Points of Risk for Government Agencies and Contractors

Help

Send us your comment!

Your comment will be read by our web staff, but will not be published.

Please do not enter any personal information. Your comment is voluntary and will remain anonymous, therefore we do not collect any information which would enable us to respond to any inquiries.

However, IRS.gov provides a How to Contact the IRS page where you will find guidance on where to submit specific questions.

Share this presentation


Copy and paste the following URL to share this presentation

To email a link to this presentation, click the following:

Share the current section

Bookmarks


Share the current section

This program writes a small 'cookie' locally on your computer when you set a bookmark. If you want to utilize this feature, check the following checkbox. Otherwise, bookmarks will be disabled.
Allow cookies

To view this page, ensure that Adobe Flash Player
version 10 or greater is installed.

Like

Share

♫ ♫ WOMAN: I never dreamed that a swipe of my credit card could cause so much trouble.

MAN: I thought my personal information was safe.

MAN 2: $50,000 of stolen purchases on my cards. It destroyed my credit rating.

NARRATOR: Data security breeches happen. Whether they´re caused by hackers, carelessness, or improper safeguarding procedures, these data losses are big news to the public, undermining their trust in those responsible for keeping their information safe. Most people are concerned that their sensitive information is not shared outside the limits of the law, that it is not lost, that it is not stolen.

In this program, we´ll refer to Federal Tax Information and other sensitive information simply as FTI. Because you have access to FTI, you´re required by law to protect that data. How do you do that all the time, every time? By recognizing when FTI is most vulnerable -- the points of risk.

Risk one -- when you work with it.

Risk two -- when you share it.

Risk three -- when you store it.

The workplace is a primary point of risk.

[ Cell phone rings ]

MAN: Hello?

WOMAN: Hi, David. Did you review that eminent statute case for me?

DAVID: Looking, looking.

WOMAN: [ Sighs ] It´s on my desk!

DAVID: Okay. [ Papers shuffle ]

DAVID: Sorry, I can´t find it.

WOMAN: You´ve got to find that case.

DAVID: Okay. [ Papers shuffle ] There it is -- stuck between the desk and the wall. Must have slid off the pile on your desk.

WOMAN: Great! Review it, please.

NARRATOR: Poor security habits are often linked to messy, disorganized workspaces. It´s easy to lose track of paper or electronic data in a messy environment. When you work with FTI, whether you´re at the office, at home, or traveling, attend to good housekeeping. Be absolutely certain your work environment is secure. And if you step away for a minute, be sure to protect the data first.

When sharing information consider who needs to know, where you share the information, and how you share it. Only persons with an official need to know may access protected data. You may confer with other employees and disclose return information if there is a business need for the conversation -- for instance, to understand or resolve a tax matter.You may not share FTI with a colleague simply because a taxpayer is wealthy or famous. Be careful about where you share information.

[ Indistinct conversations, mid-tempo music plays ]

MAN: I was having lunch with some friends. I could hear the group behind us talking pretty loudly. [ Indistinct conversations ] Then, I realized one of the voices was the agent who was auditing my business. He didn´t mention may name, but I´m dead certain he was talking about my case. Anyone in that restaurant could have overheard.

NARRATOR: Restaurants, lobbies, elevators, public places are clearly inappropriate for sharing sensitive information. Instead, find a secure environment where you can´t be overheard. Consider how you share information by fax, e-mail, and postal services.

When faxing FTI, use a cover sheet to protect the data. Don´t use redial. And avoid using the group-distribution feature. Instead, always enter the fax number directly. And check the number a second time before you press "send."

When e-mailing FTI or other sensitive information, before you hit the "send" button, remember that the subject line can´t be encrypted, so check that it contains no sensitive information. You can encrypt the message itself, and you can encrypt attachments with the message. Double-check both the message and attachments for sensitive material like a taxpayer´s name, an employee´s Social Security number, or similar information. Breaches in messages and attachments are reported all too often. Use SecureZIP to share sensitive attachments and encrypt messages containing sensitive information. And, finally, double-check the "To" and "CC" lines. Are all the recipients those you intend to send to? There are many people with similar names.

