Data Security Incident Communication for Departments of Revenue: What Taxpayers Need to Hear First

Few categories of government communication carry the weight that a data security incident notification does when it involves a department of revenue. Tax agencies hold some of the most sensitive personal and financial information that exists in any government data system: Social Security numbers, income details, bank account information for direct deposit, employment history, dependent information, and in many cases a complete financial picture of millions of individuals and businesses. When that information is exposed, accessed without authorization, or potentially compromised, the people affected are not simply inconvenienced. They face genuine, concrete risk of identity theft, fraudulent tax filings, financial fraud, and a range of harms that can take months or years to fully resolve.

The communication that follows a data security incident, whether a confirmed breach, a suspected unauthorized access, or a vulnerability that may have exposed data even without confirmed evidence that it was actually accessed, is among the highest-stakes communication any department of revenue will produce. It arrives at a moment when the affected population is frightened, when trust in the agency is already shaken by the fact that an incident occurred at all, and when the quality of the communication itself, separate from the technical remediation underway, will substantially determine whether that population takes the protective action they need to take and whether they retain any confidence in the agency going forward.

Unlike most of the communication categories that departments of revenue produce routinely, data security incident communication often must be developed under significant legal and forensic constraints. An agency may know that an incident occurred before it knows the full scope of what data was affected, which specific individuals are implicated, or even the precise mechanism of the unauthorized access. Legal counsel, law enforcement coordination, and ongoing forensic investigation can all create genuine reasons why an agency cannot immediately share every detail a taxpayer might want to know. Navigating this tension between the taxpayer’s urgent need for information and the agency’s legitimate inability to provide complete information immediately is the central challenge of data security incident communication.

This article examines how departments of revenue should communicate with taxpayers following a data security incident, addressing what taxpayers need to hear first, how to sequence information as an investigation develops, the specific protective guidance that affected taxpayers need, and the follow-up communication that determines whether an agency emerges from a security incident with its credibility intact or significantly diminished.

The First Communication and the Principle of Calibrated Transparency

The first communication a department of revenue issues after identifying a data security incident sets the tone for the entire episode and should be guided by a principle that can be called calibrated transparency: sharing everything the agency currently knows and can responsibly share, clearly identifying what remains unknown or under investigation, and avoiding both the trap of withholding confirmed information to avoid alarm and the trap of speculating about unconfirmed details that may later prove inaccurate.

Taxpayers who learn about a data security incident affecting their information want answers to a consistent set of questions, regardless of the specific nature of the incident: what happened, what specific information of mine was potentially affected, when did this occur and when did the agency discover it, what is the agency doing about it, and what do I need to do right now to protect myself. The first communication should address each of these questions directly, even if the answer to some of them is currently still under investigation, because acknowledging that a question is unanswered yet is itself a form of honest, useful communication, far more useful than silence or evasion on that point.

The first communication should never wait for complete certainty about every detail before being issued, because the protective actions taxpayers need to take, such as monitoring their credit, placing a fraud alert, or being alert to suspicious tax-related correspondence, are often time-sensitive and benefit from being communicated as early as the agency has reasonable confidence that an incident has occurred and that some population of taxpayers is potentially affected, even before the agency has fully scoped exactly which taxpayers and which specific data elements are involved.

Distinguishing Confirmed Facts From Working Hypotheses

Effective incident communication uses language that clearly distinguishes between what the agency has confirmed through its investigation and what remains a working hypothesis or an area of ongoing inquiry. A communication that says we have confirmed that an unauthorized party accessed a database containing taxpayer names and Social Security numbers for returns filed between specific dates is making a definitive, confirmed statement. A communication that says we are currently investigating whether additional data elements beyond names and Social Security numbers may have been affected is appropriately signaling an open question rather than presenting speculation as established fact.

This distinction matters because taxpayers and the media will scrutinize incident communication closely, and any instance where the agency later has to walk back or significantly revise an earlier confirmed statement creates a credibility problem that compounds the original incident. An agency is far better served by initially stating a more conservative, fully confirmed scope and then expanding that scope as the investigation progresses and additional facts are confirmed, than by an initial communication that overstates certainty and later requires correction.

Clearer Taxpayer Communication: Strategies for State and Local Assessors, Treasurers, Revenue Departments, and Finance Offices

This article is part of our series on strategic communication for State and Local Assessors, Treasurers, Revenue Departments, and Finance Offices. Clear, timely, and accessible taxpayer communication helps government agencies improve compliance, reduce confusion, strengthen public trust, and enhance the citizen experience. To learn more and to see the parent article, which links to additional resources and best practices for taxpayer outreach and engagement, click the button below.

