IRS asserts no taxable income from certain identity theft protection
TAX ALERT |
The IRS has issued Announcement 2015-22 to address the tax treatment of identity theft protection provided to customers of organizations that have been the victim of a data breach as well as employees whose employer or a service provider to that employer has had its confidential data breached.
Specifically, the announcement indicates that the IRS will assert that the value of the protection provided to the employee or customer is not includible in gross income or reported on informational Forms W-2 or 1099-MISC. This announcement provides welcome clarity given the increase in the number and size of data breaches and the practices of many organizations to provide some protection to the exposed individuals when such breaches occur.
It is important, however, to understand the announcement only applies to identity theft protection provided in connection with specifically identifiable data breaches and not identity theft protection provided to employees or customers in other circumstances.
The announcement specifically states that it does not apply to:
- Cash received in lieu of identity protection services
- Identity protection services received for reasons other than a data breach, such as identity protection services received in connection with an employee's compensation benefit package
- Proceeds received under an identity theft policy
For example, one of the major health insurers recently announced new identity protection services will be available to their customers by Jan. 1, 2016. In addition, many employers aware of the increased threat of data breaches and employee personal information stored in their systems are considering offering identity theft protection to employees. While it is not clear that protection services provided to potentially effected individuals of an actual data breach are not taxable to the protected individuals, the IRS made it clear that the announcement did not address all potential situations.
Until the IRS offers further guidance, organizations that choose to provide identity theft protection before any actual data breach occurs will have to consider whether the value of that protection is taxable to the recipients. Employers, for example, may have a position that the protection is excluded from taxable income under a specific tax provision, such as the working condition fringe benefit rules that exclude certain employee benefits from income. This position will depend on the facts and circumstances of each protection program, though, as the IRS's current fringe benefit guidance did not contemplate the existence or the need for such protection services. In the absence of additional clarifying guidance from the IRS that may apply to similar benefits provided in advance of a breach, organizations that currently offer or plan to offer identity theft protection should consult with their tax advisor on the specific facts of their plan to determine whether there is risk that the value of the protection is includible in the recipients' income.