Per the IRS Publication 1075, a data breach is a type of incident involving a loss, theft, or inadvertent unauthorized disclosure of FTI. A data breach is defined as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where:
- A person other than an authorized user accesses or potentially accesses FTI or,
- An authorized user accesses or potentially accesses FTI for an other than authorized purpose.
Some examples of a data breach include:
- A laptop is lost or stolen
- A third party overhears employees discussing FTI
- Documents containing FTI are lost during shipping
- An authorized user sells information containing FTI
- An authorized user accesses information containing FTI for their own personal use
CSS policy OAC-340-25-5-67 spells out how CSS limits disclosure of FTI. Instances of inappropriate access or misuse of confidential information including FTI should be reported to you supervisor.