Reporting and Tracking Improper Access and Disclosure of IRS Information 448-01-50-10-25

(Revised 11/1/14 ML #3418)

View Archives

 

 

The state and county social service offices must immediately report breaches of access and disclosure requirements applicable to IRS information to the:

 

• Director of Economic Assistance; and

 

• Treasury Inspector General for Tax Administration (TIGTA)

• Via phone to the regional office 312-886-0620, or to the hotline 800-366-4484.

 

• Or by mail to:

Treasury Inspector General for Tax Administration

Ben Franklin Station

PO Box 589

Washington, DC 20044-0589

• Office of Safeguards
  • Via e-mail to SafeguardReports@irs.gov
  • Or by mail to:

    Internal Revenue

    1111 Constitution Avenue NW

    Washington, DC 20224

 

The reporter is responsible for providing information until the process is complete.

NOTE: Disclosure means information given, without the consent of the recipient, to another agency or individual who does not require the information to determine eligibility for Economic Assistance or Health Care Coverage Programs.

 

When an improper disclosure of this information occurs, complete records will be kept of any disclosure of information obtained from IRS. A record of the disclosure must be reported to the Director of Public Assistance and retained for five years or the life of the records, whichever is longer. The record must include:

 

• Date and time of incident

• Date and time incident was discovered

• How the incident was discovered

• Description of the incident and data involved (include specific data elements if known but do not include client specific information)

• Potential number of Federal Tax Information records involved (if unknown provide a range if possible)

• The address where the incident occurred

• Information technology involved (laptop, server, mainframe)
• Do not include any FTI in the Data Incident Report

• Reports must be sent electronically and encrypted via IRS-approved encryption techniques. Use the term Data Incident Report in the subject line of the email

Note: Even if all information is not available, immediate notification is the most important factor, not the completeness of the Data Incident Report. Additional information must be provided to the Office of Safeguards as soon as it is available.