- Why are you taking this training?
- What is federal tax information (FTI)?
- What FTI is not
- Access to/Disclosure of FTI
- Restricted Area
- Authorized Access List: Division, BTS and Contract Staff with a Need-to-Know
- Need and Use
- Why won’t FTI be in BLIS or Arts?
- Unauthorized Access and Disclosure
- Criminal Penalties for Misuse
- Civil Penalties for Misuse
- Summary of Penalties
- Penalties after Employment
- Is this really that serious?
- How will I know it’s FTI?
- Secure Storage of FTI
- Protecting FTI
- FTI Record Keeping
- Printing FTI
- Mailing FTI
- Paper Destruction
- Computer Security
- Emailing and FAXing FTI
- Unauthorized Technologies
- FTI Electronic Destruction
- What if I see something that looks wrong, e.g., unusual circumstances or potential events?
The IRS requires annual federal tax information (FTI)* training for all staff who work with FTI or who work in an office where they may have incidental contact with FTI. This includes Revenue personnel, Compass Computing, Water Bureau, Office for Community Technology, FAST Enterprises, Triad, VanderHouwen, and any other non-Revenue Division (Division) staff working in the Division Secure Work Area on a full-time, long-term basis on the approval of the Division Director. This training includes:
- General security awareness training through CityLearner
  - Social engineering
  - Hardware and software best security practices as a user
- Disclosure awareness training
  - What FTI is
  - How to keep FTI confidential and meet IRS requirements
  - Civil and criminal penalties for the misuse of FTI
You are reading the disclosure awareness training.
To receive FTI from the IRS, the Division must build effective security controls into processes, rules, and systems to protect FTI. These protections continue from the time the Division receives FTI until FTI is destroyed.
If you have access to FTI or support FTI systems, this training provides a stepping stone toward certifying your access. Your manager or supervisor will inform you if your work assignment involves FTI. If so, the IRS Liaison & Disclosure Officer (DO) will schedule additional role-based training with you.
Even if you don’t have access, you must understand what FTI is and what to do if you encounter it.
Everyone protects FTI - not just people with access.
*The merging of FTI into expanded Division workflows will happen gradually, beginning with Phase 1 of the Integrated Tax System (ITS) project (August 2019 – August 2020), and will pick up speed as ITS progresses toward maturity in future years. This training will be updated in tandem with ITS project phases.
FTI is information received directly from the IRS. It includes:
- Returns: any tax or information return (paper or electronic), estimated tax declaration, or refund claim (e.g., 1040, 941, 1120, and other informational forms, such as 1099 or W-2). Forms include supporting schedules, attachments, or lists that are supplemental to or part of such a return
- Return information: any information collected or generated by the IRS regarding any person’s liability or possible liability, including but not limited to:
  - Information, including a return, that the IRS obtained that relates to the potential liability of any person under the law for any tax, penalty, interest, fine, forfeiture, or other imposition or offense
  - Information extracted from a return, including names of dependents or business address
  - Taxpayer’s name, address, and identification number
  - Information collected by the IRS about any person’s tax affairs, even if identifiers, such as name, address, and identification number, are deleted
  - Status of whether a return was filed, under examination, or subject to other investigation or processing, including collection activities
  - Information contained on transcripts of accounts
- Products created from FTI
  - Doing Business letters
  - Audit adjustment letters
  - Data-modeling summaries of potential recoveries in a certain compliance area
  - Notes regarding an FTI tax case that mention data elements received from IRS
  - In other words, anything, physical or virtual, derived from FTI is also FTI
FTI does not include:
- Information provided directly by the taxpayer or third parties, e.g., copies of tax returns and supporting documents
- Information in BLIS, Arts or other Division applications
Unauthorized access to/disclosure of FTI is prohibited. The Division uses FTI for tax administration purposes, per Internal Revenue Code (IRC) 6103.
All FTI-related work happens in the Restricted Area. Where is the Restricted Area*? When entering the Secure Work Area through the hallway door directly opposite the Suite 600 public restrooms, the Restricted Area is located behind the first, and only, locked door on the left.
The Restricted Area has a large sign posted on the door. This sign describes the penalties for unauthorized access.
Only people on the “NO ESCORT NEEDED” section of the Authorized Access List (people with a business need-to-know), a formal assignment to the Governmental Liaison Data Exchange Program (GLDEP, another acronym for the IRS data exchange program), and approval from the DO have badge access to the Restricted Area. Entry into the Restricted Area is monitored by various means, including badge scans, real-time video, motion sensors, and door alarms.
