Joyce Peneau: Hello. I am Joyce Peneau
from the IRS Office of Safeguards.
Welcome to Safeguards Disclosure Awareness Training.
The purpose of this video
is to provide training for federal, state,
and local agency employees, agents, and contractors.
The Office of Safeguards verifies compliance
with 6103(p)(4) safeguard requirements.
It does this through the identification
and mitigation of any risk of loss, breach,
or misuse of federal tax information
by over 300 external government agencies.
Each year, billions of pieces of FTI are disclosed,
as the law allows.
The laws that permit disclosure also require its protection.
We partner with each agency
to protect federal tax information.
Our agency partners play a vital role in safeguarding FTI
by building effective security controls
into your processes, procedures, and systems.
You are responsible for ensuring the information
is protected appropriately
from the time you receive it until the time it's destroyed.
The American public expects two things
from both of us.
First, that we work together proactively
to be as effective as possible,
and second, that we safeguard their personal data.
A good security awareness program is, by far,
the most effective and the least expensive part
of the overall security program.
For many of you,
this is simply a refresher on disclosure awareness,
while for others, this may be the first time
you have been exposed to the concepts.
Before we move into the substance
of the discussion,
I would like to thank you for everything you do
to protect the confidentiality of federal tax information.
I truly appreciate it.
Kevin Woolfolk: Hello. I'm Kevin Woolfolk,
and I'll be the moderator for this discussion.
I have extensive experience with the IRS
and have worked in many capacities
within the Safeguards office.
Joining me as the panel are Shawn Finnegan,
Chief of Safeguard Review Team 2,
Megan Ripley, lead computer security reviewer,
and Joi Bridgers, program analyst.
Shawn, Joi, and I have all served
as disclosure enforcement specialists
in the safeguards operation
before moving into our current positions.
We have all conducted on-site reviews.
We're grateful for the opportunity
to visit with you today.
We'll be discussing several key concepts
that are used in protecting federal tax information, or FTI.
It's up to us to protect this sensitive information
while creating and cultivating confidence in our agencies.
So let's get started.
We will begin our discussion today
with a question we're often asked.
Megan, what do we mean by federal tax information, or FTI?
Megan Ripley: Kevin, that's a very good question.
FTI consists of two things.
One, a tax return, and two, return information.
FTI can be either or both.
FTI is any return or return information received
from the IRS
or a secondary source such as the Social Security Administration,
the Federal Office of Child Support Enforcement,
the Bureau of Fiscal Services,
or the Centers for Medicare and Medicaid Services.
FTI is also shared under agreements allowed
by the statute or regulations.
Joi Bridgers: A tax return includes all amendments,
supplements, supporting schedules, attachments,
or lists filed on paper or electronically
along with the return,
such as forms 1040, 941, 1120,
and other informational forms,
such as a Form 1099 or a W-2.
Kevin Woolfolk: So now we know what is considered
FTI for the return.
What is return information?
Joi Bridgers: I'd like to answer that, Kevin.
Return information, in general,
is any information collected or generated
by the IRS regarding any person's liability
or possible liability.
The Internal Revenue Code
defines return information very broadly.
It includes, but is not limited to,
the return itself, as well as any information
that the IRS obtained or developed
that relates to the potential tax liability.
It could be from anywhere.
Shawn Finnegan: FTI includes the information
extracted from a return,
including names of dependents,
the location of a business,
the taxpayer's name, address, and identification number.
Even if identifiers such as name, address,
and identification number
are deleted from this information,
it is still considered FTI.
Megan Ripley: We need to emphasize
that the definition of return information
includes anything relating to a tax account.
Return information includes the status
of whether a return was filed,
if it's being processed,
if it is under examination,
if it's subject to other investigation,
or in collection status.
It also includes information contained on transcripts
of the taxpayer's account.
This information is all FTI.
Kevin Woolfolk: What about the copies of tax returns
that clients or their representatives
have given to the agency to verify their data?
Are those returns considered FTI?
Shawn Finnegan: No, Kevin. Returns from clients
are not federal tax information.
Source is the key to knowing whether or not the data is FTI.
The information must be derived
from the IRS or a secondary source,
as previously mentioned,
for it to be considered federal tax information.
This is what you need to remember.
If the source is your agency's client
or a client´s representative,
it is not FTI.
If the source is the IRS
or an IRS secondary source,
the information is FTI.
Kevin Woolfolk: Megan, what happens
when the information from the return
is transferred to a different format, document,
or computer application?
