Identity theft, also known as identity fraud, occurs when a person wrongfully obtains and uses another person’s personal information (for example, name, social security number, or banking or credit account numbers) in a way that involves fraud or deception, typically for economic gain. Identity theft is a growing problem in the United States. Identity theft has been the number one consumer complaint to the Federal Trade Commission for fifteen consecutive years. The Bureau of Justice Statistics estimates that 16.6 million people were victims of identity theft in 2012, the latest year for which data is available. In addition, recent high-profile data breaches at various organizations have exposed many more millions of persons to the risk of identity theft.
Businesses, government agencies, and other organizations make significant efforts to secure the personal information of their customers and employees. Notwithstanding these efforts, a data breach of an organization’s recordkeeping systems, whether due to computer “hacking” or otherwise, can expose this information to identity thieves. In response to such data breaches, organizations often provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services (collectively “identity protection services”) to the customers, employees, or other individuals whose personal information may have been compromised as a result of the data breach. These identity protection services are intended to prevent and mitigate losses due to identity theft resulting from the data breach.
Questions have been raised concerning the taxability of identity protection services provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach. Existing guidance does not specifically address these questions.
The IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. The IRS will also not assert that these amounts must be reported on an information return (such as Form W–2 or Form 1099–MISC) filed with respect to such individuals. This announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package. This announcement also does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.
The Treasury Department and the IRS request comments on whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. Comments should be submitted in writing on or before October 13, 2015 to the following address:
Internal Revenue Service
CC:PA:LPD:PR (Announcement 2015–22)
P.O. Box 7604
Ben Franklin Station
Washington, DC 20044
Comments also may be sent electronically to notice.comments@irscounsel.treas.gov. Please include "Announcement 2015–22” in the subject line. All comments will be available for public inspection.
The principal author of this announcement is Seoyeon Sharon Park of the Office of Associate Chief Counsel (Income Tax & Accounting). For further information regarding this announcement, contact Ms. Park at (202) 317-7006 (not a toll-free number).
The Internal Revenue Bulletin is produced and published by the Internal Revenue Service and contains IRS pronouncements affecting tax analysis under the Code and the Regulations, including but not limited to Revenue Procedures, Revenue Rulings, Notices and Announcements. Access the IRS site at https://www.irs.gov/help/irsgov-accessibility for information concerning accessibility of IRS materials. While every effort has been made to ensure that the IRB database files available through the TouchTax application are accurate, those using TouchTax for legal research should verify their results against the printed versions of the IRBs available from the IRS.