The Internal Revenue Service said it will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach.

Announcement 2015-22, issued Thursday, also states that the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. 

Data breaches have been a growing problem in private industry and the federal government, including the IRS, which revealed in May that organized criminals had used its online Get Transcript application to access the tax returns of an estimated 104,000 taxpayers (see IRS Detects Massive Data Breach in ‘Get Transcript’ Application).

Despite the efforts of many businesses, government agencies and other organizations, data breaches and computer hacking can expose the personal information of employees and customers to identity thieves. In response to such data breaches, the IRS noted that organizations often provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or similar services to their customers, employees and other individuals whose personal information may have been compromised as a result of a data breach. These identity protection services aim to prevent and mitigate losses due to identity theft resulting from the data breach.

However, questions have been raised concerning the taxability of identity protection services provided at no cost to customers, employees or other individuals whose personal information may have been compromised in a data breach. The IRS’s existing guidance has not specifically addressed these questions.

The IRS said in Thursday’s announcement that it will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed for those individuals.

The IRS added that the announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package. The announcement also does not apply to proceeds received under an identity theft insurance policy, as the treatment of insurance recoveries is governed by existing law.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access