Megan Ripley: Agency personnel often forget
that any information derived from the FTI
is considered federal tax information
and must be safeguarded.
Derived FTI includes things like photocopies, scanned data,
or information transcribed into a form, letter,
application, or spreadsheet.
It could be something as basic as a sticky note
where information from FTI
was jotted down for quick reference.
The information on the sticky note
then becomes FTI, which requires safeguarding.
Shawn Finnegan: When there is any doubt, ask yourself,
where did the data originate?
If the answer is IRS or one of the secondary sources,
it is FTI and must be safeguarded.
Kevin Woolfolk: Joi, what requires FTI
to be kept confidential?
Joi Bridgers: Title 26 of the Internal Revenue Code,
section 6103,
gives the IRS the authority to disclose FTI
to federal, state, and local agencies.
It also dictates
that the disclosed FTI must be held confidential.
IRS shares billions of tax records each year
to increase compliance, enforcement,
and service to taxpayers.
These records help agencies generate
hundreds of millions of dollars in revenue
and provide verification for those requesting assistance.
With all this information sharing
comes great responsibility to protect it.
Kevin Woolfolk: Joi, disclosure's
a running theme in the law.
Please explain what the term "disclosure" means.
Joi Bridgers: The Internal Revenue Code
defines disclosure
as making known a return or return information
to any person in any manner.
We must be mindful
that when Congress gave IRS the authority to disclose FTI,
it also provided IRS statutory provisions
to protect the private information
of U.S. citizens.
The provisions provide the foundation
for safeguarding FTI,
which is where agency personnel
and the Office of Safeguards enter the picture.
Shawn Finnegan: The law only allows FTI to be disclosed
to those who are authorized and who have a need to know.
Kevin Woolfolk: Thank you, Shawn.
Megan, can you please tell us about Publication 1075
and why it's important
to the agencies who receive federal tax information?
Megan Ripley: Publication 1075,
Tax Information Security Guidelines
for Federal, State, and Local Agencies,
details the security requirements for all agencies
that receive, process, store, or transmit FTI.
Publication 1075, for all intents and purposes,
is the guiding document for the Office of Safeguards
and our agency partners.
It provides the information needed
to meet the strict requirements for requesting, receiving,
safeguarding, and destroying FTI.
Joi Bridgers: The requirements within the publication
originate from several different sources:
Internal Revenue Code, or IRC, Section 6103;
IRS policy and procedures;
and the National Institute of Standards and Technology
Special Publication 800-53.
These requirements are designed for moderate-risk systems
and are the backbone
of information technology confidentiality requirements.
Shawn Finnegan: Each agency that receives
federal tax information
must become familiar with Publication 1075
and its requirements.
It outlines all the policies and procedures
for safeguarding FTI within your agency.
Publication 1075 is periodically updated
and published electronically.
The latest version is always available
in the Safeguard section of the IRS' website at IRS.gov.
Kevin Woolfolk: Wow. That's really helpful information, Shawn.
Megan, could you please tell us more
about the Safeguard section of the IRS website?
Megan Ripley: Certainly.
You can find comprehensive information by going to IRS.gov
and searching for the "Safeguards Program" page.
Type the words "Safeguards Program"
into the search box.
We update the website often,
so I encourage you to visit the page frequently
for the most current information.
Our website has a lot of useful features
and information you'll need.
It includes alerts, technical information,
and computer security requirements,
which are documented
in safeguards computer security evaluation matrices.
Shawn Finnegan: You´ll find recommendations on how to comply
with Publication 1075 requirements,
templates for internal inspections,
and guidance on how to complete the forms.
Instructions for reporting
unauthorized accesses, disclosures,
or data breaches are on our site.
And a link to this video is on the webpage
in case you need to revisit it
or share it with new staff members.
Kevin Woolfolk: That's great information.
It sounds like the Safeguards website's a one-stop shop
for all of the safeguarding information.
Now we're going to examine the key tenets of safeguarding.
The eight areas of focus are as follows --
recordkeeping, secure storage,
restricting access,
employee awareness and internal inspections,
reporting, disposal, need and use,
and computer security.
Let´s begin with recordkeeping.
Joi, can you please tell us a little bit about recordkeeping?
Joi Bridgers: Recordkeeping requires that each agency
maintain a system
of standardized records or logs for all FTI.
Records and logs come into play at the time
that the FTI is received,
and they must remain active until the FTI is destroyed.
The logs may be in paper format,
or they may be electronic.
The recommended data elements for the logs
and their retention schedule are listed in Publication 1075.
