Revision 24-3; Effective July 1, 2024
All Programs
FTI security incidents include loss of control, unauthorized access, unauthorized disclosure or unauthorized inspection. Upon discovering an actual or possible compromise of IRS FTI or an unauthorized inspection or disclosure of IRS FTI, including breaches and security incidents, the person observing or receiving the information must immediately contact the HHSC IRS coordinator within 24 hours of initial discovery. Send a secure email with the subject line "Urgent: FTI Data Incident Report" to the HHSC IRS Coordinator Mailbox.
The HHSC IRS Coordinator reports the incident by:
- contacting the office of the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA); and
- following the IRS Office of Safeguards, as directed in Section 10.2 of IRS Publication 1075.
In the event the HHSC IRS coordinator fails to respond by the close of the next business day, staff immediately inform management by sending an email with the subject line "Urgent – Possible Unauthorized Disclosure or Inspection of FTI" to HHSC Offices for Information Technology, Privacy Division, Chief Information Security Office and IRS coordinator.
Examples of FTI security incidents include but are not limited to:
- leaving an agency computer or laptop with FTI unlocked and unattended;
- leaving a file cabinet with FTI unlocked;
- allowing contract IT Help Desk support access to an agency device with FTI while the user is accessing ASOIG;
- printing FTI on Xerox Multi-Factor Office Devices;
- allowing unmonitored contractor access to an FTI hardware server;
- discussing FTI on a Voice over Internet Protocol (VoIP) phone with people or other agency employees;
- viewing FTI remotely without approval;
- sending screenshots of FTI data from the ASOIG application;
- screensharing FTI during virtual meetings, which includes meetings conducted through Microsoft Teams, Zoom, Go To Meeting, Webex and Google Meet; and
- stealing or losing laptop computers, removable devices or non-digital media containing FTI.
Related Policy
Reporting Unauthorized Inspection or Disclosure of Social Security Administration-Provided Information, B-1250
C-1061 Penalties for Disclosing FTI
Revision 24-3; Effective July 1, 2024
All Programs
People responsible for the willful unauthorized inspection or disclosure of FTI may be subject to criminal and civil penalties in addition to disciplinary action. Security incidents may also result in temporary or permanent suspension from ASOIG access.
Criminal penalties for willful unauthorized inspection of FTI are:
- a fine up to $1,000; and
- one year in prison, together with the costs of prosecution.
Criminal penalties for willful unauthorized disclosure of FTI are:
- a fine up to $5,000; and
- up to five years in prison, together with the costs of prosecution.
Civil penalties for willful unauthorized inspection or disclosure of FTI are:
- the greater of $1,000 or actual damages for each incident; and
- court costs and attorney fees to the plaintiff.