People with a less frequent, but still regular, need to enter the Restricted Area for technical support are on the “MUST BE ESCORTED” section of the Authorized Access List. These people do not have badge access and must be escorted into the Restricted Area by someone on the “NO ESCORT NEEDED” section.
All other people are considered guests. The Disclosure Officer must approve all guest entry into the Restricted Area.
*The ITS project will expand the Restricted Area, possibly to the entire Secure Work Area.
Limiting FTI access to people on a need-to-know basis reduces opportunities for unauthorized access to or unauthorized disclosure of FTI.
Under need-to-know restrictions, even if someone has the authority to access FTI, the person should only exercise that authority if it's necessary to complete official duties.
These are the only people with a need-to-know who are authorized to enter the Restricted Area unescorted (current as of 10/18/2019):
- Seth Kabala, Revenue, IRS Liaison and Disclosure Officer (DO)
- Tyler Wallace, Revenue, Tax Division Manager (TDM)
- Scott Karter, Revenue, Back-up Liaison and Disclosure Officer (BDO), Audit & Accounting Division Manager
- Adrienne Brown-Dunn, Revenue, Tax Supervisor
- Thomas Carrasco, Revenue, RTS IV
- Nayeli Serna-Flores, Revenue, RTS IV
- Iana Spada, Revenue, RTS III
- Kelly Jones, Revenue, Business Systems Analyst II
- Tressa Barclay, Revenue, Business Systems Analyst II
- Kita Xayachack-Fraser, Revenue, Business Systems Analyst I
These people are authorized to enter the Restricted Area if escorted by someone on the previous list:
- Christopher Paidhrin, BTS, Information Security Manager
- Brian Ventura, BTS, Information Security Architect
- Dean Musson, BTS, Information Security Architect
- Mike Lamb, BTS, Server Team Supervisor
- Mike Nichols, BTS, Server Team Support
- David Carter, BTS, Server Team Support
- [vacant], BTS, Database Supervisor
- Mark Krampits, BTS, Database Team Support
- Hanh Matthews, BTS, Database Team Support
- Chenai Nziramasanga, BTS, Desktop Team Supervisor
- Thai Nguyen, BTS, Desktop Team Support
- Armin Sedaghat, BTS, Desktop Team Support
- Erin Poole, BTS, Communications Manager
- Cameron Rutis, BTS, Network Team Support
- Matt Cavaness, BTS, Network Team Support
- Frank Bubenik, Compass Computing, Legacy Software Development
- Rachele Gorsegner, Revenue, Interim BSD Manager, ITS Project Manager
- Thomas Lannom, Revenue, Director
*This list changes frequently. Check with DO for the current list.
Revenue's FTI uses are limited per IRC 6103 and other requirements, which are described in Revenue’s agreements with the IRS.
Prohibited activities from non-FTI staff: ad hoc queries, requests for information, BSA requests, and requests to view tax records (including your own).
All requests to explore a data extract must originate from managers and supervisors with GLDEP assignment privileges. Managers and supervisors take their requests directly to the TDM and DO. The TDM and DO will decide whether the request is compliant with existing IRS agreements. If a request is non-compliant, the TDM and DO will determine whether to request a change to Revenue's IRS agreement.
Accepted FTI requests will go through the FTI work process flow.
Requestors may not discuss requests with non-FTI staff*.
*In ITS, all staff working in the Division Secure Work Area will also be GLDEP staff. However, not all staff will have GLDEP assignments. If you have a GLDEP assignment, i.e., one that involves the use of FTI, you may only discuss your assignment with other GLDEP staff with a need-to-know.
Due to disclosure regulations, information security requirements, and commingling restrictions, the Division will not integrate FTI into BLIS, Arts, or any other legacy application* that does not already contain FTI. Federal Tax Information Management Application (FTIMA, the Division’s legacy FTI processing software) is the lone exception.
FTI does not lose its character even if it is verified by a third party (e.g., taxpayer). Verification means we acquired identical information from a non-IRS source. Said identical information is not subject to FTI regulations. The source FTI that was verified, however, remains FTI until the end of time. If we loaded FTI into our existing information system applications, our business processes would be subject to all IRS requirements, including computer systems and system behaviors, a more restrictive clean desk policy**, and other security requirements.
*ITS will integrate FTI seamlessly into select compliance programs hosted in GenTax. In ITS, the Division will host FTI on offsite servers. These servers will make FTI available through GenTax at any authorized employee or contractor’s workstation.
**ITS will bring new, more restrictive policies to life. These new policies are in draft form. All managers and supervisors are part of a working group to advance these to publication when ITS goes live.
Unauthorized access* occurs when an entity or person receives or has access to FTI without authority. Access to FTI is permitted only to people who need FTI to perform their official duties.
