Version 1.14, April 2010
FISMA Year 2010
ELMS # 30907
As with all Federal agencies, IRS employees and managers have a responsibility to safeguard Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII).
The IRS must safeguard tax, financial and personal information regarding taxpayers, fellow employees and other individuals.
You must protect any information that, if lost or disclosed, could:
Violate a person’s privacy
Put a person at risk for identity theft
Compromise the integrity of the tax administration process
Loss, theft or disclosure of sensitive information places taxpayers and others at serious risk for identity theft and erodes the public’s confidence in the IRS.
S.A.F.E. II was developed to keep the topic of safeguarding taxpayer data and other SBU/PII data foremost in the minds of SBSE employees.
Last year we conducted S.A.F.E. briefings to reinforce safeguarding policies, procedures, and requirements, and we provided all employees with reference materials and preventative tips to assist in the protection of both government equipment and sensitive data.
This awareness and training briefing provides employees with the current loss and disclosure trends and key tips and actions for lowering these incidents.
Exercising the same care in handling, securing and protecting data in your possession as you would your own personal information and valuables is a simple way to reduce the number of loss or disclosure incidents.
SBU data refers to sensitive but unclassified information originating within IRS offices.
Sensitive information (including tax and tax-related information) is any information which, if lost, stolen, or altered without proper authorization, may adversely affect Service operations (IRM 10.2.13.3).
PII is a specific type of SBU information.
PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS.
Failure to protect PII could result in disciplinary action for employees and managers (IRM 10.2.13.3.1(1) provides examples of PII).
Unintentional/Inadvertent Disclosure Definition
Disclosure is making known in any way:
Unintentional or inadvertent unauthorized disclosures of sensitive data, including but not limited to federal tax returns or return information, Privacy Act information, Bank Secrecy Act information, Trade Secrets Act information, Financial Right to Privacy Act information, Grand Jury information, and other sensitive information except as provided for by statute
Sensitive data may include infrastructure/configuration data
Includes personally identifiable information (PII) of individuals, including personnel and job applicant information.
Loss/Theft Definition
Lost or stolen:
IT equipment, such as: computers, laptops, routers, removable media, CD/DVD, flash drives, floppies, cell phones, or wireless/air cards
Hardcopy records
Packages lost during shipment
47% of all FY09 SB/SE incidents resulted from procedural deviation
59% of those incidents resulted in disclosure
34% of all FY09 SB/SE incidents resulted from human error
33% of those incidents resulted in disclosure
14% of all FY09 SB/SE incidents resulted from loss and theft of IT equipment
5% of all FY09 SB/SE incidents resulted from other reported incidents such as recovered loss and method not stated
Between 2007 and 2009, the IRS experienced more than 3,150 incidents of loss, theft or disclosure of IT assets or data. This chart shows the breakdown between each type of incident.
IRS incidents by fiscal year and type:

Fiscal year   Loss   Theft   Disclosure
FY-2007        190    165            30
FY-2008        375     98           100
FY-2009        392    109          1871
During 2009 loss/theft incidents had a slight increase (6%).
The total number of disclosures in 2009 increased at an alarming rate to more than 1,800.
‒ This increase can largely be attributed to a change in the reporting requirements for inadvertent disclosures, which may not have been captured by CSIRC in the past, as well as increased employee awareness as the result of outreach and education efforts.
CSIRC Loss/Theft/Disclosure Reporting does not include UNAX violations and investigations.
Source: Statistics provided by Office of DC-Operations Support, Privacy – Information Protection and Data Security, Privacy & Information Protection, Incident Management
IRS vs. SB/SE incidents by fiscal year; (%) is the SB/SE percentage of total IRS incidents:

Disclosure     IRS    SB/SE
FY07            30        1   (3.3%)
FY08           100       16   (16%)
FY09          1871      351   (18.8%)

Loss           IRS    SB/SE
FY07           190       57   (30%)
FY08           375      137   (35.5%)
FY09           392       94   (24%)

Theft          IRS    SB/SE
FY07           165       10   (6%)
FY08            98       14   (14%)
FY09           109       30   (27.5%)
Number of Disclosures (351) by Incident Type for SB/SE in FY09

Type of Incident                            Count
No POA/POA years                               39
Fax                                            38
Incorrect addressee                            36
Incorrect address                              30
Multi-stuffing, multi-page                     29
SSN/Name mismatch                              28
Pre-printed form                               20
SSN/EIN/TIN entry error                        17
Misrepresentation by contact                   14
Email internal                                 13
Other Disclosure (method not stated)           13
3rd Party - Other than taxpayer                12
Hard copy handling                             10
More information than allowed                   9
Procedural deviation                            9
Unencrypted email                               8
Lost Docs within IRS, improper mailing          7
Lost Docs via UPS reported disclosure           7
Lost Docs within IRS                            5
Other                                           4
3rd Party - Didn't sign/prepare return          2
PII in garbage/improper disposal                1

