A data breach is a type of incident that involves a loss, theft, or inadvertent disclosure of Federal Tax Information (FTI). IRS Publication 1075 defines a data breach as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition or any similar occurrence where:
- a person other than an authorized user accesses or potentially accesses FTI, or
- an authorized user accesses or potentially accesses FTI for an unauthorized purpose.
A data breach is not limited to an occurrence where someone other than an authorized user accesses FTI by a network intrusion, a targeted attack on a website or an attack executed through an email message or attachment. It may also include the loss or theft of physical documents that include FTI and portable electronics that store FTI. It also includes disclosure of FTI to a person that is not authorized to receive the information or an authorized user accessing FTI for unauthorized purposes.
Some common examples of a data breach include:
- A laptop or other electronic device that stores FTI is lost or stolen
- An email containing FTI is inadvertently sent to the wrong person
- A box of documents that contain FTI is lost or stolen during transport
- An unauthorized third party overhears employees discussing FTI
- An authorized person sells FTI for personal gain or disseminates it
- A system that maintains FTI is accessed by a malicious actor
- FTI is posted inadvertently on a public website
CSS policy OAC-340-25-5-67 spells out how CSS limits disclosure of FTI. Instances of inappropriate access or misuse of confidential information, including FTI, should be reported to your supervisor immediately.