Joyce Peneau: Hello.
I am Joyce Peneau
from the IRS
Office of Safeguards.
Welcome to Safeguards Disclosure
Awareness Training.
The purpose of this video
is to provide training
for federal, state,
and local agency employees,
agents, and contractors.
The Office of Safeguards
verifies compliance
with 6103(p)(4)
safeguard requirements.
It does this
through the identification
and mitigation
of any risk of loss, breach,
or misuse
of federal tax information
by over 300 external
government agencies.
Each year, billions of pieces
of FTI are disclosed,
as the law allows.
The laws that permit disclosure
also require its protection.
We partner with each agency
to protect
federal tax information.
Our agency partners play
a vital role in safeguarding FTI
by building
effective security controls
into your processes, procedures,
and systems.
You are responsible
for ensuring the information
is protected appropriately
from the time you receive it
until the time it's destroyed.
The American public
expects two things
from both of us.
First, that we work together
proactively
to be as effective as possible,
and second, that we safeguard
their personal data.
A good security awareness
program is, by far,
the most effective
and the least expensive part
of the overall security program.
For many of you,
this is simply a refresher
on disclosure awareness,
while for others, this may be
the first time
you have been exposed
to the concepts.
Before we move
into the substance
of the discussion,
I would like to thank you
for everything you do
to protect the confidentiality
of federal tax information.
I truly appreciate it.
Kevin Woolfolk: Hello.
I'm Kevin Woolfolk,
and I'll be the moderator
for this discussion.
I have extensive experience
with the IRS
and have worked
in many capacities
within the Safeguards office.
Joining me as the panel
are Shawn Finnegan,
Chief of
Safeguard Review Team 2,
Megan Ripley,
lead computer security reviewer,
and Joi Bridgers,
program analyst.
Shawn, Joi,
and I have all served
as disclosure enforcement
specialists
in the safeguards operation
before moving
into our current positions.
We have all conducted
on-site reviews.
We're grateful
for the opportunity
to visit with you today.
We'll be discussing
several key concepts
that are used in protecting
federal tax information, or FTI.
It's up to us to protect
this sensitive information
while creating and cultivating
confidence in our agencies.
So let's get started.
We will begin our discussion
today
with a question
we're often asked.
Megan, what do we mean by
federal tax information, or FTI?
Megan Ripley: Kevin,
that's a very good question.
FTI consists of two things.
One, a tax return,
and two, return information.
FTI can be either or both.
FTI is any return
or return information received
from the IRS
or a secondary source such as
Social Security Administration,
Federal Office
of Child Support Enforcement,
Bureau of Fiscal Services,
or the Center of Medicare
and Medicaid Services.
FTI is also shared
under agreements allowed
by the statute or regulations.
Joi Bridgers: A tax return
includes all amendments,
supplements, supporting
schedules, attachments,
or lists filed
on paper or electronically
along with the return,
such as forms 1040, 941, 1120,
and other informational forms,
such as a Form 1099 or a W-2.
Kevin Woolfolk: So now
we know what is considered
FTI for the return.
What is return information?
Joi Bridgers: I'd like
to answer that, Kevin.
Return information, in general,
is any information
collected or generated
by the IRS regarding
any person's liability
or possible liability.
The Internal Revenue Code
defines return information
very broadly.
It includes,
but is not limited to,
the return itself,
as well as any information
that the IRS obtained
or developed
that relates
to the potential tax liability.
It could be from anywhere.
Shawn Finnegan: FTI
includes the information
extracted from a return,
including names of dependents,
the location of a business,
the taxpayer's name, address,
and identification number.
Even if identifiers
such as name, address,
and identification number
are deleted
from this information,
it is still considered FTI.
Megan Ripley:
We need to emphasize
that the definition
of return information
includes anything
relating to a tax account.
Return information
includes the status
of whether a return was filed,
if it's being processed,
if it is under examination,
if it's subject
to other investigation,
or in collection status.
It also includes information
contained on transcripts
of the taxpayer's account.
This information is all FTI.
Kevin Woolfolk: What about
the copies of tax returns
that clients
or their representatives
have given to the agency
to verify their data?
Are those returns
considered FTI?
Shawn Finnegan: No, Kevin.
Returns from clients
are not federal tax information.
Source is the key to knowing
whether or not the data is FTI.
The information
must be derived
from the IRS
or a secondary source,
as previously mentioned,
for it to be considered
federal tax information.
