Mike Oser: Hello, everyone.
Thanks for joining us today and
welcome to the Annual Security
Summit and Safeguard Awareness
Briefing. I am Mike Oser, the
Associate Director of the IRS
Governmental Liaison Office. Our
office has been engaged with
your organization in the
Security Summit and the Identity
Theft Tax Refund Fraud
Information Sharing and Analysis
Center partnership that we refer
to as the ISAC.
This presentation was developed
by the IRS Privacy, Governmental
Liaison and Disclosure Office.
The purpose of this presentation
is to provide an overview to
industry, employees and
contractors on their
responsibilities in protecting
return information, including
federal return information that
is authorized for disclosure
under section 2003 of the
Taxpayer First Act of 2019. This
legislation enables our sharing
of Federal Tax Return
Information or FTI as we refer
to it, with our industry
partners in the ISAC, to detect
and prevent Identity Theft Tax
Refund Fraud.
I would like to introduce to you
today's presenters; Lynn Brennan
and Marilyn Jordan from our
Governmental Liaison Office;
Mary Brunelle from our
Disclosure Office; and Steve
Matteson, from our Office of
Safeguards.
Today, we will take you through
our agenda, which will cover the
background on the Taxpayer First
Act, and the topics that we will
be discussing in the
presentation. You will learn the
duties and responsibilities of
your organization related to
data sharing in the ISAC under
the Internal Revenue Code
6103(k)(14) of the Taxpayer
First Act.
The security basics for
protecting data in the
Disclosure, Safeguard and record
keeping requirements for the
data received. We will also
cover the consequences for
unauthorized access or
disclosures and the incident
reporting requirements that are
required under the statute.
In 2019, the Taxpayer First Act
was passed, which allows the
sharing of specific federal tax return information to specified
ISAC partners. The laws that
permit disclosure also require
its protection. Our ISAC
partners play a vital role in
safeguarding Federal Tax Return
Information by building
effective security controls into
your processes, procedures and
systems.
You're responsible for ensuring
that the information is
protected appropriately from the
time you receive it until the
time it is destroyed. The
American public expects two
things from both of us. First,
that we work together
proactively to be effective in
detecting and preventing Identity Theft Tax Refund Fraud,
and second, that we safeguard
their personal data.
A good security awareness
program is by far the most
effective and the least
expensive part of an overall
security program. For many of
you this may be a refresher on Disclosure Awareness related to
your Internal Revenue Code 7216 responsibilities, while for
others, this may be the first
time you've been exposed to the
concepts. Before we move into
the substance of the briefing,
we would like to thank you for
everything you do to protect the
confidentiality of Federal Tax
Information. The IRS values and
appreciates the great
partnership that we have with
you and your organization.
Next, I will turn it over to
Lynn Brennan, who will provide
some background information to
set the table for our briefing today.
Lynn Brennan: Thanks, Mike. Your
organization signed the TFA
industry Memorandum of
Understanding or MOU between the IRS and industry partners
regarding the Identity Theft Tax
Refund Fraud Information Sharing
and Analysis Center or ISAC.
We'll start off with some basic
background information around
disclosure, return information
also called Federal Tax
Information or FTI and the TFA
MOU.
What is return information?
Under Internal Revenue Code
7216, any client data received
by your organization is return
information and must be
protected. Under 6103, IRS
Federal Tax Information or FTI,
is any information collected or
generated by the IRS regarding
any person's liability or
possible liability.
Under 6103(k)(14) FTI received
by each industry partner becomes
subject to Section 7216 upon
receipt by the industry partner.
The TFA MOU between the IRS and
the industry describes the
specific tax return information
the IRS is allowed to share with
ISAC industry participants under
Internal Revenue Code
6103(k)(14). It also describes
the procedures and guidelines
established by the IRS for the
security protections, safeguards
and incident reporting that must
be implemented by the industry partner receiving FTI. Our
briefing today will cover these responsibilities and
requirements.
