OFFICE OF CHIEF COUNSEL OPERATION R.E.D. GUIDANCE

Operation R.E.D. is a two-month Chief Counsel event, the goal of which is to refresh employees' awareness of existing policies and procedures regarding safeguarding of sensitive information. During this event, employees are given time to:

- Review their electronic files and paper holdings for sensitive information that is required to be secured;
- Encrypt (electronic) and/or safeguard (paper) all sensitive information for which they have a continued business need to keep in their possession;
- Decide whether information that they no longer have a continued business need to keep should be archived or destroyed.

Operation R.E.D.

- Review your possessions for PII and SBU information
- Encrypt PII and SBU information you have a continued business need to keep in your possession
- Decide to archive or properly destroy PII and SBU information you no longer need in your possession

PII is Personally Identifiable Information
SBU is Sensitive But Unclassified Information

CCDM (1) states that, "Employees are responsible for the protection and proper disposition of all information, documents and property in their possession and control. They must make every effort to protect information, documents and other property entrusted to their care and prevent unauthorized entry into areas where information, documents and property are located."

Similarly, IRM (1) states that, "The protection of information is of vital concern to the Service. Every effort must be made to ensure that all documents are provided protection commensurate with the information therein all Service personnel must take care to ensure they recognize information which requires protection regardless of the media on which that information is contained."

What information needs to be protected?

As part of its vital mission to the United States, IRS and Chief Counsel employees are entrusted with a tremendous amount of sensitive information, including Sensitive But Unclassified (SBU) information and Personally Identifiable Information (PII). Protecting this information is vital to maintaining the public trust that encourages voluntary compliance with the tax law and enables the IRS and Chief Counsel to conduct business effectively.

Sensitive But Unclassified (SBU) Information

CCDM (1) defines SBU information as any information considered sensitive or critical due to the risk and magnitude of loss or harm that could result from unintentional or deliberate disclosure, alteration or destruction. SBU information includes:

- Tax data (i.e., returns and return information) subject to the disclosure provisions of section 6103 of the Internal Revenue Code
- Law enforcement information
- Proprietary information (e.g., contracts, solicitations)
- Mission-critical information
- Individually Identifiable Information subject to the Privacy Act (5 U.S.C. 552a)

SBU also includes other statutorily protected information, such as grand jury information subject to Rule 6(e) of the Federal Rules of Criminal Procedure and tax convention information subject to section 6105 of the Internal Revenue Code. See IRM for a more comprehensive definition of SBU information.

Personally Identifiable Information (PII) is sensitive information that, either alone or in combination with other information, may be used to uniquely identify, contact or locate a person. Unauthorized disclosure of PII places individuals at serious risk for identity theft and invasion of privacy. Some examples of PII are:

- Names
- Addresses
- Email addresses
- Telephone numbers
- Social Security numbers
- Bank account numbers
- Date and place of birth
- Mother's maiden name
- Biometric data (height, weight, eye color, fingerprints, etc.)

See IRM , for a more comprehensive definition of PII.

SBU information and PII require similar protections. Even where existing guidance referenced below refers only to PII or only to SBU, such guidance applies with equal force to the other category of information.

REVIEW

Chief Counsel employees maintain SBU/PII in a variety of forms: in records stored on network drives (e.g., the G: drive), computer hard drives (e.g., records created and stored on the employee's desktop (the C: or D: drive) or on the employee's laptop when the employee is not connected to the network), in messages and Calendar appointments maintained in Microsoft Office Outlook, in information stored on removable media (e.g., CD-ROMs, flash drives or diskettes), and in paper records. During Operation R.E.D., employees are being asked to review both their electronic files and paper holdings to ensure that they are only in possession of SBU/PII that they have a need to know (i.e., a continuing business need to keep in their possession).

Need to know

Under the Privacy Act of 1974 (5 U.S.C. 552a) and Internal Revenue Code 6103, an employee should only have access to sensitive information if that employee's official duties require access to that information.

When an employee no longer has an ongoing need to retain sensitive information (e.g., upon issuance of advice, upon notice of final judicial disposition of the litigation, upon publication of the final regulations or other item of published guidance), the employee must ensure that all documentation is included in the case file. The case file should then be closed in accordance with case closing procedures set forth in CCDM , , or .

