This article is contributed. See the original author and article here.
Defining FTI and Consequences of Non-Compliance
Originally Authored by: Miknon Go |Senior Director, Strategic Advisors, AvePoint
It is not just the Internal Revenue Service (IRS) and other federal agencies: every state government has a department responsible for taxation or revenue.
By their very nature, these agencies handle both personally identifiable information (PII) and federal tax information (FTI).
PII is any sensitive information that can be used to identify an individual, such as a Social Security number. FTI is defined much more broadly: Internal Revenue Code section 6103 covers tax returns and "return information", and Publication 1075 treats such information received from the IRS, or from a secondary source such as the Social Security Administration, as FTI. This includes information about a person's tax affairs even when it has been anonymized and direct identifiers have been stripped out.
Information received from the IRS must be classified as FTI, while the very same data obtained in a different manner (for example, directly from the taxpayer) is not FTI and is instead handled as PII.
The sensitivity of PII and FTI requires that agencies be extremely diligent in protecting the confidentiality of this information.
Note: there are other types of regulated PII, and the strategies described here can be readily adapted to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and others.
Internal Revenue Code section 7213 makes it a felony for federal and state employees, and others, to willfully disclose federal tax returns and return information without authorization. It is "punishable upon conviction by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years." Section 7213A separately makes unauthorized inspection ("browsing") of returns and return information a misdemeanor, and section 7431 gives the affected taxpayer a civil cause of action, so access itself, not only disclosure, must be controlled and logged.
Challenges to Compliant Collaboration
Many state agencies are challenged in their handling of FTI by a few key factors. Some are communication challenges and risks common to any sensitive data type and not specific to FTI, such as:
- Multiple siloed divisions and agencies;
- Dispersed office locations across the state; and
- The need to work with a diverse range of external collaborators including taxpayers, vendors and contractors.
But perhaps the largest challenge to modernizing collaboration surrounding FTI data is that the unique restrictions and requirements placed on this data preclude the use of powerful collaboration platforms, such as Microsoft 365 (formerly Office 365), unless configured appropriately.
The obstacle to proper configuration often lies in how Microsoft 365 is deployed across the state government. In most cases the entire state government uses a single Microsoft 365 tenant for all of its agencies.
This is advantageous as it allows state governments to purchase at scale and enables faster, easier collaboration while removing data silos. It becomes a challenge, however, when agencies with specific data restrictions, like FTI data, require a different set of configuration settings than other agencies.
While Microsoft 365 is highly extensible and flexible, certain settings, such as how Groups are provisioned, follow a "one tenant, one rule" architecture (although some settings, such as whether guests may be added, can be overridden for an individual group). As a result, the central state IT provider is often reluctant to impose tighter restrictions on every agency to support one agency's use case, and the agency handling the sensitive data must find alternative means of collaboration.
Even so, the security and compliance features of Microsoft 365, properly configured, make it a strong environment in which to host and protect these sensitive data types.
FTI Rules and Regulations
As previously mentioned, FTI data is governed by unique rules and regulations that are enforced by strong punitive measures for non-compliance.
The rules and regulations for managing both physical as well as digital FTI data can be accessed in Publication 1075, “Tax Information Security Guidelines For Federal, State and Local Agencies.”
It is a detailed document that provides guidance for a wide range of modern digital systems; nowhere does it limit the handling of FTI to legacy channels such as secure email.
If combing through the 163 pages sounds a bit daunting, we have summarized what we see as the most relevant requirements for any system managing and storing FTI content. The system must be able to:
- Generate a report of all FTI content in the collaboration environment for audits
- Determine everyone in a department or agency who has had access to FTI content
- Protect data at rest and in transit with encryption from FIPS 140-2 validated cryptographic modules (a module validated through NIST's CMVP, not merely one a vendor describes as "compliant")
- Manage, monitor and control who has access to FTI content; this frequently includes internal employees, contractors cleared with the IRS, and external taxpayers accessing their own FTI content
- Retain FTI content and the associated activity logs; Publication 1075 requires audit records to be kept for at least 7 years
LEGAL DISCLAIMER: The information contained in this publication is provided for informational purposes only, and should not be construed as professional advice on any subject matter. We expressly disclaim all liability for actions taken or not taken based on any content herein. All information is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of the information.
Current Common Collaboration Scenarios
So if these restrictions are preventing state agencies from using Microsoft 365 to handle FTI, what are they using? The typical workflow we have seen is:
- States access FTI data through a proprietary application specific to the IRS
- Any new content developed with information derived from this application is classified as FTI content
- FTI content is often stored on network drives (or even personal hard drives!) and shared through secure email. While this can be a compliant system, collaboration with internal and external users is inefficient. Much of this results from the limitations of email attachments: co-authoring is impossible, large files are difficult to send, versioning creates confusion over the single source of truth, and there are no granular permissions.
- Other common collaboration methods include cumbersome secure FTP, costly-to-maintain proprietary systems, and verbal communication.
New Possible Collaboration Scenarios
Now let’s take a second to imagine additional, modern collaboration scenarios that can be enabled by Microsoft 365 and Microsoft Teams such as persistent chat in channels, ad-hoc chat, and an underlying enterprise collaboration management system to store and access files.
What would FTI compliant versions of these scenarios look like?
Ongoing Group FTI Discussion
Use Case: Collaboration and real-time chat for a regular group of collaborators around ongoing initiatives and recurring tasks.
Tool: A “Confidential” Team in Microsoft Teams
Advantages: Chat, voice and collaboration can be in context with the relevant documents and specific information stored within the Team. Membership is restricted to those who need access.
- A monthly “Confidential” Team is requested and provisioned for the working group.
- The group uses this “Confidential” Team to discuss and share FTI content
- Any documents uploaded to the Team are tagged and classified as FTI
- Any conversation in the Team that contains FTI is tagged with "#FTI" (the tag is a convention that aids search and audit; it is not itself an access control, so membership restriction and labels remain the enforcing controls)
- At the end of the month, the Team will be archived and a new one provisioned
Use Case: An agency employee who also handles FTI (an "agency FTI user") needs to communicate and collaborate regarding non-sensitive information.
Tool: “Non-Sensitive” Team in Microsoft Teams
Advantages: The agency FTI user can now communicate with other state employees using the same tool they use, which removes information silos. Any sensitive information posted there is caught and contained.
- The agency FTI user requests a new Non-Sensitive Team
- If a Team member uploads a document, or shares something in a Team conversation, that contains PII or FTI, the system scans the content, contains it and creates a security incident
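The scanning step described in the Non-Sensitive Team scenario is what a data loss prevention rule does: inspect each message or file as it lands, decide whether it carries PII or FTI, and open an incident when content is somewhere it should not be. The following is an added example that is not part of the original article and is not AvePoint's or Microsoft's code. It uses the U.S. Social Security number as the PII detector (validated against the SSA issuance rules, with a keyword requirement for unformatted digit runs to limit false positives), recognises the "#FTI" conversation tag and an "FTI" sensitivity label from the scenarios above, and only raises incidents for content posted to a Non-Sensitive Team. The team names, user names and sample messages are constructed for the example.

```python
"""Added example: a minimal DLP-style scanner for content posted to Microsoft Teams.
Sample teams, users and messages below are constructed, not taken from the article."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Formatted (123-45-6789, 123 45 6789) or unformatted (123456789) candidates.
# The backreference forces the same separator in both positions.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Unformatted 9-digit runs count only when a corroborating word is present,
# otherwise case numbers and invoices would trigger constantly.
SSN_KEYWORDS = ("ssn", "social security", "taxpayer")
# Markers the article's scenarios rely on for FTI content.
FTI_MARKERS = ("#fti", "federal tax information")
# Teams whose content must never contain PII or FTI (constructed names).
NON_SENSITIVE_TEAMS = {"Non-Sensitive - Revenue Ops"}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> List[str]:
    """Return plausible SSNs in text, normalised to 123-45-6789 form."""
    has_keyword = any(k in text.lower() for k in SSN_KEYWORDS)
    hits = []
    for area, sep, group, serial in SSN_RE.findall(text):
        if not is_valid_ssn(area, group, serial):
            continue
        if sep == "" and not has_keyword:
            continue  # bare 9 digits with no context: too noisy to act on
        hits.append(f"{area}-{group}-{serial}")
    return hits


def mask_ssn(ssn: str) -> str:
    """Incident records must not themselves leak the number; keep the last four digits only."""
    return "***-**-" + ssn[-4:]


@dataclass
class Item:
    team: str        # Team the content was posted to
    kind: str        # "message" or "file"
    author: str
    text: str        # message body, or file name plus any extracted text
    label: str = ""  # sensitivity label on a file, if any


@dataclass
class Incident:
    team: str
    author: str
    reasons: List[str]
    evidence: List[str]


def scan_item(item: Item) -> Optional[Incident]:
    """Return an Incident if PII/FTI landed in a Non-Sensitive Team, else None."""
    if item.team not in NON_SENSITIVE_TEAMS:
        return None  # Confidential Teams are expected to hold FTI
    reasons, evidence = [], []
    ssns = find_ssns(item.text)
    if ssns:
        reasons.append("PII:SSN")
        evidence.extend(mask_ssn(s) for s in ssns)
    if any(m in item.text.lower() for m in FTI_MARKERS):
        reasons.append("FTI:marker")
    if item.label.upper() == "FTI":
        reasons.append("FTI:label")
    return Incident(item.team, item.author, reasons, evidence) if reasons else None


def scan(items: List[Item]) -> List[Incident]:
    return [inc for inc in map(scan_item, items) if inc is not None]


# Constructed sample traffic: two innocuous posts, two violations, one expected FTI post.
SAMPLE_ITEMS = [
    Item("Non-Sensitive - Revenue Ops", "message", "alice@state.example", "Lunch at noon, call ext. 555-0123"),
    Item("Non-Sensitive - Revenue Ops", "message", "bob@state.example", "Taxpayer 219-09-9999 disputes the 2019 assessment #FTI"),
    Item("Non-Sensitive - Revenue Ops", "file", "carol@state.example", "2019_audit_notes.docx", label="FTI"),
    Item("Confidential - Audit WG", "message", "bob@state.example", "Taxpayer 219-09-9999 #FTI"),
    Item("Non-Sensitive - Revenue Ops", "message", "dave@state.example", "Invoice 666-12-3456 is paid"),
]


def demo() -> List[Incident]:
    return scan(SAMPLE_ITEMS)


if __name__ == "__main__":
    for incident in demo():
        print(incident)
```

Running the block reports two incidents: Bob's message (a valid SSN plus the "#FTI" tag) and Carol's FTI-labelled file, while the extension number, the 666-prefixed invoice number and the post in the Confidential Team produce nothing. In a real deployment the incident record would be what the DLP policy forwards to the security team, and the masked evidence is all that should ever leave the scanning boundary.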
Use Case: The agency responsible for handling FTI data needs to communicate with an external taxpayer regarding their FTI data.
Tool: “Confidential” Internal Audit Team and “Confidential” External Audit Team in Microsoft Teams
Advantages: Chat, voice and collaboration can be in context with the relevant documents and specific information stored within the Team. Membership is restricted to those who need access, including specific external users.
- The audit working group requests that new "Confidential" Internal and External Audit Teams be provisioned
- FTI is retrieved from the tax system of record and copied into a document
- The document is uploaded to the Internal Audit Team and tagged/classified as FTI
- The audit team discusses the audit in the Internal Audit Team conversation using "#FTI"
- The taxpayer is added to the External Audit Team as a guest; because a guest can see every standard channel and file in a Team, each External Audit Team should hold only that one taxpayer's material
- The audit team copies the appropriate FTI documents from the Internal Audit Team, keeping their FTI tag
- Each document is then uploaded to the External Audit Team and tagged as External Confidential
- Any conversation with the taxpayer carries the "#FTI" tag
- Once the audit is complete, both Teams are archived
The core technologies enabling these modern collaboration scenarios are of course Microsoft 365 and Microsoft Teams, whose security and compliance features are among the most comprehensive available in a collaboration platform today.
The Security and Compliance Center (now the Microsoft Purview compliance portal) allows organizations to identify, classify, manage and protect all types of sensitive content using sensitivity labels.
These features can be extended and configured uniquely for a specific agency using third-party solutions, which you can see in this table mapping FTI requirements to technical solutions.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.