Examples
No POA/POA years: No POA or No POA for year(s) in question
Fax: Incorrect fax number entered
Incorrect addressee: Mail sent to person with similar name
Incorrect address: Mail sent to address other than address of record, or trace address not updated
Multi-stuffing, multi-page: Multiple taxpayers' data included in same envelope
SSN/Name mismatch: SSN for a sibling or child
Pre-printed form: Form used for another taxpayer without updating all fields and pages with intended taxpayer’s data
Number of Loss/Theft (124)

[Chart: loss/theft incidents by Type of Incident for SB/SE in FY09. Types shown: IT Equipment Loss; IT Equipment Theft; Lost Documents UPS, reported as Loss; Lost Documents within IRS; Lost Documents within IRS -- improper mailing; Hard copy handling; PII in garbage/improper disposal; Recovered Loss no Disclosure. Bar values on the chart, largest to smallest: 35, 30, 24, 17, 7, 3, 3, 2, 1, 1, 1.]

Examples
IT Equipment Loss: Lost air card, cell phone
IT Equipment Theft: Stolen laptop
Lost Documents UPS, reported as loss: Lost during shipping and package unable to be located
Lost Documents within IRS: Lost documents in mailroom
[Chart: Disclosures FY09 vs. FY10 Trend – FY09 Disclosures (351); FY10 Disclosures (Trend to 2249).]
[Chart: Loss/Theft FY09 vs. FY10 Trend – FY09 Loss/Theft (124); FY10 Loss/Theft (Trend to 147).]
(#) Total Number of Incidents
FY10 Disclosure trend is based on Oct-Dec 2010 (75 incidents)
FY10 Loss/Theft trend is based on Oct-Dec 2010 (30 losses)
FY09 Trend: 15% of inadvertent disclosures were due to 3rd party permissions that were not verified and/or not current.
Protection Guidelines
3rd Party permissions can work in 4 different ways as listed in the following table:

Type: Checkbox Designee
Guidelines:
• Checkbox authorizations are made directly on the tax form 720, 941, 941PR, 941SS, 1040, 1041, 1120, 2290 and CT-1
• Not permissible for collection or examination proceedings
• Only valid for the period of one year from the due date of the return
• Checkbox designees cannot be contacted by RAs/ROs to schedule the initial appointment

Type: Written consents or tax information authorizations (TIAs)
Guidelines:
• Written consents, such as tax information authorizations, permit access to returns and return information by the designee
• Does not grant the power to represent the taxpayer before the IRS. For example, while he or she is granted permission to have a copy of a Revenue Agent’s Report of Adjustments, the holder of a Tax Information Authorization (TIA) may not dispute any of the adjustments found in the report. http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3002.aspx

Type: Oral Consent
Guidelines:
• Take appropriate steps to verify that the person is indeed the taxpayer – at a minimum, follow the guidance in IRM 11.3.2.3.2 to authenticate identity
• Be sure to fully document in your case file the actions taken when the taxpayer gives you oral permission and when verifying the third party’s identity (oral consent can only be accepted to resolve a federal tax matter)