This is
what you need to remember.
If the source
is your agency's client
or a client's representative,
it is not FTI.
If the source is the IRS
or an IRS secondary source,
the information is FTI.
Kevin Woolfolk:
Megan, what happens
when the information
from the return
is transferred
to a different format, document,
or computer application?
Megan Ripley:
Agency personnel often forget
that any information
derived from the FTI
is considered
federal tax information
and must be safeguarded.
Derived FTI includes things
like photocopies, scanned data,
or information transcribed
into a form, letter,
application, or spreadsheet.
It could be something as basic
as a sticky note
where information from FTI
was jotted down
for quick reference.
The information
on the sticky note
then becomes FTI,
which requires safeguarding.
Shawn Finnegan: When there is
any doubt, ask yourself,
where did the data originate?
If the answer is IRS
or one of the secondary sources,
it is FTI
and must be safeguarded.
Kevin Woolfolk:
Joi, what requires FTI
to be kept confidential?
Joi Bridgers: Title 26
of the Internal Revenue Code,
section 6103,
gives the IRS the authority
to disclose FTI
to federal, state,
and local agencies.
It also dictates
that the disclosed FTI
must be held confidential.
IRS shares billions
of tax records each year
to increase compliance,
enforcement,
and service to taxpayers.
These records
help agencies generate
hundreds of millions of dollars
in revenue
and provide verification
for those requesting assistance.
With all this
information sharing
comes great responsibility
to protect it.
Kevin Woolfolk:
Joi, disclosure's
a running statement of law.
Please explain what the term
"disclosure" means.
Joi Bridgers:
The Internal Revenue Code
defines disclosure
as the making known
of a return or return information
to any person in any manner.
We must be mindful
that when Congress gave IRS
the authority to disclose FTI,
it also provided
IRS statutory provisions
to protect
the private information
of U.S. citizens.
The provisions
provide the foundation
for safeguarding FTI,
which is where agency personnel
and the Office of Safeguards
enter the picture.
Shawn Finnegan: The law
only allows FTI to be disclosed
to those who are authorized
and who have a need to know.
Kevin Woolfolk:
Thank you, Shawn.
Megan, can you please tell us
about Publication 1075
and why it's important
to the agencies who receive
federal tax information?
Megan Ripley:
Publication 1075,
Tax Information
Security Guidelines
for Federal, State,
and Local Agencies,
details the security
requirements for all agencies
that receive, process, store,
or transmit FTI.
Publication 1075,
for all intents and purposes,
is the guiding document
for the Office of Safeguards
and our agency partners.
It provides the information
needed
to meet the strict requirements
for requesting, receiving,
safeguarding,
and destroying FTI.
Joi Bridgers: The requirements
within the publication
originate from several
different sources:
the Internal Revenue Code, or IRC,
Section 6103,
IRS policy and procedures,
and the National Institute
of Standards and Technology
Special Publication 800-53.
These requirements are designed
for moderate-risk systems
and are the backbone
of information technology
confidentiality requirements.
Shawn Finnegan:
Each agency that receives
federal tax information
must become familiar
with Publication 1075
and its requirements.
It outlines all the policies
and procedures
for safeguarding FTI
within your agency.
Publication 1075
is periodically updated
and published electronically.
The latest version
is always available
in the Safeguard section
of the IRS website at IRS.gov.
Kevin Woolfolk:
Wow. That's really helpful
information, Shawn.
Megan,
could you please tell us more
about the Safeguard section
of the IRS website?
Megan Ripley: Certainly.
You can find comprehensive
information by going to IRS.gov
and searching for
the "Safeguards Program" page.
Type the words
"Safeguards Program"
into the search box.
We update the website often,
so I encourage you
to visit the page frequently
for most current information.
Our website has a lot
of useful features
and information you'll need.
It includes alerts,
technical information,
and computer security
requirements,
which are documented
in safeguards computer security
evaluation matrices.
Shawn Finnegan: You'll find
recommendations on how to comply
with Publication 1075
requirements,
templates
for internal inspections,
and guidance on
how to complete the forms.
Instructions for reporting
unauthorized accesses,
disclosures,
or data breaches
are on our site.
And a link
to this video is on the webpage
in case you need to revisit it
or share it
with new staff members.
Kevin Woolfolk:
That's great information.
It sounds like the Safeguards
website's a one-stop shop
for all of the safeguarding
information.
Now we´re going to examine
the key tenets of safeguarding.