Unauthorized disclosure occurs when FTI or access to FTI is given to an entity or person who has neither authority nor a need-to-know. FTI must never be improperly disclosed.
Be aware that you cannot access or disclose FTI unless the access or disclosure is authorized by law and the DO.
Unauthorized access or disclosure could subject you to criminal penalties or civil liability.
*Inadvertent access by staff working in the Restricted Area is incidental contact (a term the IRS recognizes), not unauthorized access or unauthorized disclosure. In ITS, incidental contact may occur when, e.g., someone working in the Secure Work Area who does not have a GLDEP assignment accidentally catches a passing glance of someone’s screen that was displaying FTI. Because the person without a need-to-know was trained per IRS specifications (what you’re doing right now + security awareness training + a background check + confidentiality oath), such occurrences of incidental contact may be considered Events (discussed later in this training, handled internally) but will not rise to Incidents (also discussed later, requires a report to IRS) unless evidence dictates otherwise.
Unauthorized access or inspection (UNAX): IRC 7213A
Willful unauthorized access or inspection (UNAX) of taxpayer records by an employee/contractor or former employee/contractor is a MISDEMEANOR. This applies to both paper documents and electronic information. The penalty can be a FINE of up to $1,000 and/or up to one (1) year in PRISON.
Unauthorized disclosure: IRC 7213
Willful unauthorized disclosure of returns or return information by an employee/contractor or former employee/contractor is a FELONY. The penalty can be a FINE of up to $5,000, or up to five (5) years in JAIL, or BOTH, PLUS the cost of prosecution.
A taxpayer whose return or return information has been knowingly or negligently inspected or disclosed by an entity or person may seek civil damages.
A taxpayer may initiate action in district court for damages where there is unauthorized inspection or disclosure. The taxpayer may receive damages of $1,000 for each unrestricted access or disclosure, or actual damages, whichever is greater, PLUS punitive damages (in cases of willful or gross negligence), and the cost of the action (court costs).
IRC Section 7213
- Up to $5,000 fine
- Imprisonment up to 5 years
- Cost of prosecution
- Damages (see IRC 7431)
IRC Section 7213A
- Up to $1,000 fine
- Imprisonment up to 1 year
- Cost of prosecution
- Damages (see IRC 7431)
IRC Section 7431
Damages may include:
- $1,000 per act
- Actual damages
- Punitive damages
- Cost of legal action
- Attorney fees
Even after you leave Division employment (or working as a service provider, project manager, contractor, etc.), you are still responsible for maintaining the confidentiality of the information to which you had access during your employment.
Fines and penalties still apply to you as a former employee or contractor.
The IRS wants you to understand what's at stake.
Knowing what FTI is, what it looks like, and how it's handled helps protect sensitive taxpayer information from misuse and upholds the public’s trust in the Division. Further, if the IRS isn’t satisfied with the Division’s safeguarding of FTI, IRS could revoke our access. Revocation would cost the City millions of dollars per year in lost tax recoveries directly related to FTI data matches and audit leads.
You must report activities that deviate from Division policies.
If you see something you think looks wrong, it's your duty to report it!
Any document or computer system (including system hardware) containing or processing FTI must be labeled as such.
Unless you are on the Authorized Access List, you should not encounter FTI. However, it is important to be able to identify FTI should it be found outside the Restricted Area.
FTI must be handled in a special way to prevent UNAX.
FTI must be stored within the Restricted Area*, where no one, other than staff authorized to work with FTI, may have access.
*ITS will store electronic FTI off-site on FAST Enterprises servers. Paper FTI will be kept to an absolute minimum and stored securely in the Restricted Area.
To meet the minimum IRS protection standards, the Division must enforce a Secure Work Area as defined by RB-6*, Workplace Access. The Division is updating the Workplace Access policy due to numerous changes to the make-up of staff using the Division’s Secure Work Area, e.g., Water Bureau, Office for Community Technology, Compass Computing, FAST Enterprises, Triad, and VanderHouwen.
Changes include redefining Common Areas, Restricted Area, and Secure Work Area.
Facilities Access (white) and Authorized Movement (green) Badges
- Worn above the waist always
- If lost, notify the DO immediately
- Sign in and out using the paper log at the Front Counter**
- Wear a visitor badge (red) and be escorted continuously while visiting the Division Secure Work Area
A holder of a white badge or green badge may escort a red badge anywhere in the Secure Work Area. DO authorization is required before entering the Restricted Area.
*As ITS progresses, we may go through several versions of RB-6.