Type: Power of Attorney
Guidelines:
Power of Attorney IRS Form 2848
• Authorizes a third party to represent the taxpayer before the IRS
• Only individuals can be named to represent the taxpayer
• They must be part of a specifically authorized category of representative sanctioned by regulation
• They must be specifically designated by the taxpayer via a properly completed Power of Attorney
Non-IRS Powers of Attorney
• Individuals may use a non-IRS durable power of attorney as long as it contains all of the information required by regulation
• Must include language that authorizes the designee to handle federal tax matters. http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/3021.aspx
Understand the different types of permissible 3rd party authorizations and the information allowed to be disclosed under each
Keep the Quick Guide* from Disclosure for a chart that identifies permissible disclosures based on the taxpayer designee type
All discussions of tax matters must be held only with someone named on the POA and for the year(s) covered by that POA, Form 2848
Verify there is a valid Power of Attorney (POA) on file before disclosing any information
POAs must be held by individuals
Non-IRS POAs may be used given that it is clearly stated on the POA that the designee has rights to federal tax information
POAs must be on file for the year(s) in question
Some acts must be specifically authorized, e.g. receive and endorse a refund check, substitute a representative
*A Quick Guide to the Powers of Attorney and Tax Information Authorizations can be found at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/POA/7486.aspx
Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms
FY09 Trend: Inadvertent disclosures occurring during routine activities account for 46% of all SB/SE disclosures and include key errors such as:
Misdirected Faxes
Double-stuffing, stuffing envelopes incorrectly
Different party’s information on a pre-printed form (a.k.a. pattern correspondence)
Protection Guidelines
For faxing use a cover sheet with the recipient’s name, number of pages and Notice of Disclosure – no confidential information on cover page
Send the cover sheet first, so that it is the first page and covers the faxed correspondence (IRM Reference: 11.3.1.10).
Cover sheet template link: http://core.publish.no.irs.gov/forms/internal/pdf/23436c07.pdf
Wherever possible, pattern correspondence templates should be saved without confidential information
Disclosure – Fax, Multi-Stuffing and Pre-Printed Forms
Do not use the redial button on the fax machine
Before hitting the “Send” button - take the time to double check the fax number you just entered
Before sealing envelope, verify only ONE taxpayer’s documentation is in the envelope
Work one case file at a time to prevent documents becoming mixed between cases
For pattern correspondences/pre-printed forms:
Use a new template letter or document
Remove references to other taxpayers
Take a second look at the correspondence for accuracy
Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch
FY09 Trend: 27% of inadvertent disclosures were due to incorrect addressee, address and SSN/Name mismatch
Disclosures resulting from incorrect addressee or address and SSN and Name mismatch
Addressee is a different taxpayer
Address is incomplete or similar to another case
Recipient of correspondence has the same name, but different SSN
Address obtained from Accurint was not for the same person for which the correspondence was intended
Protection Guidelines
Conduct a Mail Trace using e-Discovery and/or Accurint to verify the name and address match SSN/EIN/TIN you are processing
Disclosure – Incorrect Addressee, Address, SSN/Name Mismatch
Taking a few simple precautions can greatly reduce these incidents:
When using Accurint, be sure to:
Use Accurint guide to optimize searches
Redact all identifying information that does not relate to the taxpayer in question based upon how it appears in the IRS address of record
Remove other SSNs listed with taxpayer names
Verify taxpayer using identifiers other than name (such as DOB, SSN)
Accurint QRG: http://rnet.web.irs.gov/docs/pdfs/accurint_qrg.pdf
Redacting Choicepoint and Accurint: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/Guidance/Dispatch/3425.aspx
Disclosure
Good disclosure decisions use the CAP process:
Be sure Code (C) allows the disclosure,
that you have the authority (A) to make the disclosure and
that you follow the appropriate procedures (P) when making the disclosure.
Safeguard Paper Files
Follow the Clean Desk Policy – do not leave confidential information unattended
Securely lock paper documents containing sensitive information when not in use
Protect documents while you are in the field as well as in the office by keeping them in a folder or placing a blank cover sheet on top
Misrepresentation of contact is often due to incomplete authentication of taxpayer or taxpayer’s Limited English Proficiency
Required Taxpayer Authentication procedures should be followed as outlined in IRM 21.1.3.2.3 and 21.1.3.2.4
Taxpayers may use their minor child as interpreter by giving verbal or written consent
CAP: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/Basics/3131.aspx
Disclosure Awareness Pocket Guide: http://core.publish.no.irs.gov/docs/pdf/14784k08.pdf
General Disclosure Hot Topics: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Reference/HotTopics/default.aspx
SB/SE Laptop Highlights
[Chart: Number of Lost/Stolen Laptops by fiscal year; bar values 52, 28, 28, 24 and 2.]
Note: Year-to-date data represents the period from Oct 1 to Dec 31
FY09 Trend: 52% of all SB/SE loss and theft incidents are related to IT asset loss and theft, which includes:
Cell phones
Laptops
Media cards, thumb drives, printers, etc.
Protection Guidelines
IRS laptops and other IT assets (e.g. air cards) shall never, under any circumstance, be stored in checked luggage while traveling, whether it is an international or a domestic flight.
Protect your passwords at all times. Passwords, smart cards or grid cards should be protected and shall not be stored on or with the laptop/cell phone.
Never leave your laptop unattended and/or unsecured!!
When possible place your laptop under the seat in front of you when traveling by plane, bus or train, rather than in an overhead bin where it is out of your sight.
If your laptop is stored in an overhead bin, it should be within your direct line of sight
Set up an encrypted directory and save sensitive files to an encrypted folder
