Originally Authored by: Miknon Go | Senior Director, Strategic Advisors, AvePoint
It’s not just the Internal Revenue Service (IRS) or federal agencies; every state government has a department responsible for taxation or revenue.
By their very nature, these agencies handle both personally identifiable information (PII) and federal tax information (FTI).
PII is any sensitive information that can be used to identify an individual, such as social security numbers, whereas FTI is defined very broadly in Internal Revenue Code 6103 as return information received from the IRS or a secondary source. This includes information on a person’s tax affairs even if it is anonymized and identifiers are stripped out.
Information provided by the IRS must be classified as FTI, but the exact same information obtained in a different manner may need to be classified as PII.
The sensitivity levels of PII and FTI require that agencies are extremely diligent in the protection of the confidentiality of this information.
In fact, Internal Revenue Code 7213 makes it a felony offense for federal and state employees and others to illegally disclose federal tax returns and return information. It is “punishable upon conviction by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years.”
Many state agencies are challenged in their handling of FTI by a few key factors. Some are common communication challenges and risks for sensitive data types that aren’t specific to the nature of FTI such as:
But perhaps the largest challenge to modernizing collaboration surrounding FTI data is that the unique restrictions and requirements placed on this data preclude the use of powerful collaboration platforms, such as Microsoft 365 (formerly Office 365), unless configured appropriately.
The obstacle to proper configuration often rests with how Microsoft 365 is deployed across the state government. In virtually every case, the entirety of the state’s government leverages a single Microsoft 365 tenant for all its agencies.
This is advantageous as it allows state governments to purchase at scale and enables faster, easier collaboration while removing data silos. It becomes a challenge, however, when agencies with specific data restrictions, like FTI data, require a different set of configuration settings than other agencies.
While Microsoft 365 is incredibly extensible and flexible, there are still certain settings, such as how you provision Groups, that follow a “one tenant, one rule” architecture. As a result, the central state IT provider is often reluctant to put tighter restrictions on other agencies to support one agency’s use case, and the agency handling the sensitive data must find alternative means for collaboration.
But Microsoft 365’s incredibly robust security and compliance features make it the ideal environment to host and protect these sensitive data types.
As previously mentioned, FTI data is governed by unique rules and regulations that are enforced by strong punitive measures for non-compliance.
The rules and regulations for managing both physical as well as digital FTI data can be accessed in Publication 1075, “Tax Information Security Guidelines For Federal, State and Local Agencies.”
It’s important to note that it’s a detailed document that provides guidelines for a wide range of modern digital systems—in no part of the document does it limit the use of FTI data to older legacy systems such as secure email.
If combing through the 163 pages sounds a bit daunting, we have summarized what we see as the most relevant requirements for any system managing and storing FTI content. The system must be able to:
So if these restrictions are preventing state agencies from leveraging Microsoft 365 to handle FTI, what are they using? The typical workflow we have seen is:
Now let’s take a second to imagine additional, modern collaboration scenarios that can be enabled by Microsoft 365 and Microsoft Teams such as persistent chat in channels, ad-hoc chat, and an underlying enterprise collaboration management system to store and access files.
What would FTI compliant versions of these scenarios look like?
Use Case: Collaboration and real-time chat for a regular series of collaborators around ongoing initiatives and reoccurring tasks.
Tool: A “Confidential” Team in Microsoft Teams
Advantages: Chat, voice and collaboration can be in context with the relevant documents and specific information stored within the Team. Membership is restricted to those who need access.
Use Case: An agency employee who also handles FTI information (agency FTI user) needs to communicate and collaborate regarding non-sensitive information.
Tool: “Non-Sensitive” Team in Microsoft Teams
Advantages: The agency FTI user is now able to communicate with other state employees using the tool they are using, which removes information silos. Any sensitive information is caught and contained.
Use Case: The agency responsible for handling FTI data needs to communicate with an external taxpayer regarding their FTI data.
Tool: “Confidential” Internal Audit Team and “Confidential” External Audit Team in Microsoft Teams
Advantages: Chat, voice and collaboration can be in context with the relevant documents and specific information stored within the Team. Membership is restricted to those who need access, including specific external users.
The core technologies enabling these modern collaboration scenarios are of course Microsoft 365 and Microsoft Teams. Microsoft 365 has the most robust security and compliance features available of any collaboration platform today.
The Security and Compliance Center allows organizations to confidently identify, classify, manage and protect all types of sensitive content leveraging sensitivity labels.
These features can be extended and configured uniquely for a specific agency using third-party solutions, which you can see in this table mapping FTI requirements to technical solutions.