There may, however, be instances when an employee does have a need to retain a case file after his or her office's involvement in the matter is complete. In such instances, the assignment/file should be closed in CASE-MIS and then charged out from the location where closed files are maintained in the employee's facility (so that the office knows where the closed file is located). When the employee no longer has a need to retain the closed file, the file must be promptly returned to the closed files facility.

Generally, once the file is closed, the employee should not continue to retain PII or SBU information on his/her computer's hard drive, on removable media, or in paper records otherwise readily available to them, unless immediate access is necessary to the performance of the employee's official duties.

ENCRYPT/SAFEGUARDS

Once employees have completely reviewed their inventories of SBU/PII, they must follow the proper procedures for safeguarding information that they have a continuing business need to maintain in their immediate possession.

Safeguarding Electronic Data

Employees should store all electronic records containing SBU/PII on the Chief Counsel network, the G: drive.
IRM requires that all SBU/PII that is processed, stored, or transmitted by computer equipment (such as laptops and memory storage devices), outside of IRS facilities, be encrypted.

1) Laptops

Laptops are automatically encrypted with WinMagic's SecureDoc Disk Encryption to protect the contents of the hard drive when the computer is at rest (turned off or rebooted). If the computer is lost or stolen, unauthorized users will not be able to access any data on the hard drive.

When the employee's laptop is connected to the Chief Counsel network (the G: drive), all files should be saved to the network directory. When the employee's laptop is not connected to the network, the employee must save all files to the Encrypted File System (EFS) protected data folder (see item 3, below). When the employee's laptop is later reconnected to the network, the employee must move the information that had been stored in the EFS protected data folder to the G: drive, which will automatically decrypt the information. Detailed information on how employees may access their EFS protected folder may be found in item 3), below.

2) Information saved to removable media

All Chief Counsel workstations, both desktops and laptops, are installed with Guardian Edge Removable Storage (GERS) software. GERS will automatically encrypt any files saved to removable media such as floppy diskettes, CDs, flash/thumb drives, and USB-attached hard drives. GERS will also decrypt GERS-encrypted files that employees receive from other Chief Counsel or IRS offices.

Employees who save information to removable media for their own use may access that information without any password, as long as they are accessing the information on a Chief Counsel system. Although there is the ability to read GERS-encrypted files on non-Chief Counsel computers, employees are prohibited from doing so on their home/personal computers. Employees may share information saved to removable media by providing the recipient with the password used to encrypt the file.

Employees who need to save information to removable media without encryption (e.g., training materials created for use at an off-site seminar) should contact their Administrative Officer or Office Manager in order to produce the unencrypted removable media.

Files containing SBU/PII may only be saved to government-approved removable media. SBU/PII may never be placed on non-government owned or approved media.

3) Computer hard drives

When circumstances require employees to store information on their computer's hard drive (e.g., the network is down or employees are using their laptops in a location where they cannot connect to the network), the employees must temporarily store the information in the EFS protected folder. All Chief Counsel employees have an EFS protected data folder on their computer's local D: drive. The EFS protected data folder is located as follows: D:\users\[Your Username]. For example, a Chief Counsel employee with the user name noclxyz will find the EFS protected data folder in the following location: D:\users\noclxyz.

When employees save records to their EFS protected data folder, the records will be automatically encrypted. No login or password is needed. The employee can open an encrypted file, save the file, or delete the file, just the same as if the file were not encrypted.

If the employee wants to copy an encrypted file to a non-encrypted folder, such as moving an encrypted Word file from the D:\Users\[Your Username] folder to the Documents folder, the file maintains its encrypted status. This is true as long as employees keep the file or folder on their computer's local hard drive (C: or D: drive).

If an employee attempts to move or copy a file from the employee's EFS protected data folder to the network drive (G: drive), the employee will be prompted as follows:

By selecting Ignore or Ignore All, the unencrypted file is moved or copied to the G: drive.