**The Division is working with BTS to bring back the iPad sign-in app.
Protect all confidential information: Remember your Security Awareness Training
- Label and lock up files, notes, and documentation containing FTI when not in use
- Follow security steps in RB-14, Cash and Personally Identifiable Information Security
- Lock computer screen when not in line-of-sight. To lock:
  - Depress and hold the Windows icon key
  - Press “L” key
  - Release both keys simultaneously
- No password sharing
- No writing down passwords and storing in places accessible to others
- Division recommends using a password-protected password manager on your personal device of choice
Never leave FTI unattended in the Restricted Area.
Never remove FTI from the Restricted Area unless as part of a defined business process, e.g., mailing a Doing Business letter.
FTI is tracked and monitored from the time it is received until it is destroyed or returned to the IRS.
The IRS requires GLDEP agencies to monitor physical and IT security, including, but not limited to, visitor and door logs, changes to the IT environment, all user and system interactions with electronic FTI, chain of custody for all products created from FTI, Incidents, and Events.
Due to extensive record keeping and data protection requirements, printing FTI is discouraged unless absolutely necessary. There must be a business need for printing FTI, e.g., mailing a Doing Business letter. FTI must be clearly labeled and printed on gray FTI paper.
After printing, FTI must be tracked, including who has access and when and how FTI was destroyed.
An FTI letter must be:
- Addressed to the taxpayer of record or their authorized representative, e.g., POA
- Documented on a transmittal form
Mailed FTI must be transported in two sealed envelopes (or containers), one inside the other, only if transported from one GLDEP agency office to another office within that same GLDEP agency, e.g., if the Division had an eastside office and needed to courier paper FTI from downtown to eastside, the two-barrier standard would apply. However, since the Division is the only City office that receives FTI, and we share one contiguous office space, mailing FTI in two envelopes is not, at this time, required.
All paper must be destroyed using an IRS-approved method such as shredding, pulping (after shredding), or burning.
Disposal is logged.
All computer actions are logged and monitored.
The IRS requires specific computer settings and will audit settings to make sure they meet requirements.
System settings need checking after an upgrade or system change to make sure the upgrade did not create a security vulnerability.
All system updates must be logged. These are run-and-maintain-style events, such as bug fixes and security patches that manufacturers and developers release on a regular schedule.
All system changes that add/remove functionality and materially alter system appearance and operation must be logged and follow standard change control methodologies. The Division has a Change Control Board that oversees material system alterations.
Issues (e.g., non-compliant security configurations, unclear policies, inefficient processes) are tracked on the Plan of Action & Milestones from inception through resolution. This is the Division’s internal audit record of GLDEP issue identification and remediation. We use this to proactively fix problems before the IRS finds them. IRS audits us every three years to check compliance with federal information security regulations.
Emailing and/or FAXing FTI are prohibited.
Processing FTI outside the Restricted Area is prohibited*.
FTI cannot be used with other technologies, such as flash drives, cameras, tablets, cell phones, via remote access, discussed on an Avaya (VOIP) phone, transmitted wirelessly or to the cloud, or used on multi-functional devices (e.g., a printer that also serves as a scanner and FAX machine).
*The Division is updating all workplace policies and procedures in conjunction with ITS. Some policies may change to allow more technologies to process FTI than current policies allow.
When the Division no longer uses a given FTI element, and we cannot justify our need to keep it, we must destroy said FTI using an approved IRS method, e.g., shredding paper to near dust levels, running software data overwriting programs, pulverizing hard drives in a conical press.
It's your responsibility to respond to Events.
Event has a specific definition in the Division’s FTI Incident Response Plan (under revision). Event: An action or circumstance that represents a policy deviation and that may lead to UNAX.
Anyone who thinks they have seen, or received information about, a possible disclosure of or unauthorized access to FTI must immediately tell the DO. If the DO is out-of-office or otherwise unreachable, contact the BDO.
The DO will ask you to give as much detail as possible about the alleged Event. The DO investigates all reports of Events, determines if an Event has occurred, and further determines if an Event has escalated to an Incident.
Incident also has a specific definition in the Incident Response Plan. Incident: UNAX has occurred or, based on the evidence, UNAX likely has occurred.
Classification of a reported Event as an actual Event, or escalation of an Event to an Incident, is at the discretion of the DO and Division Executive Team.
The DO reports all Incidents to the IRS Regional Inspector or the Treasury Inspector General for Tax Administration (TIGTA).
Events that could escalate to Incidents:
- FTI on the FAX machine
- FTI in a conference room
- FTI in a shred bin
- FTI on a desk
- FTI in BLIS or Arts
- Someone showing FTI to a friend or colleague without a need-to-know
- People talking about FTI accounts / FTI taxpayers (by name) outside the Restricted Area