An agency must be able to show the movement of FTI
on their logs as it flows through the process.
If you provide FTI to the next person in the process,
you must log where it went.
And the next recipient, or the new recipient,
must log that they received it.
Shawn Finnegan: Whether the FTI is on a computer system
or on a piece of paper,
it must be tracked on a log from receipt to disposal.
Kevin Woolfolk: Thanks, Shawn.
Secure storage is the second of the key tenets.
What are the requirements for secure storage of FTI?
Shawn Finnegan: Secure storage is based on the concept
of minimum protection standards, or the two-barrier rule.
Basically, there must always be two barriers
between someone who is not authorized to see the FTI
and the information itself.
Megan Ripley: Let's talk a minute about storage of FTI.
Tangible items such as a piece of paper, folder,
or CD are usually locked in a filing cabinet
or secured in a locked office.
So the locked filing cabinet
and the locked office constitute your two barriers.
But during business hours,
the FTI may need to be outside of the locked cabinet.
So, in this instance,
an employee who is present at all times
while the FTI is in use
can serve as the second barrier.
This person should have their badge above their waist,
indicating they are agency personnel.
Shawn Finnegan: The two-barrier rule
applies to all agency locations.
It could be the headquarters office;
an alternate work site,
if personnel are allowed to work at home
or elsewhere outside the office setting;
certainly the computer facilities
where mainframes, servers, routers,
and switches are located; off-site storage,
where backup tapes are kept; and field offices.
Federal tax information housed
in any location within an agency
must have two barriers protecting it at all times.
Megan Ripley: One of the things we commonly see
when we do on-site reviews is a situation
where an agency is looking at the two barriers
from the outside in, beginning at the guards.
The two-barrier rule starts with the FTI
and proceeds from the inside out.
In other words, start at the FTI and look for what prevents it
from being accessed by someone who is not authorized.
It's likely that you'll never identify the guards
as one of your two barriers.
Remember, people enter your agency every day,
going past the guards.
However, they are not allowed in the area
where the FTI resides.
Look for the two barriers from the inside out.
Kevin Woolfolk: Thanks, Megan.
Again, that´s helpful information.
The two-barrier rule is a pretty common question
that we get when it comes to FTI and safeguarding FTI.
Why is limiting access, however,
such a key part of an effective security program?
Joi Bridgers: Restricting access is based on the premise
that only agency employees, agents,
and contractors who have a need to know
are allowed access to FTI.
Basically, need to know is based on position.
If you need federal tax information
to complete your job, then you have a need to know.
Restricting access to the greatest extent possible
makes FTI less vulnerable.
Megan Ripley: You can restrict access
by locking paper in a file cabinet,
by requiring key or card access to rooms where FTI is stored,
and through a secure log-in and password process
on the computer systems.
When mailing FTI, double package it to prevent exposure
if the outer packaging is damaged.
Always be mindful of the need-to-know aspect,
and grant access within your agency
to only those who have that need.
Shawn Finnegan: In some agencies,
contractors are not allowed access to FTI by statute.
In these agencies,
contractors may have access to any of your agency data,
but it is the agency's responsibility
to ensure the contractors never have access to FTI.
For example,
if a contractor comes in to repair a computer,
the contractor would need to be escorted at all times,
and security controls
must be in place protecting the FTI.
Kevin Woolfolk: An essential practice
in restricting access is a notification requirement
to alert others that data is, indeed, FTI and is restricted.
How are agencies expected to provide notification?
Joi Bridgers: I´ll be glad to explain that, Kevin.
Labeling is an important component
of restricting access to FTI,
whether it's stored electronically or on paper.
Labeling provides a warning that the data is restricted.
FTI must be clearly labeled as federal tax information
and handled in such a manner that it is not misplaced
or made available to unauthorized personnel.
Shawn Finnegan: Publication 1075 provides information
on how to order labels for paper documents
and backup tapes, and the appropriate language
needed for warning banners displayed on the screens
of computers providing access to FTI.
It makes sense that labeling all FTI
would deter unauthorized access.
Kevin Woolfolk: We've been talking about the key tenets
of safeguarding FTI for the last few minutes.
Obviously, it's important for those of us
who have access to data
to understand each of these tenets.
How does an agency impart that knowledge?
Megan Ripley: Agencies are required
to provide awareness training for their employees
to help them gain an understanding
of the agency's security policies
and procedures for safeguarding FTI.
The training must be provided before access to FTI is granted
and annually thereafter.
The requirements for the training
are in Publication 1075.