The eight areas
of focus are as follows --
recordkeeping, secure storage,
restricting access,
employee awareness
and internal inspections,
reporting, disposal,
need and use,
and computer security.
Let's begin with recordkeeping.
Joi, can you please tell us a
little bit about recordkeeping?
Joi Bridgers: Recordkeeping
requires that each agency
maintain a system
of standardized records
or logs for all FTI.
Records and logs come into play
at the time
that the FTI is received,
and they must remain active
until the FTI is destroyed.
The logs may be in paper format,
or they may be electronic.
The recommended data elements
for the logs
and their retention schedule
are listed in Publication 1075.
An agency must be able
to show the movement of FTI
on their logs
as it flows through the process.
If you provide FTI to
the next person in the process,
you must log where it went.
And the next recipient,
or the new recipient,
must log that they received it.
Shawn Finnegan: Whether the FTI
is on a computer system
or on a piece of paper,
it must be tracked on a log
from receipt to disposal.
Kevin Woolfolk:
Thanks, Shawn.
Secure storage is the second
of the key tenets.
What are the requirements
for secure storage of FTI?
Shawn Finnegan: Secure storage
is based on the concept
of minimum protection standards,
or the two-barrier rule.
Basically, there must always
be two barriers
between someone who is not
authorized to see the FTI
and the information itself.
Megan Ripley: Let's talk
a minute about storage of FTI.
Tangible items such as
a piece of paper, folder,
or CD are usually locked
in a filing cabinet
or secured in a locked office.
So the locked filing cabinet
and the locked office
constitute your two barriers.
But during business hours,
the FTI may need to be
outside of the locked cabinet.
So, in this instance,
an employee who is present
at all times
while the FTI is in use
can serve as the second barrier.
This person should have
their badge above their waist,
indicating
they are agency personnel.
Shawn Finnegan:
The two-barrier rule
applies to all agency locations.
It could be
the headquarters office,
an alternate work site
if personnel are allowed
to work at home
or elsewhere
outside the office setting,
certainly
the computer facilities
where mainframes,
servers, routers,
and switches are located,
as well as off-site storage,
where backup tapes are kept,
and field offices.
Federal tax information housed
in any location
within an agency
must have two barriers
protecting it at all times.
Megan Ripley: One of the things
we commonly see
when we do on-site reviews
is a situation
where an agency is looking
at the two barriers
from the outside in,
beginning at the guards.
The two-barrier rule
starts with the FTI
and proceeds
from the inside out.
In other words, start at the FTI
and look for what prevents it
from being accessed by someone
who is not authorized.
It's likely that you'll never
identify the guards
as one of your two barriers.
Remember, people
enter your agency every day,
going past the guards.
However,
they are not allowed in the area
where the FTI resides.
Look for the two barriers
from the inside out.
Kevin Woolfolk:
Thanks, Megan.
Again,
that's helpful information.
The two-barrier rule
is a pretty common question
that we get when it comes
to FTI and safeguarding FTI.
Why is limiting access, however,
such a key part of
an effective security program?
Joi Bridgers: Restricting access
is based on the premise
that only agency employees,
agents,
and contractors
who have a need to know
are allowed access to FTI.
Basically, need to know
is based on position.
If you need
federal tax information
to complete your job,
then you have a need to know.
Restricting access
to the greatest extent possible
makes FTI less vulnerable.
Megan Ripley:
You can restrict access
by locking paper
in a file cabinet,
by requiring key or card access
to rooms where FTI is stored,
and through a secure log-in
and password process
on the computer systems.
When mailing FTI, double package
it to prevent exposure
if the outer packaging
is damaged.
Always be mindful
of the need-to-know aspect,
and grant access
within your agency
to only those
who have that need.
Shawn Finnegan:
In some agencies,
contractors are not allowed
access to FTI by statute.
In these agencies,
contractors may have access
to any of your agency data,
but it is the agency's
responsibility
to ensure the contractors
never have access to FTI.
For example,
if a contractor comes in
to repair a computer,
the contractor would need
to be escorted at all times,
and security controls
must be in place
protecting the FTI.
Kevin Woolfolk:
An essential practice
in restricting access
is a notification requirement
to alert others that data is,
indeed, FTI and is restricted.
How are agencies expected
to provide notification?
Joi Bridgers: I´ll be glad
to explain that, Kevin.
Labeling
is an important component
of restricting access to FTI,
whether it´s stored
electronically or on paper.
