Incident Response Procedures

The agency must not wait to conduct an internal investigation to determine if federal tax information (FTI) was involved in an unauthorized disclosure or data breach. If FTI may have been involved, the agency must contact Treasury Inspector General for Tax Administration (TIGTA) and the IRS immediately.

Contacting TIGTA is a critical step to expedite the recovery of compromised data and identify potential criminal acts. An IRS Office of Safeguards investigation focuses on identifying processes, procedures or systems within the agency with inadequate security controls which led to the incident.

Incident response policies and procedures required in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Section 9.3.8, Incident Response, must be used when responding to an identified unauthorized disclosure or data breach incident.

The Office of Safeguards will coordinate with the agency appropriate follow- up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure their incident response policies and procedures provide adequate guidance.

Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated data center employees, immediately.

Incident Response Notification to Impacted Individuals

Since the FTI is within the agency’s possession or control, notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency’s internal incident response policy.

However, the agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.

References