Joi Bridgers: Each employee who completes the training
must sign a form acknowledging their understanding
of the requirements to protect FTI
and the sanctions for unauthorized browsing
or unauthorized disclosure.
Your agency must retain these acknowledgement certificates
according to the retention schedule
in Publication 1075.
Kevin Woolfolk: After the training,
how does an agency verify
those individuals are following the security policies
and procedures for protecting FTI?
Shawn Finnegan: Agencies must conduct internal inspections,
which should be similar to our safeguards on-site reviews.
These inspections provide your agency with a way
to identify its compliance with Publication 1075 requirements.
Inspections must be conducted
at all locations where FTI resides.
Megan Ripley: The time frames for conducting these inspections
are listed in Publication 1075.
Templates are available on the Safeguards webpage of IRS.gov.
These templates must be notated and included
in the agency's annual Safeguards Security Report.
Kevin Woolfolk: Wow, another acknowledgement
of the Safeguards website.
How does an agency report its safeguarding efforts to us?
Joi Bridgers: Each agency must submit
an annual Safeguards Security Report.
The SSR describes the procedures established
and used for safeguarding.
The SSR is certified by the head of your agency,
indicating the agency's compliance
with safeguarding requirements.
Shawn Finnegan: Then, every six months, each agency
submits a corrective action plan,
which provides a status update on any findings
from the on-site review.
This documents the corrective actions completed
and those planned.
The IRS Safeguards Office
tracks the status of all findings
until they are closed.
Megan Ripley: Advance notification and approvals
must be submitted 45 days
before your agency secures contracting services
or begins specific IT infrastructure changes.
As the IT environment changes,
so do the requirements for notifications,
so be sure to check our website
and the current version of Publication 1075
to determine whether the activity
your agency is considering requires a notification.
Joi Bridgers: We answer technical inquiries
that your agency sends via e-mail regarding the processes
and procedures for safeguarding FTI.
Shawn Finnegan: If you discover a possible improper inspection
or disclosure of FTI,
and this could include a breach
or security incident of any kind,
the individual making the observation
or receiving information must contact TIGTA immediately.
TIGTA stands for
Treasury Inspector General for Tax Administration,
and their phone numbers are provided in Publication 1075.
The number you call will depend on your geographic location.
The contact should be made as soon as possible
but no later than 24 hours after the discovery.
Joi Bridgers: At the same time as the notification to TIGTA,
your agency must notify the Office of Safeguards by e-mail.
Even if all information is not available about the incident,
immediate notification is still the most important factor.
Review Publication 1075 for details
on how to report data incidents.
Megan Ripley: All reports, notifications,
technical inquiries, and data incidents
must be sent encrypted to SafeguardReports@IRS.gov
or through secure data transfer
if your agency has the capability.
Current templates and submission procedures
are available on our website.
Kevin Woolfolk: We talked earlier about recordkeeping
from receipt to destruction.
Are there requirements for destroying FTI?
Shawn Finnegan: Absolutely.
As important as it is to track the FTI received,
it is equally important to know
when and what FTI has been destroyed.
The agency must document the destruction
in their annual SSR
and provide a sample of the log used to record it.
Joi Bridgers: FTI may be disposed of
by destroying or returning it to the IRS,
as outlined in Publication 1075.
As FTI is increasingly maintained
in electronic systems,
destruction requirements are continually changing.
Check our website regularly
for any alerts and changes to these requirements.
Shawn Finnegan: Regardless of how the agency
is destroying the FTI,
the method must make it unreadable or unusable.
Kevin Woolfolk: Another consistent theme
seems to be logging, whether electronic or physical.
Joi, can agencies use the FTI for any agency purposes
once they receive it?
Joi Bridgers: No, Kevin. They cannot.
The Internal Revenue Code
is very direct on how agencies can use it.
They are prohibited from using FTI
for any purpose other than that authorized by statute.
Before the agency receives FTI,
the IRS must approve its intended use.
Part of the Safeguards on-site review is to verify
that the data is being used as approved.
Kevin Woolfolk: Deficiencies in computer security account
for 97% of the weaknesses
identified during Safeguards' on-site reviews.
Computer security methods are constantly changing.
Megan, can you tell us a bit about computer security
and how it applies to safeguarding FTI?
Megan Ripley: The focus of the computer security portion
of the on-site review
is based on requirements outlined
in the National Institute of Standards and Technology
Special Publication 800-53.
We review your agency´s IT security controls
using evaluation matrices and automated testing tools.