Labeling provides a warning
that the data is restricted.
FTI must be clearly labeled
as federal tax information
and handled in such a manner
that it is not misplaced
or made available
to unauthorized personnel.
Shawn Finnegan: Publication 1075
provides information
on how to order labels
for paper documents
and backup tapes,
and the appropriate language
needed for warning banners
displayed on the screens
of computers
providing access to FTI.
It makes sense
that labeling all FTI
would deter unauthorized access.
Kevin Woolfolk: We´ve been
talking about the key tenets
of safeguarding FTI
for the last few minutes.
Obviously, it´s important
for those of us
who have access to data
to understand
each of these tenets.
How does an agency
impart that knowledge?
Megan Ripley:
Agencies are required
to provide awareness training
for their employees
to help them gain
an understanding
of the agency's
security policies
and procedures
for safeguarding FTI.
The training must be provided
before access to FTI is granted
and annually thereafter.
The requirements
for the training
are in Publication 1075.
Joi Bridgers: Each employee
who completes the training
must sign a form acknowledging
their understanding
of the requirements
to protect FTI
and the sanctions
for unauthorized browsing
or unauthorized disclosure.
Your agency must retain these
acknowledgement certificates
according
to the retention schedule
in Publication 1075.
Kevin Woolfolk:
After the training,
how does an agency verify
those individuals are following
the security policies
and procedures
for protecting FTI?
Shawn Finnegan: Agencies must
conduct internal inspections
which should be similar to
our safeguards on-site reviews.
These inspections
provide your agency with a way
to identify its compliance with
Publication 1075 requirements.
Inspections must be conducted
at all locations
where FTI resides.
Megan Ripley: The time frames
for conducting these inspections
are listed in Publication 1075.
Templates are available on
the Safeguards webpage on IRS.gov.
These templates must be notated
and included
in the agency´s annual
Safeguards Security Report.
Kevin Woolfolk: Wow,
another acknowledgement
of the Safeguards website.
How does an agency report
its safeguarding efforts to us?
Joi Bridgers:
Each agency must submit
an annual
Safeguards Security Report.
The SSR describes the procedures
established
and used for safeguarding.
The SSR is certified by the head
of your agency,
indicating
the agency's compliance
with safeguarding requirements.
Shawn Finnegan: Then,
every six months, each agency
submits
a corrective action plan,
which provides a status update
on any findings
from the on-site review.
This documents
the corrective actions completed
and those planned.
The IRS Safeguards Office
tracks the status
of all findings
until they are closed.
Megan Ripley: Advance
notification and approvals
must be submitted 45 days
before your agency secures
contracting services
or begins specific
IT infrastructure changes.
As the IT environment changes,
so do the requirements
for notifications,
so be sure to check our website
and the current version
of the Publication 1075
to determine
whether the activity
your agency is considering
requires a notification.
Joi Bridgers: We answer
technical inquiries
that your agency sends via
e-mail regarding the processes
and procedures
for safeguarding FTI.
Shawn Finnegan: If you discover
a possible improper inspection
or disclosure of FTI,
and this could include a breach
or security incident
of any kind,
the individual
making the observation
or receiving information
must contact TIGTA immediately.
TIGTA stands for
Treasury Inspector General
for Tax Administration,
and their phone numbers are
provided in Publication 1075.
The number you call will depend
on your geographic location.
The contact should be made
as soon as possible
but no later than 24 hours
after the discovery.
Joi Bridgers: At the same time
as the notification to TIGTA,
your agency must notify the
Office of Safeguards by e-mail.
Even if all information is not
available about the incident,
immediate notification is still
the most important factor.
Review Publication 1075
for details
on how to report data incidents.
Megan Ripley:
All reports, notifications,
technical inquiries,
and data incidents
must be sent encrypted
to SafeguardReports@IRS.gov
or through secure data transfer
if your agency
has the capability.
Current templates
and submission procedures
are available on our website.
Kevin Woolfolk: We talked
earlier about recordkeeping
from receipt to destruction.
Are there requirements
for destroying FTI?
Shawn Finnegan: Absolutely.
As important as it is
to track the FTI received,
it is equally important to know
when and what FTI
has been destroyed.
The agency
must document the destruction
in their annual SSR
and provide a sample
of the log used to record it.
Joi Bridgers:
FTI may be disposed of
by destroying
or returning it to the IRS,
as outlined in Publication 1075.