Take precautions when moving sensitive information physically from place to place.

MAN: These guys were loading file boxes marked "Exhibit" on the hand carts, said they were heading down the street to the courthouse for trial. You could read the taxpayer´s name clearly on each box. I made them cover up the labels on all the boxes before they went out on the sidewalk. Just in time -- They were about to make four city blocks worth of disclosures.

NARRATOR: If you send FTI by regular mail or private carrier, remember to document the contents of the package. Double-box or double-wrap the package. If the outer package is damaged, the inner package will keep the contents covered. Label the package clearly, double-checking the address and include a return address. Track the shipment and confirm that the package has been delivered and acknowledged. If the package has not been received within the estimated time, follow up with a report to the carrier. When you store FTI, be certain it´s secure -- all the time, every time.

Secure data storage is particularly important for laptops, flash drives, CDs, and DVDs or other mobile media. The more portable the device, the easier it is to lose or to be stolen. IRS Publication 1075 for agencies and Publication 4812 for contractors explains safe storage procedures in detail. If you are a contractor and you lose FTI, report the loss immediately. Call TIGTA at 1-800-366-4484. Notify IRS CSIRC at 1-800-216-4809. And notify your COR immediately by phone and e-mail. If you´re a government employee and you lose FTI, call TIGTA at 1-800-589-3718. And notify Safeguards with an encrypted e-mail, subject "Data Incident Report," to SafeguardReports@IRS.gov.

In summary, when you work with FTI, when you share it, when you store it, recognize the points of risk so that you can safeguard sensitive data -- just in time, all the time, every time. You´ll avoid information breaches and you´ll comply with the laws written to protect the people behind the data.

WOMAN: They ruined my credit.

MAN: They stole my identity.

MAN 2: It took years to get my life back the way it was.

MAN #3: UNAX is a misdemeanor offense with fines of up to $1,000 for each violation and/or one year in prison and dismissal from employment. The willful unauthorized disclosure of returns or return information is a felony offense with penalties of up to five years in jail and $5,000 in fines.

♫ ♫ WOMAN: I never dreamed that a swipe of my credit card could cause so much trouble.

MAN: I thought my personal information was safe.

MAN 2: $50,000 of stolen purchases on my cards.

It destroyed my credit rating.

NARRATOR: Data security breaches happen.

Whether they´re caused by hackers, carelessness, or improper safeguarding procedures, these data losses are big news to the public, undermining their trust in those responsible for keeping their information safe.

Most people are concerned that their sensitive information is not shared outside the limits of the law, that it is not lost, that it is not stolen.

In this program, we´ll refer to Federal Tax Information and other sensitive information simply as FTI.

Because you have access to FTI, you´re required by law to protect that data.

How do you do that all the time, every time?

By recognizing when FTI is most vulnerable -- the points of risk.

Risk one -- when you work with it.

Risk two -- when you share it.

Risk three -- when you store it.

The workplace is a primary point of risk.

[ Cell phone rings ] MAN: Hello?

WOMAN: Hi, David.

Did you review that eminent statute case for me?

DAVID: Looking, looking.

WOMAN: [ Sighs ] It´s on my desk!

DAVID: Okay.

[ Papers shuffle ] DAVID: Sorry, I can´t find it.

WOMAN: You´ve got to find that case.

DAVID: Okay.

[ Papers shuffle ] There it is -- stuck between the desk and the wall.

Must have slid off the pile on your desk.

WOMAN: Great! Review it, please.

NARRATOR: Poor security habits are often linked to messy, disorganized workspaces.

It´s easy to lose track of paper or electronic data in a messy environment.