We also examine written documentation
and policies and procedures in your IT environment.
To be proactive with safeguarding,
your agency can verify that its IT systems
receiving, processing, storing, or transmitting FTI
are compliant with Publication 1075 requirements
by using the Safeguards computer security evaluation matrices
found on our website.
Shawn Finnegan: Logging and auditing are required
to effectively capture all access, modification, deletion,
and movement of FTI by each unique user.
This will identify any external breaches or suspicious activity.
Megan Ripley: Automated testing is performed on various systems
during an on-site review.
We use an industry-standard compliance
and vulnerability assessment tool
to evaluate the security of systems
that store, process, transmit,
or receive FTI.
This tool conducts the configuration compliance checks
using Center for Internet Security benchmarks
supplemented with IRS-specific requirements.
The audit files are available on our website.
Kevin Woolfolk: Shawn, are there any consequences
for the misuse of FTI?
Shawn Finnegan: Yes. There are two criminal penalties
associated with either or both unauthorized access
or unauthorized disclosures of FTI.
This applies to individuals
even after they're no longer employed with your agency.
There's a lifelong prohibition
from disclosing federal tax information.
The most severe penalty is for unauthorized disclosure,
which means that you were providing FTI to someone
who is not entitled to have it.
The penalty is five years,
a $5,000 fine, or both,
plus the cost of prosecution.
Joi Bridgers: The penalty for unauthorized access
is one year, a $1,000 fine, or both,
again with the cost of prosecution.
Unauthorized access is reviewing the data
when you are not entitled to look at it.
You can actually be guilty of both offenses
and prosecuted for both unauthorized disclosure
and unauthorized access.
Let´s not forget that taxpayers
who are harmed by unauthorized access
or unauthorized disclosure may seek civil damages.
The taxpayer may receive a minimum of $1,000
for each unauthorized access or disclosure
or actual damages, whichever is greater,
plus punitive damages and the cost of the action.
Shawn Finnegan: It is important to remember
that you, not your agency, are liable for these penalties.
Kevin Woolfolk: Wow, Shawn. Those are pretty significant penalties.
I definitely wouldn't want to run afoul of that.
In this segment, we will highlight
the technical requirements that are specific
to child support enforcement agencies.
The use of contractors
is becoming more prevalent in government today.
Joi, what do child support enforcement agencies
that use contractors
need to do to protect federal tax information?
Joi Bridgers: Child support enforcement agencies
may disclose limited federal tax information
to their agents and contractors.
The limited FTI consists of address, Social Security number,
and the amount of the federal refund offset.
Megan Ripley: If the agency is disclosing the FTI
to a contractor,
it must include specific language in the contract.
You´ll find that language in Publication 1075, Exhibit 7,
Contract Language for General Services.
This language officially notifies the contractor
of their requirement to protect FTI.
It also advises of the criminal and civil penalties
that will apply if data is misused.
Kevin Woolfolk: Well, is the FTI that's disclosed
to the noncustodial parent limited, as well?
Shawn Finnegan: A noncustodial parent has the right
to receive his or her own information,
even if it came from the IRS and is FTI.
There is no provision in the Internal Revenue Code
that prohibits an agency from providing a noncustodial parent
with their own federal tax information.
Kevin Woolfolk: That makes sense.
If it's my data, I have the right to see it.
Child support is frequently an issue in court proceedings.
Are there limitations on what can be disclosed in court?
Megan Ripley: In court proceedings,
a child support enforcement agency may provide the amounts
only after removing the source from all payments.
When the agency removes the source,
that protects it from disclosure,
even if the payment resulted from an IRS refund offset.
Remember, the source is the key.
Kevin Woolfolk: Thank you, Megan.
I would like to thank the panel for their discussion
on this important subject
of protecting federal tax information.
Their answers have given us insight into safeguarding.
We encourage you to visit our website
and review the current revision of Publication 1075.
Remember, when you're successful, we're successful.
I would like to turn this back to Joyce to close out.
Joyce Peneau: We all have a shared responsibility
to ensure that federal tax information
is disclosed only to those with a need to know
and only used as authorized by statute or regulation.
We at the IRS are confident in your diligence,
that you adhere to good security protocols,
that you are as vigilant as we are about protecting FTI
and using it appropriately.
As our IRS Disclosure Awareness Training video concludes,
I encourage you at all times
to ensure that the data you hold is secure and protected.
Please remember to follow the security requirements
within your agency.
Thank you for your time,
but most of all, thank you for your efforts
to protect the confidentiality of federal tax information.