4) Microsoft Office Outlook

Use of Microsoft Office Outlook raises two key issues with respect to data security:

a) messages sent within Chief Counsel using Microsoft Office Outlook are protected; no further encryption is required.

b) messages sent to IRS addresses must be encrypted using Secure Messaging (S/MIME) whenever the text of the message (or any attachments thereto) contains SBU/PII. Information on enrolling in and using Secure Messaging may be found by clicking on the Microsoft Office Outlook Settings Update at:

NOTE: SBU/PII can never be included in the subject lines of messages because subject lines cannot be encrypted.

c) messages containing SBU/PII sent externally may be transmitted solely to those entities with whom Chief Counsel enters into an information sharing agreement. For example, the IRS Office of Cybersecurity and the U.S. Department of Justice (DOJ) Tax Division have entered into an agreement that allows for Chief Counsel attorneys and DOJ Tax Division counterparts to transmit information containing SBU/PII in WinZip9-encrypted attachments to messages. The Chief Counsel attorney must separately provide the password that will allow the DOJ attorney to open the file, either telephonically or by fax.

Chief Counsel employees may not send SBU/PII data by email to taxpayers, taxpayer representatives, or other non-Chief Counsel/IRS party, even if the other party uses encryption software. See IRM (7), Standards for Using Email. Employees should contact their immediate supervisor if they have questions concerning the sending of messages containing SBU/PII.

d) Information entered into the Microsoft Office Outlook Calendar cannot be encrypted; therefore, Calendar entries must not contain SBU/PII. Employees should use subject matter descriptions (e.g., summons matter) in lieu of taxpayer names when sending Calendar invitations or entering their own Calendar appointments into Microsoft Office Outlook. However, if the subject of a Calendar entry is a docketed case, the case name alone may be included. Employees should send an encrypted email to meeting/conference call invitees if additional SBU/PII is needed as background to the appointment. Attached is the most recent IRS guidance on the use of the Microsoft Office Outlook Calendar.

IG- PII On Outlook Calendar Final_10310

The Encryption Aids File icon located on every Chief Counsel workstation contains step-by-step guidance for the various methods of encryption available to Chief Counsel employees. Detailed information on computer security and encryption may also be found on the Chief Counsel home page in the Useful Information section by clicking on the Computer Security link:

Safeguarding Paper Records

1) Records located at IRS facilities

Employees should use measures appropriate to the circumstances to protect information containing SBU/PII left on desks or workstations, or in conference or other work rooms, when they are not present during the workday, in order to prevent unauthorized access.

IRS and Chief Counsel security rules for protecting paper records containing SBU/PII require that, when the records are not in the custody of an authorized Counsel employee, the records be stored in a file cabinet, desk drawer, overhead storage bin, credenza, or similar locked compartment. The records may also be stored in a room or area with physical access control measures affording adequate protection and preventing unauthorized access by the public, visitors, or other persons without a need-to-know. Examples of acceptable access control measures include, but are not limited to, a key-locked room, or a restricted-access work area controlled by a cipher lock or card reader.

2) Records located off-site

There may be certain circumstances where an employee may have a legitimate need to store records containing SBU/PII in a location other than a secured IRS facility. Such circumstances include, but are not limited to, Flexiplace arrangements, situations where the employee is on business travel, and the transmittal of records via mail or other carrier service.

Flexiplace

Employees working under Flexiplace agreements are required to secure records containing SBU/PII in the same manner that they would be required to secure those same records at an IRS facility.

Travel

Employees on business-related travel or otherwise transporting SBU/PII should follow the policies for protecting SBU/PII while outside of IRS offices found in IRM and IRM requires that SBU/PII transmitted from one location to another must be afforded adequate safeguards.

Employees who hand carry information containing SBU/PII in connection with business trips or during the course of their daily activities should keep that information with them, to the extent possible. If circumstances require that the employee leave SBU/PII information in a vehicle, the employee must lock the information in the vehicle's trunk. If the vehicle does not have a trunk, the employee should conceal the information from plain view and secure the information in some manner. In any case, the vehicle must be locked if SBU/PII is left unattended, even if only for a short period of time.

Hotel and motel rooms are usually not good locations in which to secure SBU/PII; however, if SBU/PII must be left in a hotel or motel room, the employee should maintain the SBU/PII in a locked briefcase and conceal the briefcase, to the extent possible.

Records stored off-site

IRM details the requirements for protecting SBU/PII that is necessarily stored off-site.