When you work with FTI, whether you´re at the office, at home, or traveling, attend to good housekeeping.

Be absolutely certain your work environment is secure.

And if you step away for a minute, be sure to protect the data first.

When sharing information consider who needs to know, where you share the information, and how you share it.

Only persons with an official need to know may access protected data.

You may confer with other employees and disclose return information if there is a business need for the conversation -- for instance, to understand or resolve a tax matter.

You may not share FTI with a colleague simply because a taxpayer is wealthy or famous.

Be careful about where you share information.

[ Indistinct conversations, mid-tempo music plays ] MAN: I was having lunch with some friends.

I could hear the group behind us talking pretty loudly.

[ Indistinct conversations ] Then, I realized one of the voices was the agent who was auditing my business.

He didn´t mention may name, but I´m dead certain he was talking about my case.

Anyone in that restaurant could have overheard.

NARRATOR: Restaurants, lobbies, elevators, public places are clearly inappropriate for sharing sensitive information.

Instead, find a secure environment where you can´t be overheard.

Consider how you share information by fax, e-mail, and postal services.

When faxing FTI, use a cover sheet to protect the data.

Don´t use redial.

And avoid using the group-distribution feature.

Instead, always enter the fax number directly.

And check the number a second time before you press "send." When e-mailing FTI or other sensitive information, before you hit the "send" button, remember that the subject line can´t be encrypted, so check that it contains no sensitive information.

You can encrypt the message itself, and you can encrypt attachments with the message.

Double-check both the message and attachments for sensitive material like a taxpayer´s name, an employee´s Social Security number, or similar information.

Breaches in messages and attachments are reported all too often.

Use SecureZIP to share sensitive attachments and encrypt messages containing sensitive information.

And, finally, double-check the "To" and "CC" lines.

Are all the recipients those you intend to send to?

There are many people with similar names.

Take precautions when moving sensitive information physically from place to place.

MAN: These guys were loading file boxes marked "Exhibit" on the hand carts, said they were heading down the street to the courthouse for trial.

You could read the taxpayer´s name clearly on each box.

I made them cover up the labels on all the boxes before they went out on the sidewalk.

Just in time -- They were about to make four city blocks worth of disclosures.

NARRATOR: If you send FTI by regular mail or private carrier, remember to document the contents of the package.

Double-box or double-wrap the package.

If the outer package is damaged, the inner package will keep the contents covered.

Label the package clearly, double-checking the address and include a return address.

Track the shipment and confirm that the package has been delivered and acknowledged.

If the package has not been received within the estimated time, follow up with a report to the carrier.

When you store FTI, be certain it´s secure -- all the time, every time.

Secure data storage is particularly important for laptops, flash drives, CDs, and DVDs or other mobile media.

The more portable the device, the easier it is to lose or to be stolen.

IRS Publication 1075 for agencies and Publication 4812 for contractors explains safe storage procedures in detail.

If you are a contractor and you lose FTI, report the loss immediately.

Call TIGTA at 1-800-366-4484.

Notify IRS CSIRC at 1-800-216-4809.

And notify your COR immediately by phone and e-mail.

If you´re a government employee and you lose FTI, call TIGTA at 1-800-589-3718.

And notify Safeguards with an encrypted e-mail, subject "Data Incident Report," to SafeguardReports@IRS.gov.

In summary, when you work with FTI, when you share it, when you store it, recognize the points of risk so that you can safeguard sensitive data -- just in time, all the time, every time.

You´ll avoid information breaches and you´ll comply with the laws written to protect the people behind the data.

WOMAN: They ruined my credit.

MAN: They stole my identity.

MAN 2: It took years to get my life back the way it was.

MAN #3: UNAX is a misdemeanor offense with fines of up to $1,000 for each violation and/or one year in prison and dismissal from employment.

The willful unauthorized disclosure of returns or return information is a felony offense with penalties of up to five years in jail and $5,000 in fines.