What Affected Taxpayers Need to Know Immediately

Beyond the general principle of calibrated transparency, data security incident communication should prioritize a specific set of practical content elements that affected taxpayers need in order to protect themselves, sequenced in order of urgency rather than in the order that might feel most natural from the agency’s internal investigative perspective.

The single most urgent piece of information is what type of data was potentially exposed, because different categories of data carry different risk profiles and call for different protective responses. Exposure of a Social Security number carries a different and generally more severe risk than exposure of a mailing address alone, and a taxpayer needs to know specifically which category applies to their situation in order to calibrate the appropriate protective response. Communication that uses vague language such as personal information may have been affected, without specifying which categories of personal information are actually implicated, leaves taxpayers unable to determine the actual severity of their individual risk and unable to take appropriately targeted protective action.

Closely following the data type disclosure, taxpayers need clear, specific, and immediately actionable guidance about what protective steps they should take, calibrated to the specific type of data exposure involved. If Social Security numbers were potentially exposed, guidance should address placing a fraud alert or credit freeze with the credit bureaus, monitoring credit reports, and being alert to signs of tax-related identity theft such as a notification that a return has already been filed under their Social Security number when they have not yet filed. If financial account information was potentially exposed, guidance should address contacting the relevant financial institution directly. This guidance should be specific enough that a taxpayer can act on it immediately without needing to research independently what a fraud alert is or how to request one.

Taxpayers also need to know whether the agency is providing any direct support or remediation resources, such as free credit monitoring services, a dedicated incident response hotline separate from the agency’s general taxpayer assistance line, or any other concrete resource the agency is making available specifically in response to this incident. Communication that mentions these resources should provide specific, immediately usable instructions for accessing them, including any enrollment deadlines, rather than a general statement that resources are available without the practical detail needed to actually use them.

Tax-Specific Protective Guidance Beyond General Identity Theft Advice

Because the data potentially exposed in a department of revenue security incident is specifically tax-related, the protective guidance provided should go beyond generic identity theft advice and address the specific risk of tax-related identity theft and fraudulent filing, which is a distinct concern that general credit monitoring services do not directly address. Taxpayers affected by a tax agency data incident should receive specific guidance about how to recognize the signs of tax-related identity theft, such as receiving a notice that a return has already been filed under their identity, or being unable to e-file because a return using their Social Security number has already been accepted.

This guidance should explain the specific process for reporting and resolving suspected tax-related identity theft, including any identity protection PIN program the state offers that can add a layer of protection against fraudulent filing in future tax years, and how affected taxpayers can request enrollment in such a program if it exists and was not already required for their account. Providing this tax-specific guidance, rather than relying solely on generic identity theft protective advice that does not address the specific fraudulent filing risk a tax data incident creates, demonstrates that the agency understands the particular nature of the risk its own systems have created for the affected population.

Sequencing Communication as the Investigation Develops

Data security incidents rarely resolve into a complete, final understanding immediately, and the communication strategy needs to account for a multi-stage sequence that begins with initial notification and continues through updates as the investigation progresses, additional findings are confirmed, and remediation measures are implemented. Each stage of this sequence serves a different communication purpose and should be planned as part of a coherent overall strategy rather than treated as a series of disconnected announcements.

The initial notification, as discussed above, should be issued as soon as the agency has reasonable confidence that an incident has occurred and has identified at least a preliminary scope, even if many details remain under investigation. This initial notification should commit to a specific timeline for the next substantive update, giving affected taxpayers a concrete expectation about when they will receive additional information rather than leaving them to wonder indefinitely.

Follow-up updates, issued as the investigation progresses and as the agency confirms additional facts about the scope, cause, and affected population, should clearly indicate what has changed since the prior communication, including any expansion or narrowing of the previously communicated scope, and should continue to provide whatever additional protective guidance becomes relevant as more specific facts are confirmed. If the investigation determines that the actual scope of affected taxpayers was smaller than initially feared, this should be communicated clearly and promptly, since taxpayers who were initially included in a broader notification but are later confirmed not to be affected deserve to know this as soon as it is confirmed, both to relieve their unnecessary concern and to maintain the agency’s credibility by demonstrating that its investigation is thorough and that it follows through with updated, more precise information as it becomes available.

A final resolution communication, issued once the investigation is substantially complete and remediation measures have been implemented, should provide a comprehensive summary of what occurred, what was ultimately confirmed about the scope and cause, what measures the agency has taken to prevent a recurrence, and what ongoing support, if any, remains available to affected taxpayers. This resolution communication serves an important function in providing closure and a sense that the agency has thoroughly addressed the incident, even though some individual taxpayers may continue to experience downstream consequences, such as resolving a specific instance of attempted fraud, for a longer period after the agency’s formal investigation has concluded.