As FTI
is increasingly maintained
in electronic systems,
destruction requirements
are continually changing.
Check our website regularly
for any alerts and changes
to these requirements.
Shawn Finnegan:
Regardless of how the agency
is destroying the FTI,
the method must make it
unreadable or unusable.
Kevin Woolfolk:
Another consistent theme
seems to be logging,
whether electronic or physical.
Joi, can agencies use the FTI
for any agency purposes
once they receive it?
Joi Bridgers:
No, Kevin. They cannot.
The Internal Revenue Code
is very direct
on how agencies can use it.
They are prohibited
from using FTI
for any purpose other
than that authorized by statute.
Before the agency receives FTI,
the IRS must approve
its intended use.
Part of the Safeguards
on-site review is to verify
that the data is being
used as approved.
Kevin Woolfolk: Deficiencies
in computer security account
for 97% of the weaknesses
identified during
Safeguards' on-site reviews.
Computer security methods
are constantly changing.
Megan, can you tell us a bit
about computer security
and how it applies
to safeguarding FTI?
Megan Ripley: The focus
of the computer security portion
of the on-site review
is based on requirements
outlined
in the National Institute
of Standards and Technology
Special Publication 800-53.
We review your agency´s
IT security controls
using evaluation matrices
and automated testing tools.
We also examine
written documentation
and policies and procedures
in your IT environment.
To be proactive
with safeguarding,
your agency can verify
its IT systems
receiving, processing, storing,
or transmitting FTI
are compliant with
Publication 1075 requirements
by using the Safeguards computer
security evaluation matrices
found on our website.
Shawn Finnegan: Logging
and auditing are required
to effectively capture all
access, modification, deletion,
and movement of FTI
by each unique user.
This will identify any external
breaches or suspicious activity.
Megan Ripley: Automated testing
is performed on various systems
during an on-site review.
We use an industry-standard
compliance
and vulnerability
assessment tool
to evaluate
the security of systems
that store, process, transmit,
or receive FTI.
This tool conducts the
configuration compliance checks
using Center for Internet
Security benchmarks
supplemented
with IRS-specific requirements.
The audit files are available
on our website.
Kevin Woolfolk: Shawn,
are there any consequences
for the misuse of FTI?
Shawn Finnegan: Yes.
There are two criminal penalties
associated with unauthorized access,
unauthorized disclosure of FTI,
or both.
This applies to individuals
even after they're no longer
employed with your agency.
There's a lifelong prohibition
from disclosing
federal tax information.
The most severe penalty
is for unauthorized disclosure,
which means that you were
providing FTI to someone
that is not entitled to have it.
The penalty is five years,
a $5,000 fine, or both,
plus the cost of prosecution.
Joi Bridgers: The penalty
for unauthorized access
is one year, a $1,000 fine,
or both,
again with the cost
of prosecution.
Unauthorized access
is reviewing the data
when you are not entitled
to look at it.
You can actually be guilty
of both offenses
and prosecuted
for both unauthorized disclosure
and unauthorized access.
Let´s not forget that taxpayers
who are harmed
by unauthorized access
or unauthorized disclosure
may seek civil damages.
The taxpayer may receive
a minimum of $1,000
for each unauthorized access
or disclosure
or actual damages,
whichever is greater,
plus punitive damages
and the cost of the action.
Shawn Finnegan:
It is important to remember
that you, not your agency,
are liable for these penalties.
Kevin Woolfolk:
Wow, Shawn. Those are pretty
significant penalties.
I definitely wouldn't want
to run afoul of that.
I would like to thank the panel
for their discussion
on this important subject
of protecting
federal tax information.
Their answers have given us
insight into safeguarding.
We encourage you
to visit our website
and review the current revision
of Publication 1075.
Remember, when you're
successful, we´re successful.
I would like to turn this back
to Joyce to close out.
Joyce Peneau: We all have
a shared responsibility
to ensure
that federal tax information
is disclosed only
to those with a need to know
and only used as authorized
by statute or regulation.
We at the IRS are confident
in your diligence,
that you adhere
to good security protocols,
that you are as vigilant
as we are about protecting FTI
and using it appropriately.
As our IRS Disclosure Awareness
Training video concludes,
I encourage you at all times
to ensure that the data you hold
is secure and protected.
Please remember to follow
the security requirements
within your agency.
Thank you for your time,
but most of all,
thank you for your efforts
to protect the confidentiality
of federal tax information.