Transmission of records via mail or carrier

When transmitting SBU/PII in paper or removable media format from one IRS facility to another by mail or other carrier service, employees are required to do so in a manner that ensures that the information does not become misplaced or disclosed to unauthorized personnel. Chief Counsel has adopted IRS-recommended shipping guidelines that have enhanced security of SBU/PII during shipment. These practices are as follows:

- Double wrap or double box all materials
- Place address labels on both inside and outside packages
- Ship via United Parcel Service (UPS)
- Monitor the package during shipment using the basic tracking number provided by UPS and confirm receipt

Please refer to specific requirements for shipping returns and return information, which are outlined in IRM In addition, employees must follow the recordkeeping requirements of IRM , Recordkeeping and Accounting for Disclosures.

DECIDE (to Archive or Destroy)

After employees have reviewed their complete inventories of SBU/PII, they must decide whether they are required to archive certain files/media in accordance with the Record Control Schedules published in IRM , or whether they are permitted to destroy the information.

The Record Control Schedules found in IRM pertain specifically to Chief Counsel files and records. In addition, CCDM provide detailed information concerning Chief Counsel's file maintenance, retention and storage requirements. Adhering to these schedules is vital to ensuring the Service's compliance with statutory requirements for the maintenance of federal records.

Preservation/Archiving of Records

IRM , Types of Records and Their Life Cycle, provides an overview of the types of records maintained by the IRS and Chief Counsel. Records are classified as either temporary or permanent. The majority of records maintained by Chief Counsel employees are temporary records. Temporary records are subject to the specific retention and destruction time lines found in IRM

Over the next two months, Operation R.E.D. will require Chief Counsel employees to undertake serious file maintenance activities. During this two-month period, employees are to ensure that all documentation, as set forth in CCDM and , is properly organized and maintained in case files, especially email traffic. When the matter to which the case file relates is resolved, then the case file should be submitted promptly for closing.

If, after researching the IRM and CCDM, employees require further assistance on Chief Counsel policies and procedures pertaining to records management, they should contact their immediate supervisor, or their local Area or HQ Records Manager, as appropriate.

Where the Records Control Schedules require employees to preserve electronic data, they must do so in accordance with IRM , Managing Electronic Records. This section applies to all electronically stored information, including messages and Microsoft Office Word, PowerPoint, and Excel records.

Paper Records and Removable Media

The procedures for retiring records to the Federal Records Center and the National Archives are contained in IRM and IRM , respectively. Employees should note that there are specific shipping procedures contained in those sections that differ from the routine shipping procedures for return and return information.

Destruction of Temporary Records

Electronic Stored Information (ESI)

Chief Counsel employees have an obligation to preserve and retain all relevant ESI within their control, as well as paper files, whenever civil litigation is reasonably anticipated or has commenced. This obligation exists regardless of whether the legal action is brought against or on behalf of the agency. When litigation is ongoing or is reasonably anticipated, a litigation hold on relevant or potentially relevant ESI must be established and any steps taken in this regard must be fully documented. The obligations under the litigation hold to search, identify, preserve, and isolate ESI related to specific, predictable, and identifiable litigation supersede all records management policies that would otherwise result in the alteration or destruction of ESI.

As highlighted in Chief Counsel Notice CC , ESI has always been subject to discovery. The Federal Rules of Civil Procedure, as amended, however, focus attention on the existence and availability of ESI and formalize a uniform discovery process for dealing with ESI. ESI is defined broadly in the amended rules to account for both present technology as well as the development of future technology. Generally, ESI includes, but is not limited to, all email and attachments; word processing, spreadsheet, graphic and presentation files; image and text files; and other information stored on hard drives or removable media (e.g., laptops and portable thumb drives). ESI also includes metadata, databases, instant messages, transaction logs, audio and video files, voicemail, webpages, computer logs, text messages, and backup and archived material.

Preservation of ESI means that the information is not to be altered, destroyed, or removed from its existing location until such time that it has been isolated and preserved for purposes of the litigation. This means that Chief Counsel employees must also ensure that all retention schedules related to relevant ESI are suspended in order that the ESI not be destroyed after the initial notification is received. Employees should work closely with IT personnel to assist in this process, especially with regard to preservation of metadata and in recognition that they may be required to produce the ESI in its native format. Issues concerning ESI should be coordinated with the Office of the Associate Chief Counsel (Procedure & Administration), Branch 6 or 7.

