Privacy Act of 1974, as Amended

AGENCY:

Internal Revenue Service, Treasury.

ACTION:

Notice of proposed alteration of a Privacy Act system of records.

SUMMARY:

In accordance with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the Department of the Treasury, Internal Revenue Service (IRS), gives notice of proposed alteration of the system of records entitled Treasury/IRS 34.037, Audit Trail and Security Records.

DATES:

Comments must be received no later than April 10, 2013. The proposed altered system will become effective April 22, 2013, unless the IRS receives comments which cause reconsideration of this action.

ADDRESSES:

Comments should be sent to the Office of Privacy, Governmental Liaison and Disclosure, Internal Revenue Service, 1111 Constitution Avenue NW., Washington, DC 20224. Comments will be available for inspection and copying in the IRS Freedom of Information Reading Room (Room 1621) at the above address. The telephone number for the Reading Room is (202) 622-5164 (not a toll-free number).

FOR FURTHER INFORMATION CONTACT:

David Silverman, Management and Program Analyst, IRS Office of Privacy, Governmental Liaison and Disclosure, (202) 622-5625 (not a toll-free number).

SUPPLEMENTARY INFORMATION:

The IRS is proposing to alter the Privacy Act system of records entitled Treasury/IRS34.037, Audit Trail and Security Records, to add records for the monitoring of electronic communications exiting IRS computer networks to detect sensitive but unclassified (SBU) information that is being transmitted in violation of IRS security policy (e.g., to ensure the information is secured by an adequate level of encryption). The monitoring will allow the IRS to comply with Office of Management and Budget (OMB) Mandates 6-16, 6-19 and 7-16, Treasury Mandate TCIO-M-09-04/S-SDP 6 & S-SDP 7, and Treasury Inspector General for Tax Administration (TIGTA) audit findings recommending such action.

The IRS will review detections of potential violations to determine whether there has been an actual violation of security policy. The records will include items such as suspected and actual policy violations, violation match count (volume), sender, recipient, computer network protocol, and the date and time of the suspected or actual violation.

Corrective action may be taken in accordance with established processes including but not limited to: notification of potential violation to employee and/or supervisor; retention of violation data for statistics and further evaluation; and corrective action according to established labor relations processes and policies.

A notice describing Treasury/IRS 34.037 was most recently published at Volume 77, Number 155 (Friday, August 10, 2(12). The IRS proposes to alter the system of records to include these monitoring records.

TREASURY/IRS 34.037

System name:

Audit Trail and Security Records—Treasury/IRS 34.037.

Categories of individuals covered by the system:

Description of changes: The categories of individuals will be altered to include IRS employees, contractors, and other individuals whose communications are monitored to detect violations of IRS security policies with electronic mail and to include individuals whose records were accessed.

When altered as proposed, the Categories of individuals covered by the system section will read as follows:

Individuals who have accessed, by any means, information contained within IRS electronic or paper records or who have otherwise used any IRS computing equipment/resources, including access to Internet sites; individuals whose information is accessed using IRS computing equipment/resources; and IRS employees and contractors who use IRS equipment to send electronic communications.

Categories of records in the system:

Description of changes: The Categories of records will be altered to include information about individuals who send electronic communications using IRS systems and other individuals who have or may have knowledge of such incidents, and to include records about individuals whose records were accessed.

When altered as proposed, the Categories of records in the system section will read as follows:

Records concerning the use of IRS computing equipment or other resources by employees, contractors, or other individuals to access IRS information; records concerning individuals whose information was accessed using IRS computing equipment/resources; records identifying what information was accessed; records concerning the use of IRS computing equipment and other resources to send electronic communications; and records concerning the investigation of such incidents.

Purpose:

Description of changes: The purpose of the system will be altered to include monitoring for security violations in addition to the current purpose of detecting unauthorized access.

When altered as proposed, the Purpose section will read as follows:

To identify and track any unauthorized accesses to SBU and potential breaches or unauthorized disclosures of such information or inappropriate use of government computers to access Internet sites for any purpose forbidden by IRS policy (e.g., gambling, playing computer games, or engaging in illegal activity), or to detect electronic communications sent using IRS systems in violation of IRS security policy.

Retrievability:

Description of changes: The retrievability will be altered to add new identifiers used to retrieve information in the system.

When altered as proposed the retrievability section will read as follows:

By name, Social Security Number (SSN), or the employee identification number (SEID) of employee, contractor, or other individual who has been granted access to IRS information, or to IRS equipment and resources, and by incident number. Also by name, SSN or Taxpayer Identification Number (TIN) of entities whose records were accessed.

The report of the altered system of records, as required by 5 U.S.C. 552a(r) of the Privacy Act, has been submitted to the Committee on Oversight and Government Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate and the Office of Management and Budget.