One of the requirements to
participate in the ISAC is that
an organization must first be a
member of the Security Summit,
and adhere to the membership
criteria, which includes
conducting an annual security
self-assessment. The security
self-assessment follows the
moderate baseline security
controls of the National
Institute of Standards and Technology or NIST. The IRS
provides feedback to industry
partners through one-on-one
sessions to gather critical
feedback, review the status of
implemented security and
compensating controls and
identify areas for the organization to improve its
security posture.
We encourage you to visit the
NIST website link provided on
this slide.
One of the ways the IRS together with our industry partners
ensures compliance with the MOU
and safeguarding requirement is
through the annual Safeguards
Security Form, where your
organization acknowledges and
attests to its need and use for
the FTI, limitations of the use
of the FTI.
Sharing only with those with a need to know in connection with
Identity Theft Tax Refund Fraud.
Your organization certifies that
responsible party, any person
handling FTI in the organization
have read and understand the
guidelines in Publication 4557.
The link in the slide will open
Publication 4557 if you want to
learn more about the guidelines.
Our ISAC industry partners must
comply with the FTC safeguards
rule to keep FTI secure and have
an information security plan in
place to protect FTI. As an
industry partner, employee or
contractor, you must comply with
the IRS e-file Safeguarding
taxpayer information
requirements detailed in the
most current version of
Publication 1345 found on
IRS.gov. Please view the link to
Pub 1345 for more detailed
information.
I will now hand it over to Mary
Brunelle to discuss Disclosure basics. Mary?
Mary Brunelle: Thank you, Lynn.
What does the term Disclosure
mean? The Internal Revenue Code
defines Disclosure as making
known of return or return
information to any person, in
any manner. We must be mindful
that when Congress gave IRS the
authority to disclose FTI, it
also provided IRS statutory
provision to protect the private
information of US citizens. The
law only allows FTI to be
disclosed to those who are
authorized and who have a need
to know.
If you need Federal Tax
Information to complete your job in relation to the detection or
prevention of Identity Theft
Taxpayer Fraud, validation of
taxpayer identity, authentication of taxpayer
returns or detection or
prevention of cybersecurity
threats, you have a need to
know. Part of the need to know
is the requirement to use the information for these specific
purposes. If you are not using
the information for these
purposes, then you do not have a
need to know. Under previously
enacted legislation, Internal
Revenue Code 7216, any client
information received by industry
partners was protected
information covered under
Internal Revenue Code 7216.
Now that you are receiving FTI
information under the TFA
legislation, this information
must also be protected in the
same manner.
The source of the information is
the key to knowing whether the
data is FTI. Regardless, whether
the information is FTI or 7216
covered data, you are required
to protect the confidentiality.
This is what you need to remember. If the source of the
information is your
organization's clients or
client's representative, it is
not FTI. However, it is covered
by the Internal Revenue Code
7216. But if the source of the
information is from the FTI
enclave in the ISAC the
information is FTI and is
covered by Internal Revenue Code
7216 once it is received by your
organization.
So, what happens when the
information from the return is
transferred to a different
format, document or computer
application, the nature of the
data does not change and it
still must be protected. Derived
FTI includes things like
photocopies, scanned data or
information transcribed into a
form, letter, application or a
spreadsheet. When there is any doubt ask yourself, where does
the data originate? If derived
from the ISAC as FTI it will
always remain FTI. What requires
FTI to be kept confidential?
Title 26 of the Internal Revenue
Code Section 6103 provides
exception to when FTI can be
disclosed. But TFA 6103(k)(14)
provision provides the authority
to disclose specific return
information to ISAC industry
partners. It also dictates that
the disclosed FTI must be held
confidential. With all this
information sharing comes with
great responsibility to protect
it.
So, as we discussed in the
previous slide, Internal Revenue
Code 6103 defines what is tax
return information and that it
must be kept confidential and
cannot be disclosed, except
under limited exceptions.
