When an unauthorized disclosure or data breach occurs, the agency must not wait to conduct an internal investigation to determine if federal tax information (FTI) was involved. If FTI may have been involved, the agency must contact Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards immediately, but no later than 24 hours after identifying a possible issue involving FTI.
Incident response policies and procedures required in IRS Publication 1075, Section 9.3.8, Incident Response, must be followed when responding to an identified, unauthorized disclosure or data breach incident.
The Office of Safeguards will coordinate with the agency regarding appropriate follow-up actions required to be taken by the agency to ensure continued protection of FTI. Once the incident has been addressed, the agency will conduct a post-incident review to ensure the incident response policies and procedures provide adequate guidance.
Any identified deficiencies in the incident response policies and procedures should be resolved immediately. Additional training on any changes to the incident response policies and procedures should be provided to all employees, including contractors and consolidated data center employees, immediately.
Notification to impacted individuals regarding an unauthorized disclosure or data breach incident is based upon the agency’s internal incident response policy since the FTI is within the agency’s possession or control.
However, the agency must inform the Office of Safeguards of notification activities undertaken before release to the impacted individuals. In addition, the agency must inform the Office of Safeguards of any pending media releases, including sharing the text, prior to distribution.
- IRS Publication 1075 (PDF), Tax Information Security Guidelines for Federal, State and Local Agencies