDIT MONITORING PRODUCT QUESTIONS IDENTITY THEFT PROTECTION/CREDIT MONITORING PRODUCT ANSWERS
Q19. How do I sign up for (or enroll in) the free Equifax identity theft protection/credit monitoring product? A19. To sign up for (or enroll in) the free Equifax identity theft protection/credit monitoring product for one year, you must follow the instructions that were included in the letter that you received from us. If you have a specific question regarding those instructions I will be glad to assist you today.
Specific Equifax identity theft protection/credit monitoring product enrollment instructions: You can enroll by internet or by telephone. In addition to your enrollment promotion code, Equifax will ask for your customer information (name, address, social security number, date of birth, and telephone number). You'll also have to give Equifax permission to access and monitor your credit files. To enroll by phone, call 1-866-937-8432 to access the Equifax automated telephone enrollment process; to enroll online, go to http://www.myservices.equifax.com/tri. If you decide to enroll online, Equifax will send you information and reports through your online account. If you decide to enroll by phone, Equifax will send all credit reports and alerts to you by mail.
Q20. What will happen when I enroll in Equifax's identity theft protection product? A20. Upon your enrollment, you will receive daily credit file monitoring and automated alerts of key changes to your Equifax, Experian, and Trans Union credit reports; access to your credit report; toll-free customer assistance available 24 hours a day, 7 days a week; up to $1 million in identity theft insurance with $0 deductible, at no additional cost to you (limitations and exclusions apply); and other services that will ensure you can effectively monitor your personal accounts. In addition, you can place a Fraud Alert on your credit files at all three agencies. If you choose this option, then all creditors should contact you before creating any new account in your name.
Q21. Do I have to pay for the identity theft protection product? A21. No, you do not have to pay for the identity theft protection product from Equifax. It is available to you free of charge. However, it is only available to the individual to whom the letter was addressed, and not to any other family members. The identity theft protection product is free for one year from the date of your enrollment.
Q22. What is a Fraud Alert? A22. A fraud alert is a consumer statement added to your credit report. This statement alerts creditors of possible fraudulent activity within your report and requests that they contact you prior to creating any accounts in your name.
Q23. How do I place a fraud alert with Equifax? A23. To place a fraud alert on your Equifax credit file, visit www.fraudalerts.equifax.com or contact the Equifax auto fraud line at 1-877-478-7625, and follow the simple prompts. Once the fraud alert has been placed with Equifax, a notification will be sent to the other two credit reporting agencies, Experian and Trans Union, on your behalf.
Q24. Why do I have to provide my social security number and date of birth to Equifax and not to the IRS? A24. The IRS is not a party to any agreement made between you and Equifax. Please be assured that the IRS has not provided and will not provide any personal information to Equifax regarding this information loss. Please ensure you review all privacy and security statements to ensure you understand how Equifax will collect, maintain and handle your personal data.
Q25. Can the IRS automatically enroll me with Equifax? A25. The IRS can't automatically enroll you with Equifax because personal information must be provided in order to enroll you in the identity theft protection product. The IRS doesn't provide any personal information to Equifax regarding any information loss. To understand how Equifax will collect, maintain and handle your personal data, be sure to review all privacy and security statements.
Q26. I called the Equifax toll free number but I am having trouble with the Equifax system and getting my free identity theft protection product. Can you help me? A26. Once you have input your promotion/enrollment code, if you are having difficulty with the system, you will be given the option of speaking to a live person who can assist you in signing up for the free identity theft protection product. If you want to call an Equifax agent directly, you may call Equifax toll free at 866-252-4576. The IRS is not a party to any agreement made between you and Equifax, and unfortunately, we cannot assist you with the problem you encountered with the Equifax system.
Q27. I tried to use the promotion/enrollment code included in the information loss letter to sign up for the Equifax identity theft protection product, but I was told the code had expired. Can you help me? A27. Unfortunately, I am unable to assist you with your expired enrollment code. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days. We are sorry for any inconvenience this may cause you.
Q28. I received a letter from the IRS regarding an information loss incident but I lost (or misplaced) the letter. Can you send me another letter? A28. Unfortunately, I am unable to assist you with replacing the letter. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days.
Q29. My husband received a letter from the IRS regarding an information loss incident but I didn't. Why didn't I receive a letter? A29. Unfortunately, I am unable to answer that question. I am going to fill out a referral form and send it to the office that can address your question and provide you with a response. You should expect an answer within 30 days.
PREVENTION OF FUTURE INFORMATION LOSSES/PROTECTION AGAINST IDENTITY THEFT QUESTIONS AND ANSWERS
Q30. Can you tell me what Identity Theft is? A30. Yes. Identity theft occurs when someone uses your personal information such as your name or social security number, without your permission, to commit fraud or other crimes.
Q31. I haven’t noticed any suspicious activity in my financial statements, but what can I do to protect myself from being victimized by credit card fraud or identity theft? A31. We strongly recommend that you closely monitor your financial statements and that you take advantage of the free identity theft protection product from Equifax we are making available to you. You can minimize your risk by taking these precautions.
Q32. Should I contact my financial institutions (and/or other creditors), or will the IRS do this for me? A32. The IRS is not authorized to act on your behalf on any issue dealing with your personal finances. However, you should monitor your financial accounts and sign up for the free Equifax identity theft protection product. If you see any unusual activity you should contact your financial institutions (and/or other creditors) since the IRS will not contact financial institutions or other creditors on your behalf. The IRS may provide additional services should you experience identity theft as a result of the information loss by the IRS.
Q33. I believe that I have been a victim of ID Theft as a result of this information loss. How are you going to assist me in dealing with this? A33. I apologize for any inconvenience. In order to start the process to assist you I will need you to provide photocopies (not originals) of the following materials: 1. Authentication of Identity. A legible copy of a valid U.S. federal or state government-issued form of identification (example, driver’s license, state identification card, social security card, passport, etc.). 2. Evidence of Identity Theft. A copy of a police report indicating identity theft as the issue or Form 14039, Identity Theft Affidavit. Please fax this information to 855-807-5720 or you may photocopy this information and mail it to: Internal Revenue Service, Fresno, CA 93888-0025. I am also going to fill out a referral form and send it to the office that will investigate your claim of ID Theft as a result of the IRS information loss. If you are experiencing financial difficulty as a result of the ID Theft, contact the Taxpayer Advocate Service toll-free at 1-877-777-4778, or complete Form 911, Request for Taxpayer Advocate Service Assistance (and Application for Taxpayer Assistance Order).
Q34. Where should I report suspicious or unusual activity? A34. If you notice any suspicious or unusual activity in any of your financial accounts, you should report it immediately by: 1. Contacting the financial institution where you noticed the suspicious or unusual activity on your account. 2. Contacting the fraud department of Equifax, one of the three major credit bureaus, by calling 1-800-525-6285; or online at www.equifax.com; or by writing to: Equifax, P.O. Box 740241, Atlanta, GA 30374-0241 3. Filing a complaint with the Federal Trade Commission by calling the FTC’s Identity Theft Hotline, 1-877-438-4338; or online at www.ftc.gov/idtheft; or by writing to: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580. If you believe that the suspicious or unusual activity is a result of this information loss, contact the Treasury Inspector General for Tax Administration (TIGTA), Office of Investigations, by calling the TIGTA hotline, 1-800-366-4484; or online at www.treasury.gov/tigta/ and click on “Report Fraud, Waste, and Abuse”; or by writing to: Treasury Inspector General for Tax Administration Hotline, PO Box 589, Ben Franklin Station, Washington, DC, 20044-0589.
Q35. What is the IRS doing to make sure that this does not happen again? A35. We have strict policies in place to protect your privacy and to ensure the information entrusted to us is secure. Specifically: 1. We use a computer security incident response center that continuously monitors the security of IRS computer systems and networks and serves as the first point of contact for any information loss incident. 2. We issue updated data protection policies and processes to our employees and provide security and privacy education and training tools to improve employee awareness and skill levels. 3. We implemented a system to protect all information stored or transmitted on IRS equipment. 4. We provide cable locks for IRS employees who are assigned laptops and may travel outside of their office locations on IRS business.
IMPACT OF INFORMATION LOSS ON TAX INFORMATION - QUESTIONS AND ANSWERS
Q36. What is the impact on my personal or business related tax return information? A36. Because there is no evidence to suggest that your information has been misused at this time, we do not anticipate any tax-related impact as a result of this information loss. However if you receive an IRS notice or letter that leads you to believe that someone may have used your personal information fraudulently for tax purposes, please notify the IRS immediately by responding to the name and number printed on the notice or letter or by calling the IRS at 1-800-829-1040.
Q37. You said that the information lost included my social security number. I also have an EIN. How do I know if my EIN has been misused? A37. As with your personal financial information, you should also monitor your business accounts for any unusual or suspicious activity on your bank statements, credit card statements, or any statements relating to recent financial transactions. This may be an indication that your information has been used to commit fraud or that you have been a victim of identity theft. If you notice any unusual or suspicious activity, you should report it immediately to the financial institution involved.
Q38. What if the loss of my personal information results in a problem with my Federal income tax information? A38. If you receive a notice or letter from the IRS that leads you to believe someone may have used your personal information fraudulently, please notify the IRS immediately by responding to the name and number printed on the notice or letter. Our tax examiners will work with you and other agencies, such as the Social Security Administration, to help resolve the problem. You should also know that the IRS does not initiate contact with taxpayers or request personal taxpayer information through email. If you do receive this type of request, it may be an attempt by identity thieves to get your private tax information. Additionally, you may contact the Taxpayer Advocate Service (TAS) by calling 877-777-4778 or TTY/TDD 800-829-4059. TAS is an independent organization within the IRS whose employees assist taxpayers who are experiencing economic harm, who are seeking help in resolving tax problems that have not been resolved through normal channels, or who believe that an IRS system or procedure is not working as it should. If you believe you are eligible for TAS assistance, call TAS at 877-777-4778 or TTY/TDD 800-829-4059. For more information about TAS, go to http://www.irs.gov/advocate or see Pub 1546, Taxpayer Advocate Service - Your Voice at the IRS.
VALIDITY OF INFORMATION LOSS LETTER/IRS CONTACT INFORMATION - QUESTIONS AND ANSWERS
Q39. How can I verify that this letter actually came from the IRS? A39. You can go to our official public website at www.irs.gov. Click on "Help & Resources" at the top of the front page. At the bottom of the Help & Resources page, under Contact Us, select Contact Your Local IRS Office. When you call any of the numbers listed on this page you will be forwarded to the number contained in your letter as that number was established specifically to respond to your questions regarding your information loss.
Q40. I received an email from the IRS asking me to provide personal information (credit card info) so my refund could be deposited into my personal bank account. Is this a legitimate request from the IRS? How do I respond to it? A40. The IRS did not send the email as the IRS does not initiate contact with taxpayers via email. Phishing (as in “fishing for information” and “hooking” victims) is a scam where Internet fraudsters send email messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victim's identity. Current scams include phony emails which claim to come from the IRS and which lure the victims into the scam by telling them that they are due a tax refund.
Q41. How do I know the phone number I’m calling right now is not part of a fraud that is taking place with my tax information being misused? A41. I can understand your fears about what is taking place. My name is ____________ and my badge # is ________. You can go to our official public website at www.irs.gov. Click on Help & Resources at the top of the front page. At the bottom of the Help & Resources page, under Contact Us, select Contact Your Local IRS Office. When you call any of the numbers listed on this page you will be forwarded to the number contained in your letter as that number was established specifically to respond to your questions regarding your information loss.
Q42. All IRS correspondence I get has my social security number on it. Why doesn’t my social security number appear on this letter? A42. We intentionally deleted your social security number from the letter we sent you to minimize any future impact on your information. We are also looking at additional ways that we can reduce the risk of exposure of personal information in all of our correspondence and systems.
Q43. What is your involvement with this information loss issue and where are you located? A43. I am an Accounts Management Customer Service Representative located in XXXXXX trained to assist you with any questions or concerns you may have about this issue and to refer you to the appropriate office if I am unable to answer any of your questions.
Q44. Who can I call for further assistance or information? A44. If you have additional questions or require further assistance you may contact us again at 866-225-2009.
Q45. Is there an organization outside the IRS that can provide tax assistance for free or a nominal fee? A45. You may be eligible for assistance from a Low Income Taxpayer Clinic (LITC). LITCs provide low income taxpayers with representation in federal tax controversies with the IRS for free or for a nominal charge. Additional information can be found in Pub 4134, Low Income Taxpayer Clinic List, which is available at www.irs.gov or your local IRS office.
DEPENDENT/MINOR INFORMATION LOSS - QUESTIONS AND ANSWERS
Q46. Did this information loss include my dependent’s personally identifiable information? A46. If the information loss included your dependent’s personally identifiable information, and your dependent is under the age of 18, the letter you received regarding the information loss stated that your dependent’s information was also lost. If the information loss included your dependent’s personally identifiable information, and your dependent is age 18 or over, you will receive one letter regarding the information loss, and your dependent will also receive a letter. If the information loss included your dependent’s personally identifiable information, and your dependent is under the age of 18, but your dependent already has a history of filing Federal Income Tax Returns, your dependent, although under 18, will receive his/her own letter.
Q47. Why didn’t my dependent child receive his/her own promotion code for the free identity theft protection product? A47. The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, we cannot extend the free identity theft protection product offer to your dependent child (children).
Q48. How can I protect my dependent (child)? A48. Parents/Guardians who are interested in determining whether an Equifax credit file exists for their child (less than 18 years of age), or who have a concern that their child’s identity may have been misused, can take one of the following actions: 1. Try to place a fraud alert on the child's credit report by calling the Equifax Automated Fraud Alert telephone line at 877-478-7625. The system will ask for a social security number and address information. If the system responds by asking for additional identification verification documents such as a social security card, then this confirms that the child does not have a credit file at this time. 2. Send a copy of the minor child’s birth certificate and a copy of a social security card or letter/form from the Social Security Administration along with a letter explaining that the child may be a victim of identity theft to Equifax. Additionally, the parent must provide a copy of his/her driver's license or other government-issued proof of his/her identity, which includes his/her current address. Parents/guardians can send this information to the following address: Equifax Information Services, P.O. Box 740256, Atlanta, Georgia 30374. Once Equifax receives this information, they will perform a search of their database for a credit file under the child's social security number. If Equifax does NOT find a match, they will inform the parent or guardian in writing that a credit file was not found. If a credit file is found, Equifax’s Fraud Investigation Department will become involved to help manage a successful resolution of the situation.
STANDARD CLOSING I hope I have been of some assistance to you today. We regret any inconvenience this incident has caused you. We at the IRS are serious about protecting your personal information and we are committed to making sure that the information you have entrusted to us is protected, secure and private. We want to emphasize that you should take advantage of the free identity theft protection product offered to you in the letter you received and that you should continue to carefully monitor your financial statements and take the appropriate actions if you identify any suspicious activity on your accounts. Please contact us at 866-225-2009 if you have additional questions or require further assistance regarding this issue.

Exhibit 10.5.4-3 
References

The Incident Management Program was established to ensure Servicewide implementation of federal directives to protect citizens and government employees against IRS data losses and misuse of sensitive personal data. The following are the principal documents impacting the Incident Management Program:
OMB Memoranda. OMB Memoranda are available on the Office of Management and Budget home page at http://www.whitehouse.gov/omb/memoranda.

  1. M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006

  2. M-06-16, Protection of Sensitive Agency Information, June 23, 2006

  3. M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006

  4. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 17, 2006

  5. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007

  6. M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices, October 3, 2014



Other Federal Guidance. The President’s Identity Theft Task Force documents are available on the Federal Trade Commission website under News and Events/Press Releases at https://www.ftc.gov/news-events/press-releases/2007/04/presidents-identity-theft-task-force-releases-comprehensive.

  1. Combating Identity Theft: A Strategic Plan, The President’s Identity Theft Task Force Report, April 2007, https://www.ftc.gov/reports/combating-identity-theft-strategic-plan

  2. Combating Identity Theft, Volume II: Supplemental Information, The President’s Identity Theft Task Force Report, April 2007, https://www.ftc.gov/reports/combating-identity-theft-strategic-plan

  3. The President’s Identity Theft Task Force Report, September 2008, https://www.ftc.gov/sites/default/files/documents/reports/presidents-identity-theft-task-force-report/081021taskforcereport.pdf




IRS Internal Revenue Manuals.

  1. IRM 10.5.1, Privacy and Information Protection, Privacy Policy

  2. IRM 10.5.5, Privacy and Information Protection, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

Exhibit 10.5.4-4 
TC 971 AC 505 — IRS Data Loss Indicator

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

TC 971 AC 505 is displayed on IDRS command code ENMOD and consists of the following data elements:

  1. TRANS-DT: the TC 971 AC 505 input date.

  2. SECONDARY-DT: the date the data loss incident occurred.

  3. MISC: the Incident Tracking Number (the number assigned to the data loss case). This number begins with two alphas ("IR", "CR" or "PR") and is followed by 11 numeric digits. For example: IR20100211034

Exhibit 10.5.4-5 
TC 972 AC 505 — Reversal of TC 971 AC 505

Important: Input of Action Code 505 is limited and reserved for use by the Office of Privacy, Governmental Liaison and Disclosure personnel.

The miscellaneous field for TC 972 AC 505 reflects the reason for the reversal of TC 971 AC 505. See the following chart for reasons and values for the MISC field:

TC 972 AC 505 Miscellaneous Field (Reason, Description, Value):

  1. Keying or Internal Error. The 971 was due to a typographical mistake or another internal mistake. Value: IRSERR

  2. Internally Identified Negative Impact. The 971 is causing a negative impact on another internal process or system, and must be reversed to discontinue the negative impact. Value: IRSADM

  3. Other. The reason for the 971 reversal does not meet any of the above reason descriptions. Value: OTHER
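The field rules in Exhibits 10.5.4-4 and 10.5.4-5 can be checked mechanically when AC 505 entries are pulled for review. The following Python is an added example, not IRS code: it takes constructed TC 971/972 AC 505 records (a simplified dictionary layout and ISO dates are assumed here; this is not the actual ENMOD screen format), rejects a TC 971 whose Incident Tracking Number does not match the two-alpha-plus-11-digit pattern and a TC 972 whose MISC value is outside IRSERR/IRSADM/OTHER, and reports whether the indicator is currently set, assuming a reversal cancels the TC 971 that precedes it.

```python
"""Validate TC 971/972 AC 505 (IRS Data Loss Indicator) entries.

Added example. The record layout is an assumption, not the IDRS ENMOD
display; field names and value rules come from Exhibits 10.5.4-4 and 10.5.4-5.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Exhibit 10.5.4-4: the Incident Tracking Number begins with two alphas
# ("IR", "CR" or "PR") followed by 11 numeric digits, e.g. IR20100211034.
TRACKING_NUMBER_RE = re.compile(r"^(IR|CR|PR)(\d{11})$")

# Exhibit 10.5.4-5: permitted MISC values on a TC 972 AC 505 reversal.
REVERSAL_REASONS = {
    "IRSERR": "Keying or Internal Error",
    "IRSADM": "Internally Identified Negative Impact",
    "OTHER": "Other",
}


@dataclass(frozen=True)
class AC505Entry:
    tc: int                       # 971 sets the indicator, 972 reverses it
    trans_dt: date                # TRANS-DT: input date of the transaction
    secondary_dt: Optional[date]  # SECONDARY-DT: date of the data loss (TC 971)
    misc: str                     # MISC: tracking number (971) or reason (972)


def _parse_date(value: Optional[str]) -> Optional[date]:
    # Assumption: dates in the constructed records are ISO YYYY-MM-DD.
    return date.fromisoformat(value) if value else None


def parse_entry(record: dict) -> AC505Entry:
    """Validate one record; raise ValueError on any rule violation."""
    if record.get("AC") != "505":
        raise ValueError(f"not an AC 505 transaction: AC={record.get('AC')!r}")
    tc = int(record["TC"])
    misc = (record.get("MISC") or "").strip()
    if tc == 971:
        if not TRACKING_NUMBER_RE.match(misc):
            raise ValueError(f"TC 971 MISC is not a valid Incident Tracking Number: {misc!r}")
    elif tc == 972:
        if misc not in REVERSAL_REASONS:
            raise ValueError(f"TC 972 MISC must be one of {sorted(REVERSAL_REASONS)}: {misc!r}")
    else:
        raise ValueError(f"unexpected transaction code for AC 505: {tc}")
    return AC505Entry(
        tc=tc,
        trans_dt=_parse_date(record["TRANS-DT"]),
        secondary_dt=_parse_date(record.get("SECONDARY-DT")),
        misc=misc,
    )


def is_valid_entry(record: dict) -> bool:
    """True if the record passes every rule in parse_entry."""
    try:
        parse_entry(record)
        return True
    except (ValueError, KeyError):
        return False


def tracking_number_prefix(entry: AC505Entry) -> str:
    """Return the two-alpha prefix ("IR", "CR" or "PR") of a TC 971 entry."""
    if entry.tc != 971:
        raise ValueError("only TC 971 AC 505 entries carry a tracking number")
    return TRACKING_NUMBER_RE.match(entry.misc).group(1)


def indicator_active(entries) -> bool:
    """True if the data loss indicator is currently set on the account.

    Simplifying assumption: entries take effect in TRANS-DT order and a TC 972
    reverses the TC 971 that precedes it, so the latest entry decides.
    """
    ordered = sorted(entries, key=lambda e: e.trans_dt)
    return bool(ordered) and ordered[-1].tc == 971


# Constructed sample records (not real IDRS output).
SAMPLE_RECORDS = [
    {"TC": "971", "AC": "505", "TRANS-DT": "2010-02-15",
     "SECONDARY-DT": "2010-02-11", "MISC": "IR20100211034"},
    {"TC": "972", "AC": "505", "TRANS-DT": "2010-03-01",
     "SECONDARY-DT": None, "MISC": "IRSERR"},
    {"TC": "971", "AC": "505", "TRANS-DT": "2010-03-02",
     "SECONDARY-DT": "2010-02-11", "MISC": "PR20100211035"},
]


def parse_all(records=SAMPLE_RECORDS):
    return [parse_entry(r) for r in records]


if __name__ == "__main__":
    entries = parse_all()
    for e in entries:
        print(e)
    print("indicator active:", indicator_active(entries))
```

Running the script prints the three parsed entries and reports the indicator as active, because the final TC 971 follows the reversal. A record with a malformed tracking number or an unlisted reversal reason is rejected by parse_entry rather than silently stored, which is the check a reviewer would want before trusting the MISC field.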