Newer laptop images have forced encryption on everything in the “My Documents” folder
Use cable locks to secure your laptop - even within IRS-controlled facilities.
Laptops may be locked in a cabinet or desk for additional protection overnight
Never leave your laptop in your vehicle overnight!!
Not even in your trunk, in the driveway, or in the garage
Enable the password/PIN function on your cell phone
FY09 Trend: Loss of hardcopy SBU/PII data accounted for 48% of all losses/thefts and is comprised of:
UPS Shipping
Losses within IRS Facilities
Other hard copy loss, e.g. residence, vehicle, public transportation
Protection Guidelines
When transmitting PII in paper or removable media format by mail or through a carrier, employees are required to do so in a manner that ensures it does not become misdirected or disclosed to unauthorized personnel.
Use Small Package Carrier (e.g. UPS) when shipping PII
Use US Postal Service to mail documents to the taxpayer
Use Form 3210, Document Transmittal to track mail and shipments
IRM Reference for Form 3210: 3.13.62.7.1
Do not use “Sensitive Contents” labels on PII packages; leaving them off decreases the temptation for theft.
Securely package PII contents prior to shipping
Use undamaged packaging materials
Double wrap or double box all materials.
Place address labels on both inside and outside packages
When shipping via United Parcel Service (UPS)
Monitor the package during shipment using the basic tracking number provided by UPS and confirm receipt
Set and monitor timelines for transmittal acknowledgement – within 7 days
For internal IRS shipments, use a document receipt to verify that confidential material has been properly received
If sender, initiate Form 3210; if recipient, complete and return Form 3210
A Revenue Agent (RA)/Correspondence Examination Technician (CET) was working several cases and preparing letters to be sent to taxpayers and their representatives. The RA/CET prepared a letter for case 1 to send to POA “A” on behalf of Mr. and Mrs. Jones. The RA/CET then moved on to case 2 and prepared a report to send to POA “B”, Mr. and Mrs. Smith’s representative. The RA/CET packaged up the documents for mailing, addressed the envelopes and moved on to other case work. Two days later, POA “A” called to say he had received the report for Mr. and Mrs. Smith, and he does not represent them.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing envelope, RA/CET should have checked contents
D. RA/CET should have completed case 1 prior to moving to case 2
See Notes for Answers
A Tax Compliance Officer (TCO) was preparing a report to send to a taxpayer. The report was sent to the network printer, promptly retrieved and put in an envelope for mailing. 3 days later, the taxpayer called to say that they had received additional documents of another taxpayer.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. Prior to sealing envelope, TCO should have checked the documents retrieved from the printer to verify pages were only for this taxpayer
See Notes for Answers
A Revenue Officer (RO)/Tax Examining Technician (TET) researched the address of a taxpayer, found a newer address on Accurint, and mailed a letter to the address. The individual at the address opened the letter believing it was for her since it was her maiden name. Upon opening the letter, the individual realized the letter was for someone else.
Which of the following are True statements about this scenario?
A. This is not a disclosure
B. This is a disclosure
C. The RO/TET should have verified the identity of the taxpayer using additional identifiers such as SSN and Date of Birth
See Notes for Answers
Within one hour of becoming aware of the inadvertent disclosure of sensitive information, or the loss or theft of a laptop, IT asset or hardcopy document containing sensitive information, you should report the incident to:
1. Your manager,
2. If it involves taxpayer correspondence, report it directly to the Notice Gatekeeper using the Servicewide Notice Information Program’s Erroneous Taxpayer Correspondence SNIP Reporting Form http://gatekeeper.web.irs.gov/errCPReport2.aspx
   This form has now been expanded to include electronic communication like faxes, transcripts and e-mails.
3. If it does not involve taxpayer correspondence (for example, a verbal disclosure, lost laptop, data disk or internal mail shipment), report it to the Computer Security Incident Response Center using the CSIRC Incident Reporting Form, or by calling 866.216.4809
4. If the incident involves the loss or theft of an IT asset or hardcopy data, contact TIGTA at 800.366.4484 (TTY/TDD 1-800-877-8339) http://www.treas.gov/tigta/contact_report.shtml
   When calling TIGTA, always secure a TIGTA reference number.
5. Local Law Enforcement, as appropriate
Situations that are not to be reported to SNIP or CSIRC:
Example 1:
An IRS employee follows all procedures to verify the identity of a caller before disclosing any information, only to later find they are not talking to the taxpayer or the taxpayer’s authorized representative. The employee terminates the call at that point without disclosing any further information.
Example 2:
An IRS employee faxes return information as requested by a taxpayer or authorized representative. The employee follows all established procedures for faxing sensitive information, only to later find that the fax number given to them by the taxpayer or authorized representative was incorrect.
Example 3:
IRS employees follow all established procedures for locating a potential new address for a taxpayer, and a letter is generated to that address in an attempt to contact the taxpayer. A person who receives the correspondence at that address contacts the IRS and says they are not the taxpayer.
Example 4:
The IRS sends correspondence to the last known address of a taxpayer. A person who receives the correspondence at that address contacts the IRS to say the taxpayer does not live there.
The timely reporting of all information losses or thefts is critical so that any needed investigation can be initiated quickly, which can decrease/mitigate the possibility that the information will be compromised and used to perpetrate identity theft or other forms of fraud.
Refer to IRM 10.5.3.6, Reporting Losses, Thefts and Disclosures of Sensitive Information.
If you see indications of an intentional unauthorized disclosure, the incident must be reported to TIGTA. See IRM 11.3.1.6(2) and IRM 11.3.38.6.1(1).
Please email the SB/SE Security PMO with any questions at: *SBSE Security