On August 13, 2015, the Treasury Department and the IRS released Announcement 2015–22, 2015–35 I.R.B. 288, which provides information on the Federal tax treatment of identity protection services that are provided to victims of a data breach. The announcement provides that the IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Announcement 2015–22 also provides that the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. The announcement further provides that the IRS will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099–MISC) filed with respect to such individuals.
In Announcement 2015–22, the Treasury Department and the IRS requested comments on whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. The IRS received four comments. Several commenters requested that the Treasury Department and the IRS clarify the taxability of identity protection services provided at no cost to employees or other individuals before a data breach occurs. The commenters stated that data security has become a major concern for many organizations due to data breaches. Some commenters cited statistics showing a significant increase in the number of data breaches that result in unauthorized access to information systems containing personal information of employees and other individuals. Despite heightened efforts by organizations to prevent data breaches using traditional information technology security features (such as firewalls and antivirus software), some organizations are making security decisions based on the belief that breaches of their information systems are inevitable. The commenters further stated that an increasing number of organizations are combating data breaches by providing identity protection services to employees or other individuals before a data breach occurs in order to help detect any occurrence of a breach in their information systems, and to minimize the impact to their operations.
The Treasury Department and the IRS have considered the comments received, including statements by commenters that providing identity protection services to employees and other individuals before a data breach occurs will allow earlier detection of a data breach and minimize the impact of a breach on operations. The Treasury Department and the IRS have determined that Announcement 2015–22 should be extended to include identity protection services provided to employees or other individuals before a data breach occurs. Accordingly, the IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099–MISC) filed with respect to such individuals. Any further guidance on the taxability of these benefits will be applied prospectively.
This announcement does not apply to cash received in lieu of identity protection services. This announcement also does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.
The Internal Revenue Bulletin is produced and published by the Internal Revenue Service and contains IRS pronouncements affecting tax analysis under the Code and the Regulations, including but not limited to Revenue Procedures, Revenue Rulings, Notices and Announcements. Access the IRS site at https://www.irs.gov/help/irsgov-accessibility for information concerning accessibility of IRS materials. While every effort has been made to ensure that the IRB database files available through the TouchTax application are accurate, those using TouchTax for legal research should verify their results against the printed versions of the IRBs available from the IRS.