When, in accordance with the appropriate Records Control Schedule, Chief Counsel employees are no longer required to retain or archive information containing SBU/PII, they should destroy the information in accordance with the following guidelines.

NOTE: As previously stated, there should be no destruction of records, including electronically stored information, involving litigation that is anticipated, pending, or ongoing.

Destruction of Electronically Stored Records

When the life cycle of an electronically stored record containing SBU/PII is complete (e.g., the employee no longer has an ongoing business reason to maintain the information, the applicable Records Control Schedule authorizes destruction, and there is no litigation hold on the information), the employee must delete the information from all locations where it may be stored. That means that the employee must delete the information from the network drive (the G: drive), the computer hard drive, and any removable media on which the information is electronically stored.

Destruction of Paper Records

When the life cycle of a paper record is complete, the record must be destroyed in accordance with the policies found in IRM and CCDM Generally, the employee's office will have a system in place to destroy paper records via burning or shredding. Disposal during Operation R.E.D. will follow established office-specific procedures.

Sanitization of Removable Media (CD-ROMs, diskettes, etc.)

If employees' review of their electronically stored information reveals unencrypted PII and SBU stored on removable media and employees have a continuing business need to maintain the information, the employees must move the information to the network drive (G: drive). Employees must then secure any removable media containing unencrypted electronic PII and SBU in a locked cabinet or locked desk until the sanitization procedures identified in IRM are implemented.

For purposes of Operation R.E.D., Chief Counsel employees should contact their local IT personnel to determine whether removable media should be sanitized or destroyed. If the local IT personnel are not equipped to sanitize or dispose of removable media, employees must secure any unneeded removable media on which PII/SBU is stored in locked containers. See IRM (2). Descriptions of the types of containers appropriate for this purpose may be found in IRM


More information

Information Security Policy

Information Security Policy Information Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution. Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR

More information

SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS

SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS SHP-570A 1/14 SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS The goal of this document is to provide adequate security and integrity for criminal history record information (CHRI)

More information

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI.

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI. Title: DPH Current Effective Date: September 22, 2003 Original Effective Date: April 14, 2003 Revision History: April 22, 2004 May 1, 2011 January, 2014 Purpose The purpose of the Division of Public Health

More information

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA PURPOSE PURPOSE This document provides guidance to offices about protecting sensitive customer and company information. The protection of Non-public Personal

More information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM

PINAL COUNTY POLICY AND PROCEDURE 2.50 ELECTRONIC MAIL AND SCHEDULING SYSTEM PINAL COUNTY POLICY AND PROCEDURE 2.50 Subject: ELECTRONIC MAIL AND SCHEDULING SYSTEM Date: November 18, 2009 Pages: 1 of 5 Replaces Policy Dated: April 10, 2007 PURPOSE: The purpose of this policy is

More information

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008 AUBURN WATER SYSTEM Identity Theft Prevention Program Effective October 20, 2008 I. PROGRAM ADOPTION Auburn Water System developed this Identity Theft Prevention Program ("Program") pursuant to the Federal

More information

BRIDGEVALLEY COMMUNITY & TECHNICAL COLLEGE OPERATING POLICY

BRIDGEVALLEY COMMUNITY & TECHNICAL COLLEGE OPERATING POLICY BRIDGEVALLEY COMMUNITY & TECHNICAL COLLEGE OPERATING POLICY Effective Date Subject Number Page April 1, 2014 PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII) B-OP-17-14 1 of 7 Supersedes/Supplements:

More information

HIPAA Training for Hospice Staff and Volunteers

HIPAA Training for Hospice Staff and Volunteers HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

University of Louisiana System

University of Louisiana System Policy Number: M-17 University of Louisiana System Title: RECORDS RETENTION & Effective Date: OCTOBER 10, 2012 Cancellation: None Chapter: Miscellaneous Policy and Procedures Memorandum Each institution