Coordinating Legal, Technical, and Communication Functions

Data security incident communication requires close coordination between the agency’s communications function and its legal counsel, information technology and security teams, and in many cases external forensic investigators and law enforcement partners who may be involved in the investigation. This coordination is essential because legal counsel may have specific guidance about what can and cannot be disclosed at various stages of the investigation, particularly if a law enforcement investigation is ongoing and premature public disclosure of certain details could compromise that investigation.

This coordination requirement should not become an excuse for indefinite delay in communicating with affected taxpayers. Most jurisdictions have specific legal notification requirements and timelines that govern data breach communication, often requiring notification within a specific number of days of discovery, and these legal requirements represent a floor, not necessarily the optimal communication timeline from the perspective of taxpayer protection and trust preservation. Agencies should work to establish, in advance of any actual incident, a clear internal protocol for how quickly the legal, technical, and communication functions can collaborate to produce an appropriately calibrated initial communication, recognizing that every day of delay between discovery and notification is a day during which affected taxpayers are not yet taking the protective action they need to take.

Establishing this coordination protocol in advance, including pre-identifying which specific individuals from each function need to be involved in incident response decision-making and what the expected timeline for moving from discovery to initial public communication should be, significantly reduces the risk that an actual incident becomes paralyzed by uncertainty about internal process at the exact moment when speed matters most.

When Law Enforcement Involvement Constrains Public Communication

In some incidents, particularly those involving suspected criminal activity such as a deliberate hacking attempt rather than an inadvertent data exposure, law enforcement agencies may request that the department of revenue delay or limit certain public disclosures to avoid compromising an active investigation. When this constraint applies, the agency should still communicate as much as it can responsibly share given this constraint, including acknowledging that an incident has occurred and providing whatever protective guidance does not depend on the specific details being withheld, rather than allowing a law enforcement coordination requirement to become a justification for withholding all communication. Agencies should work proactively with law enforcement partners to identify the minimum information that must be withheld to protect the investigation, rather than defaulting to a maximally restrictive interpretation that delays useful protective communication to taxpayers without a clear, specific investigative justification for each withheld detail.

Tone and Accountability in Incident Communication

The tone of data security incident communication matters significantly to how taxpayers receive and respond to it. Communication that feels evasive, overly legalistic, or focused primarily on minimizing the agency’s apparent culpability rather than on genuinely helping affected taxpayers protect themselves tends to generate more anger, more distrust, and more negative media and public attention than communication that takes clear ownership of the situation and focuses directly on what affected taxpayers need to know and do.

This does not mean an agency should make legal admissions of fault that are not warranted or accurate, particularly while an investigation is still determining the precise cause and circumstances of an incident. It means that the communication should be written from a place of genuine concern for the affected taxpayers’ wellbeing, acknowledging directly that the agency understands the seriousness of the situation and the legitimate concern it creates, rather than communication that reads as though it was drafted primarily to satisfy a legal notification requirement with the minimum necessary content.

Agencies should avoid language that minimizes the incident’s significance, such as describing a confirmed unauthorized access as a minor technical issue, or language that shifts responsibility onto the affected taxpayers, such as suggesting that taxpayers should have been more careful with their own information in a situation where the exposure occurred entirely within the agency’s own systems. Taking clear, direct ownership of the incident and its consequences, while still providing accurate and appropriately calibrated information about what is confirmed versus still under investigation, is the tone that best preserves taxpayer trust through a genuinely difficult episode.

Multilingual and Accessible Incident Communication

Data security incident notifications, like other high-stakes tax communication, need to reach the full breadth of an agency’s taxpayer population, including taxpayers with limited English proficiency and taxpayers who may have accessibility needs that affect how they can receive and act on the communication. The urgency and protective importance of incident communication makes this accessibility requirement especially important, since a taxpayer who does not receive or cannot understand the notification is not only missing routine information but missing time-sensitive guidance that directly affects their exposure to identity theft and financial fraud risk.

Agencies should ensure that incident notifications are translated into the agency’s priority languages as quickly as possible, ideally simultaneously with the English-language release rather than as a delayed follow-up, given the time-sensitive nature of the protective guidance involved. Where the scope of an incident is large enough to warrant broad public notification beyond direct mail to affected individuals, such as media coverage or a public website notice, that broader communication should also be available in the agency’s priority languages from the outset.

Strategic Communication Support for Departments of Revenue

Data security incident communication is, like high-volume system outage communication, a discipline that most agencies engage with only rarely, but the stakes involved, given the sensitivity of the data tax agencies hold and the severity of the harm that can result from its exposure, make advance preparation even more critical than in most other crisis communication contexts. An agency that has not developed and rehearsed an incident communication framework before an actual breach occurs is significantly more likely to produce a delayed, inconsistent, or poorly calibrated response when an actual incident demands immediate, confident action.