6103(k)(14) is the exception,
which allows the specific Return
Information or FTI to be
disclosed to the ISAC
participants that have the
appropriate agreement in place
with the IRS.
While this exception allows the
Disclosure to specified ISAC
participants, it also includes
the requirements to protect the
data. Anyone who has access to FTI must protect and safeguard
the data. Eligible industry
partners will receive from the
ISAC only the FTI specified in
Section 6103(k)(14), which we will see in more detail on the
next slide.
The chart on this slide details
the specific return information
that can be shared by the IRS
through ISAC under the authority
of Internal Revenue Code
6103(k)(14).
Our trusted third-party (MITRE)
will also be providing his
expertise and leveraging the
non-FTI information in the ISAC
to provide enrichment and
analytic results to the
specified industry members who
can receive FTI. The enrichment
and analytic process will
provide added value and
actionable data to our partners.
This will be an evolving
process. It is important to note
that the results of the
enrichment and analytics
performed by MITRE that contain
FTI, is FTI and must be
protected under the same responsibility and requirements.
I will now turn it over to
Marilyn Jordan to talk about
your responsibilities under
7216. Marilyn?
Marilyn Jordan: Thank you, Mary.
Your responsibilities under
Internal Revenue Code Section
7216 have not changed. The
Taxpayer First Act allows IRS to
share specific return
information with your
organization under code Section
6103(k)(14). This data becomes
subject to code Section 7216
once received by the industry
partner.
As an added responsibility and
to ensure that all of you who have access to and use FTI
understand your
responsibilities, you must
review annually the security and
safeguards materials provided by
the IRS and on our industry
partner's security, data
protection and safeguarding
requirements and
responsibilities pertaining to
the FTI shared under this code
section.
Being a recipient of FTI
information brings
responsibilities to safeguard
the return information and the
record keeping requirements for
the data. Safeguarding or protecting the data includes,
maintaining the confidentiality
of the FTI from receipt to
disposal, maintain the FTI
separate from other non-7216
information or to the extent
possible. Keep the FTI securely
stored to prevent unauthorized
access or use.
As important as it is to protect
tax return information, it is equally important to know when
and how to destroy tax return information. Destroying the FTI,
once there is no further need or
use for the return information,
it must be destroyed, adhering
at a minimum to the following
standards: Paper materials
generated from the FTI such as
copies, computer printouts,
notes or work papers must be shredded or burned.
Electronic media containing the
FTI data intended for reuse must
be destroyed by electromagnetic
erasing. If the electronic media
is not intended for reuse, it
must be destroyed by burning or
shredding. Mary will now discuss
disclosure requirements related
to the Identity Theft Tax Refund
Fraud, ISAC. Mary?
Mary Brunelle: Thank you,
Marilyn. Your responsibilities to protect tax return
information under Internal
Revenue Code 7216 have not
changed. You can find detailed responsibilities in IRS
Publication 1345.
Internal Revenue Code 7216
requirements also cover the
disclosure of return information
to a person under contract with
a tax return preparer in
connection with the programming,
maintenance, repair, testing or
procurement of equipment or
software used for purposes of
tax return preparation, only to
the extent necessary for the
person to provide the contracted
services, and only if the tax
return preparer ensures that all
individuals who are to receive
disclosures of tax return
information receive a written
notice that informs them of the
applicability of Section 6713
and 7216, and also describes the
requirements and penalties of
these sections.
Neither the IRS nor the industry
partner will disclose FTI in a
manner not authorized by law.
The industry partner will comply
with and is subject to sections
6713, 7213, 7213A and 7216. This
applies to you even when you are
no longer employed with your
organization. There is a
lifetime prohibition from the
unauthorized disclosure of tax
return information. We'll cover
this in more detail on the next
few slides.
There are consequences for the
misuse of tax return information
that includes several penalty
provisions. As an individual using the FTI, you must be aware
of the following penalty
provisions. Section 6713 imposes
a civil penalty for unauthorized
use or disclosure of tax return information. The penalty is $250
for each disclosure or use, and
a maximum penalty of $10,000.