More information

RECORD RETENTION AND DESTRUCTION POLICY

RECORD RETENTION AND DESTRUCTION POLICY RECORD RETENTION AND DESTRUCTION POLICY 1. PURPOSE: The purpose of this Record Retention and Destruction Policy ( The Policy ) is to ensure that The Minerals, Metals & Materials Society (the Society )

More information

Justice Management Division

Justice Management Division Justice Management Division Privacy Impact Assessment for the Justice Unified Telecommunications Network (JUTNet) Voice Services System Issued by: Arthur E. Gary, General Counsel and Senior Component Official

More information

Electronic Records Management Guidelines

Electronic Records Management Guidelines Electronic Records Management Guidelines I. Objectives The employees of the Fort Bend Independent School District (the District ) routinely create, use, and manage information electronically in their daily

More information

Section 28.1 Purpose. Section 28.2 Background. DOT Order 1351.28 Records Management. CIOP Chapter 1351.28 RECORDS MANAGEMENT

Section 28.1 Purpose. Section 28.2 Background. DOT Order 1351.28 Records Management. CIOP Chapter 1351.28 RECORDS MANAGEMENT CIOP Chapter 1351.28 RECORDS MANAGEMENT TABLE OF CONTENTS Section 28.1 Purpose... 1 Section 28.2 Background... 1 Section 28.3 Scope and Applicability... 2 Section 28.4 Definitions... 4 Section 28.5 Policy...

More information

HIPAA Training for Staff and Volunteers

HIPAA Training for Staff and Volunteers HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help

More information

STATE OF WYOMING Electronic Mail Policy

STATE OF WYOMING Electronic Mail Policy Introduction: STATE OF WYOMING Electronic Mail Policy Pursuant to Executive Order 1999-4 dated the 23rd of December, 1999 Electronic mail (e-mail) enables the user to send and receive messages, make appointments,

More information

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII) Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII) Effective Date: April 10, 2012 Prepared by: Joe Raschke (IT) Table of Contents Purpose

More information

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL 1 INTRODUCTION The County of Imperial Information & Technical Services (ITS) Security Policy is the foundation of the County's electronic information

More information

Subject: U.S. Department of Housing and Urban Development (HUD) Privacy Protection Guidance for Third Parties

Subject: U.S. Department of Housing and Urban Development (HUD) Privacy Protection Guidance for Third Parties U.S. Department of Housing and Urban Development Office of Public and Indian Housing SPECIAL ATTENTION OF: NOTICE PIH-2014-10 Directors of HUD Regional and Field Offices of Public Housing; Issued: April

More information

CITY OF ANDERSON ELECTRONIC RECORD RETENTION POLICY

CITY OF ANDERSON ELECTRONIC RECORD RETENTION POLICY CITY OF ANDERSON ELECTRONIC RECORD RETENTION POLICY Electronic records include all documents, applications, databases, spreadsheets, email and other materials created on a computer. I. Records Management

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015 The Department of Health and Human Services Privacy Awareness Training Fiscal Year 2015 Course Objectives At the end of the course, you will be able to: Define privacy and explain its importance. Identify

More information

The E-Discovery Process

The E-Discovery Process POOLING PROVISIONS The E-Discovery Process A publication of Nevada Public Agency Insurance Pool The e- discovery process the search of electronic records for use as legal evidence can cost thousands of

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems Privacy Impact Assessment Of the Office of Inspector General Information Technology Infrastructure Systems Program or application name: Office of Inspector General Information Technology Infrastructure

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Were there other system changes not listed above? No 3. Check the current ELC (Enterprise Life Cycle) Milestones (select all that apply)

Were there other system changes not listed above? No 3. Check the current ELC (Enterprise Life Cycle) Milestones (select all that apply) Date of Approval: October 9, 2015 PIA ID Number: 1448 A. SYSTEM DESCRIPTION 1. Enter the full name and acronym for the system, project, application and/or database. AIMS Centralized Information System,

More information

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability

More information

National Archives and Records Administration

National Archives and Records Administration National Archives and Records Administration NARA 1608 August 6, 2009 SUBJECT: Protection of Personally Identifiable Information (PII) 1608.1 What is the purpose of this directive? This directive: a. Defines

