Upon discovering a possible improper inspection or disclosure of FTI, including breaches and security incidents, by a federal employee, a state employee, or any other person, the individual making the observation or receiving information must contact the office of the appropriate special agent-in-charge, TIGTA immediately, but no later than 24 hours after identification of a possible issue involving FTI. Call the local TIGTA Field Division Office first.
| TIGTA Field Division | States Served by Field Division | Phone |
|---|---|---|
| | Alabama, Florida, Georgia, North Carolina, South Carolina, Tennessee, Puerto Rico, and U.S. Virgin Islands | |
| | Arkansas, Illinois, Iowa, Kansas, Louisiana, Michigan, Minnesota, Mississippi, Missouri, Nebraska, North Dakota, South Dakota, Wisconsin, Northern Ohio, Oklahoma, Texas | |
| | Alaska, Arizona, Colorado, Idaho, Montana, New Mexico, Nevada, Oregon, Utah, Washington, Wyoming | |
| | Connecticut, Maine, Massachusetts, New Hampshire, New York, Rhode Island, and Vermont | |
| San Francisco | California, Hawaii, Guam, American Samoa, Commonwealth of Northern Mariana Islands, Trust Territory of the Pacific Islands | 213-576-4147 |
| | Delaware, Indiana, Kentucky, Martinsburg Computing Center, Maryland, New Jersey, Pennsylvania, Southern Ohio, Virginia, West Virginia, Washington, DC | |
| Electronic Crimes & Intelligence Division | Any agency reporting a cyber-incident such as a data breach may report directly to this division | |
If unable to contact the local TIGTA Field Division, contact the Hotline Number.
Treasury Inspector General for Tax Administration
Ben Franklin Station
P.O. Box 589
Washington, DC 20044-0589
In conjunction with contacting TIGTA, the Office of Safeguards must be notified. (See Pub. 1075, Section 10.2, Office of Safeguards Notification Process)
Office of Safeguards Notification Process
Concurrently with notifying TIGTA, the agency must notify the Office of Safeguards by email to the Safeguards mailbox, email@example.com. To notify the Office of Safeguards, the agency must document the specifics of the incident known at that time in a data incident report, including but not limited to:
- Name of agency and agency Point of Contact for resolving data incident with contact information
- Date and time the incident occurred
- Date and time the incident was discovered
- How the incident was discovered
- Description of the incident and the data involved, including specific data elements, if known
- Potential number of FTI records involved; if unknown, provide a range if possible
- Address where the incident occurred
- IT involved (e.g., laptop, server, mainframe)
Reports must be sent electronically and encrypted using IRS-approved encryption techniques. Use the term "data incident report" in the subject line of the email. Do not include any FTI in the data incident report.
Even if all information is not available, immediate notification is the most important factor, not the completeness of the data incident report. Additional information must be provided to the Office of Safeguards as soon as it is available.
The agency will cooperate with TIGTA and Office of Safeguards investigators, providing data and access as needed to determine the facts and circumstances of the incident.
Incident Response Procedures
The agency must not wait to conduct an internal investigation to determine if FTI was involved in an unauthorized disclosure or data breach. If FTI may have been involved, the agency must contact TIGTA and the IRS immediately.
Incident response policies and procedures required in Section 9.3.8, Incident Response, must be used when responding to an identified unauthorized disclosure or data breach incident.
The Office of Safeguards will coordinate with the agency regarding appropriate follow-up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure the incident response policies and procedures provide adequate guidance. Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated data center employees, immediately.
Incident Response Notification to Impacted Individuals
Notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency’s internal incident response policy since the FTI is within the agency’s possession or control.
However, the agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.
FTI Suspension, Termination, and Administrative Review
The federal tax regulation 26 CFR 301.6103(p)(7)-1 establishes a process for the suspension or termination of FTI and an administrative review if an authorized recipient has failed to safeguard returns or return information. For more information, refer to Exhibit 3, U.S.C. Title 26, CFR 301.6103(p)(7)-1.