A structured assessment of an agency’s data security incident communication readiness typically identifies a consistent set of gaps: no pre-established communication framework or template structure, unclear internal protocols for coordinating legal, technical, and communication functions under time pressure, no established multilingual translation process calibrated for incident response speed, and no clear approach for sequencing communication as an investigation develops from initial notification through to final resolution.

Stegmeier Consulting Group (SCG) helps departments of revenue build data security incident communication frameworks that protect taxpayers and preserve agency credibility when the inevitable security incident occurs. That support may include incident communication framework and template development, legal and technical coordination protocol design, tax-specific protective guidance content development, multilingual incident communication planning, and tone and accountability review for incident communication drafts.

The goal of this work is an agency that, when faced with a data security incident, can move quickly from discovery to a calibrated, honest, genuinely protective communication that gives affected taxpayers what they need to protect themselves immediately, and that continues to communicate with consistency and transparency through every subsequent stage of the investigation and resolution.

Future Trends in Data Security Incident Communication

The landscape of data security incident communication for departments of revenue is evolving as the frequency and sophistication of cyberattacks against government systems continues to increase, as legal notification requirements continue to develop in many states, and as public expectations for rapid, transparent breach communication continue to rise based on standards set across both public and private sector incident response.

Pre-built incident response communication infrastructure, including dedicated incident notification webpages, pre-established multilingual translation relationships that can be activated rapidly, and pre-negotiated contracts with credit monitoring service providers that can be deployed quickly when an incident occurs, is becoming a more common element of agency incident preparedness, reducing the lag time between incident discovery and the availability of concrete protective resources for affected taxpayers.

Growing legislative attention to data breach notification timelines and content requirements, in many states, is likely to continue tightening the legal floor for how quickly and how specifically agencies must communicate following a confirmed incident, making proactive readiness an increasingly important compliance matter as well as a trust preservation strategy.

Increased use of dedicated incident response communication channels, including a specific phone line and webpage created specifically for a given incident rather than relying solely on the agency’s general communication channels, allows affected taxpayers to access incident-specific information and support more efficiently, separate from the agency’s routine taxpayer service channels that are not specifically staffed or resourced to handle a sudden surge of incident-related inquiries.

Finally, growing recognition that data security incident communication and broader scam and fraud prevention communication, discussed in other contexts of taxpayer outreach, are closely related disciplines, since a real data security incident at a department of revenue creates an environment that fraudulent actors can exploit by impersonating the agency’s own incident communication to conduct secondary phishing schemes targeting the same affected population. Agencies should anticipate this risk and include guidance within their incident communication that helps taxpayers distinguish the agency’s genuine incident notifications and follow-up communication from fraudulent communications that may attempt to exploit the heightened anxiety and information-seeking behavior the incident itself has created.

Conclusion

A data security incident at a department of revenue places the agency’s most sensitive responsibility, the protection of taxpayers’ personal and financial information, directly into question at the exact moment when taxpayers most need to trust that the agency is handling the situation competently and transparently. The communication that follows such an incident cannot undo the exposure that has already occurred, but it can substantially determine whether affected taxpayers take the protective action they need to take in time to limit the harm, and whether the agency’s relationship with the public it serves emerges from the incident damaged or, through honest and competent handling, ultimately reinforced.

Departments of revenue that approach incident communication with calibrated transparency, sequenced and honest updates, specific and immediately actionable protective guidance, and a tone that takes genuine ownership of the situation are giving their affected taxpayers the best possible foundation for protecting themselves during a genuinely difficult moment. That standard of communication, built and rehearsed before any actual incident occurs, is one of the most consequential investments a department of revenue can make in both taxpayer protection and the long-term credibility of the agency itself.

SCG’s Strategic Approach to Communication Systems

Align your agency’s messaging, processes, and public engagement strategies.

Departments of revenue need data security incident communication frameworks that protect taxpayers and preserve agency credibility from the first moment an incident is discovered. That means calibrated transparency that clearly distinguishes confirmed facts from ongoing investigation, immediate and specific guidance about what data was affected and what protective steps to take, tax-specific identity theft guidance beyond generic advice, sequenced updates that maintain a reliable cadence through resolution, and coordination protocols that let legal, technical, and communication functions move quickly together rather than stalling under uncertainty.

SCG helps departments of revenue build data security incident communication frameworks that protect affected taxpayers and preserve trust through one of the most consequential communication challenges an agency can face. Whether your agency needs an incident communication framework, legal and technical coordination protocols, tax-specific protective guidance development, multilingual incident planning, or tone and accountability review, SCG can help you build a system that is ready before the incident occurs, not improvised after it.

Use the form below to connect with our team and explore how strategic data security incident communication can help your agency protect taxpayers, meet legal notification obligations, and preserve public trust when a security incident occurs.