More information

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon This document is scheduled to be published in the Federal Register on 02/11/2016 and available online at http://federalregister.gov/a/2016-02788, and on FDsys.gov Billing Code: 5001-06 DEPARTMENT OF DEFENSE

More information

2014 Core Training 1

2014 Core Training 1 2014 Core Training 1 Course Agenda Review of Key Privacy Laws/Regulations: Federal HIPAA/HITECH regulations State privacy laws Privacy & Security Policies & Procedures Huntsville Hospital Health System

More information

SUMMARY: The Defense Health Agency proposes to alter an. existing system of records, EDTMA 02, entitled "Medical/Dental

SUMMARY: The Defense Health Agency proposes to alter an. existing system of records, EDTMA 02, entitled Medical/Dental This document is scheduled to be published in the Federal Register on 10/27/2015 and available online at http://federalregister.gov/a/2015-27229, and on FDsys.gov Billing Code: 5001-06 DEPARTMENT OF DEFENSE

More information

Department of Veterans Affairs VA Directive 6311 VA E-DISCOVERY

Department of Veterans Affairs VA Directive 6311 VA E-DISCOVERY Department of Veterans Affairs VA Directive 6311 Washington, DC 20420 Transmittal Sheet June 15, 2012 VA E-DISCOVERY 1. REASON FOR ISSUE: To establish policy concerning the care and handling of documents

More information

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit

More information

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9 ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9 Purpose: The purpose of this policy is to establish guidelines for proper use of all forms of electronic media. As used in this policy, electronic media includes,

More information

How To Manage Records And Information Management In Alberta

How To Manage Records And Information Management In Alberta 8. RECORDS AND INFORMATION MANAGEMENT Overview This chapter is intended to help public bodies understand how good records and information management practices assist in the effective administration of

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under

More information

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT Office of Employee Benefits Administrative Manual PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT 150 EFFECTIVE DATE: AUGUST 1, 2009 REVISION DATE: PURPOSE: Ensure that the Office of Employee Benefits

More information

5 FAM 440 ELECTRONIC RECORDS, FACSIMILE RECORDS, AND ELECTRONIC MAIL RECORDS

5 FAM 440 ELECTRONIC RECORDS, FACSIMILE RECORDS, AND ELECTRONIC MAIL RECORDS 5 FAM 440 ELECTRONIC RECORDS, FACSIMILE RECORDS, AND ELECTRONIC MAIL RECORDS (CT:IM-158; 12-29-2014) (Office of Origin: A/GIS/IPS) NOTE: In October, 2014, the Department issued an interim directive superseding

More information

Records Management Policy. EPA Classification No.: CIO 2155.3 CIO Approval Date: 02/10/2015. CIO Transmittal No.: 15-005 Review Date: 02/10/2018

Records Management Policy. EPA Classification No.: CIO 2155.3 CIO Approval Date: 02/10/2015. CIO Transmittal No.: 15-005 Review Date: 02/10/2018 INFORMATION POLICY Records Management Policy Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 Records Management Policy 1. PURPOSE To advance a focus on overall

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices 28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices the records are part of an on-going investigation in which case they may be retained until completion of the investigation.

More information

Practical tips for managing e mail

Practical tips for managing e mail E MAIL MANAGEMENT E mail messages both sent and received that provide evidence of a government transaction are considered public records. Agencies and locality Records Officers must ensure that e mail

More information

CMS IT - Requirements For Electronic Storage

CMS IT - Requirements For Electronic Storage Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Disk Space Storage Management August 2004 Document Number: CMS-CIO-POL-INF02-01

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

Records Management Policy

Records Management Policy Records Management Policy Business Records exist in a variety of forms, including physical and electronic form. The foundation produces, receives, stores and destroys a large number of Business Records

More information

Other terms are defined in the Providence Privacy and Security Glossary

Other terms are defined in the Providence Privacy and Security Glossary Subject: Device and Media Controls Department: Enterprise Security Executive Sponsor: EVP/COO Approved by: Rod Hochman, MD - President/CEO Policy Number: New Date: Revised 10/11/2013 Reviewed Policy Owner:

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

GREATER TEXAS FEDERAL CREDIT UNION RECORDS PRESERVATION PROGRAM

GREATER TEXAS FEDERAL CREDIT UNION RECORDS PRESERVATION PROGRAM Approved: September 17, 2002 Purpose of Program: GREATER TEXAS FEDERAL CREDIT UNION RECORDS PRESERVATION PROGRAM In accordance with the National Credit Union Administration ( NCUA ) Rules and Regulations

More information

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs The Identity Theft and Fraud Protection Act (Act No. 190) allows for the collection, use

More information

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security and Electronic Communications Acceptable Use Policy (AUP) Policy No.: AUP v2.0 Effective Date: August 16, 2004 Revision Date: January 17, 2013 Revision No.: 1 Approval jwv / mkb Information Security and Electronic Communications (AUP) 1. INTRODUCTION Southwestern

More information

Information Security Plan effective March 1, 2010

Information Security Plan effective March 1, 2010 Information Security Plan effective March 1, 2010 Section Coverage pages I. Objective 1 II. Purpose 1 III. Action Plans 1 IV. Action Steps 1-5 Internal threats 3 External threats 3-4 Addenda A. Document

More information

E-Discovery Toolkit for Educational Institutions

E-Discovery Toolkit for Educational Institutions E-Discovery Toolkit for Educational Institutions The e-discovery process the search of electronic records for use as legal evidence can cost educational institutions thousands of dollars and hours. The

More information

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008 United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008 I. Introduction United Cerebral Palsy of Greater Chicago ( UCP ) recognizes that

More information

Encryption Security Standard

Encryption Security Standard Virginia Commonwealth University Information Security Standard Title: Encryption Security Standard Scope: Approval February 22, 2012 This document provides the encryption requirements for all data generated,

More information

Appendix H: End User Rules of Behavior

Appendix H: End User Rules of Behavior Appendix H: End User Rules of Behavior 1. Introduction The Office of Management and Budget (OMB) has established the requirement for formally documented Rules of Behavior as set forth in OMB Circular A-130.

More information

Critical Data Guide. A guide to handling critical information at Indiana University

Critical Data Guide. A guide to handling critical information at Indiana University Critical Data Guide A guide to handling critical information at Indiana University What is critical information? IU defines critical information as sensitive data requiring the highest level of protection.

More information

Department of Homeland Security Management Directives System MD Number: 4500.1 Issue Date: 03/01/2003 DHS E-MAIL USAGE

Department of Homeland Security Management Directives System MD Number: 4500.1 Issue Date: 03/01/2003 DHS E-MAIL USAGE Department of Homeland Security Management Directives System MD Number: 4500.1 Issue Date: 03/01/2003 DHS E-MAIL USAGE I. Purpose This directive establishes Department of Homeland Security (DHS) policy

More information

Taking care of what s important to you

Taking care of what s important to you A v i v a C a n a d a I n c. P r i v a c y P o l i c y Taking care of what s important to you Table of Contents Introduction Privacy in Canada Definition of Personal Information Privacy Policy: the ten

More information

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss

More information

County Identity Theft Prevention Program

County Identity Theft Prevention Program INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such

More information

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security State Fair Community College shall provide a central administrative system for use in data collection and extraction. Any system user

More information

Excerpted from Federal Register: Sept. 9, 2014 (Volume 79, Number 174)

Excerpted from Federal Register: Sept. 9, 2014 (Volume 79, Number 174) PBGC-13: Debt Collection Excerpted from Federal Register: Sept. 9, 2014 (Volume 79, Number 174) General Routine Uses System Name: Debt Collection -- PBGC. Security Classification: None. System Location:

More information

01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS)

01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS) 01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS) Authority: Board of Trustees History: Effective May 1, 2009 (approved initially April 24, 2009) Source of Authority: Related Links: Responsible Office:

More information

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY DOC. T99-061 Passed by the BoT 8/4/99 UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY The President of the University shall adopt guidelines to require that each campus

More information

The University of North Carolina at Charlotte Identity Theft Prevention Program

The University of North Carolina at Charlotte Identity Theft Prevention Program The University of North Carolina at Charlotte Identity Theft Prevention Program Program Adoption As a best practice and using as a guide the Federal Trade Commission s ( FTC ) Red Flags Rule ( Rule ),

More information