The IRS has issued some favorable guidance on the tax treatment of identity protection services provided to data breach victims. In Announcement 2015-22, the IRS indicated that when an organization experiences a data breach, and it provides identity protection services to individuals whose information may have been compromised, the IRS will not assert that the individual must include the value of the services in gross income. In addition, the IRS says that when an employer provides such services as a result of a data breach involving the recordkeeping systems of the employer, or the employer’s agent or service provider, the employer will not be required to include the value of the services in the employee’s gross income and wages. The Announcement also indicates that the IRS will not assert that these amounts need to be reported on an information return (such W-2 or 1099-Misc.).
According to the Announcement, the “identity protection services” to which this guidance applies include credit reporting and monitoring services, identity theft insurance policies, identity restoration services and other similar services, but only when provided in connection with a data breach that occurs as a result of “hacking” or otherwise. The tax relief provided by this guidance does not apply where an employer provides these services to its employees as part of its regular compensation and benefits package. Nor does it apply to cash received in lieu of identity protection services. Also, although the value of an identity theft insurance policy is included in the relief, it does not apply to the proceeds received under an identity theft insurance policy. The tax treatment of such amounts is determined under existing tax laws applicable to insurance recoveries.
The Announcement concludes with a request for comments on whether organizations commonly provide identity protection services in situations other than as a result of a data breach and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. The deadline for providing comments to the IRS is October 13, 2015.