Treasury Department and IRS issue updated guidance on tax treatment of identity protection services

Last August, we reported that the Treasury Department and Internal Revenue Service (IRS) issued Announcement 2015-22, 2015-35 I.R.B. 288, which provides information on the federal tax treatment of identity theft protections services provided to data breach victims. The announcement states that the IRS will not assert that an individual whose personal information may have been compromised in a breach must include in gross income the value of the identity protection services provided by the organization that experienced the breach. Also, the IRS will not require an employer providing identity protection services to employees as a result of a data compromise to include the value of the identity protection services in employees’ gross income and wages. The Treasury Department and IRS requested comments on whether organizations commonly provide identity protection services in situations other than due to a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services.

Four comments were received, which the Treasury Department and IRS addressed in Announcement 2016-02. Commenters noted the increasing risks of data breaches, despite heightened prevention efforts. Some organizations are making security decisions based on the belief that breaches of their information systems are inevitable. Consequently, an increasing number of organizations are providing identity protection services to employees and other individuals before a data breach occurs, which is done to further detection of any occurrence of a breach in their information systems and minimize the impact to their operations.

As noted in Announcement 2016-02, the Treasury Department and the IRS have determined that Announcement 2015-22 should be extended to include identity protection services provided to employees or others before a breach. Such services do not have to be included in the recipient’s gross income, nor must an employer include their value in employees’ gross income and wages. The announcement does not apply to cash received in lieu of identity protection services, or to proceeds received under an identity theft insurance policy.