There is an enhanced penalty for
improper use or disclosure
relating to identity theft, it
shall be applied by substituting
$1,000 for $250 and by
substituting $50,000 for $10,000.
Section 7213 makes the willful
unauthorized disclosure of FTI a
felony punishable by a fine of
up to $5,000 or imprisonment of
not more than five years or
both, together with the costs of
prosecution. Section 7213A makes
a willful unauthorized
inspection of returns or return
information a misdemeanor
punishable by a fine of up to
$1,000 or imprisonment of not more than one year or both,
together with the cost of
prosecution.
And Section 7216 has a maximum
criminal penalty of $1,000 for a knowing or reckless use or
disclosure of tax return
information and/or imprisonment
of not more than one year or
both together with the costs of
prosecution. The IRC 7216
penalty can be raised to
$100,000 if Section 6713(b)
applies. IRC section 6713(b) is
the enhanced penalty for
improper use or disclosure
relating to Identity Theft.
I will now turn it over to Steve Matteson to talk about incident
reporting. Steve?
Steve Matteson: Thank you, Mary.
On the next few slides, we're
going to cover incident
reporting procedures that all
the ISAC industry partners that
receive FTI must have in place
in accordance with this
legislation.
Your organization must have a
written policy, covering
Incident Management and Procedures that defines the
actions to be initiated if an
improper inspection or
disclosure occurs. This is
consistent with your
requirements under the Federal
Trade Commission's Safeguard
rule.
If you or any individual within
the organization discovers an
improper inspection or
disclosure, you must take action
as indicated in your
organization's procedures to
report the incident.
Immediate notification of an
incident is very crucial.
Notification should be made as
soon as possible, but no later
than the next business day.
It's also important to report data incidents to both the
Treasury Inspector General Field
Office or the Treasury Inspector General Cybercrimes Division at
the links provided or to the
hotline phone number from the
previous slide, as well as
reporting to the Office of Safeguards' mailbox at the
address on this slide.
The incident report should
include documentation of the
specifics of the incident or
breach known at the time to
include name of the industry
partner and point of contact for
resolving the data incident. A
description of the incident, the
date involved and how the
incident was discovered. Date, time and address, when and where
the incident occurred, the IT
systems are involved in the
incident, for example, laptop,
server, mainframe or email and
potential number of federal return information records that were involved.
Reports must be sent electronically and encrypted via
IRS-approved encryption techniques. Use the term data
incident report in the subject
line of the email. Do not
include any FTI in the data
incident report.
I will now turn it back over to Mike to close this out.
Mike Oser: Thank you, Steve. I hope that our presentation was of help in assisting you in
understanding your responsibilities and that of your organization in protecting,
securing and safeguarding
Federal Tax Information. We all
have a shared responsibility to
ensure that tax return
information is disclosed only to
those with a need to know and
only used as authorized by
statute or regulation. In
establishing the security and
safeguard requirements for our
industry partners, we aligned
your responsibilities to the
Taxpayer First Act legislation
and the return information
protection standards already
required under Internal Revenue Code 7216, the FTC safeguard rules and our Publication 1345
requirements.
We are confident in your
diligence in protecting FTI and
using it appropriately. We
encourage you to ensure that the
data you hold is secure and protected at all times.
It is important to emphasize that all of your employees and
contractors who access FTI in
the ISAC have reviewed this
presentation and understand it.
Please remember to follow the
security requirements within
your organization.
I know that we have covered a lot of material today. If you have any questions, please
contact Lynn Brennan at
lynn.m.brennan@irs.gov or at
(763) 347-7319. Lynn's contact
information is also listed on the slide number 39. Upon
receipt of your questions, we
will engage the appropriate IRS
subject matter experts and
provide a timely response. In
closing, I want to thank you for
your time today and for your
efforts to protect the
confidentiality of federal tax
information and thank you for
your valued partnership.