IRS Issues Guidance on Tax Treatment of Identity Theft Protection Services
UPDATE: After considering public comments, the IRS extended the below guidance to include identity protection services that are provided to employees or other individuals before a data breach actually occurs. Additionally, an employer providing identity protection services to its employees does not have to include the value of the services in the employees' gross income and wages. Also, an employer does not have to report these amounts on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals. Announcement 2016-02, 2016-3 IRB LEXIS January 19, 2016.
Author: Rena Pirsos, XpertHR Legal Editor
August 14, 2015
To help combat the growing problem of identity theft in the US, the IRS has issued guidance on the taxability of identity protection services provided by an employer at no cost to employees whose personal information may have been compromised in a data breach. The IRS is also requesting comments from employers on other related issues.
Recent high-profile data breaches at various organizations have exposed millions of people to the risk of identity theft - when someone illegally obtains and uses another individual's personal information, such as their name, Social Security Number or banking or credit card account numbers. Despite the significant efforts an employer may be making to secure the personal information of its employees, a data breach of the employer's recordkeeping systems can expose employees' confidential information to identity thieves, such as computer hackers. The IRS notes that this type of fraud has been the number one consumer complaint to the Federal Trade Commission for 15 years.
The guidance provides for three tax relief measures:
- An individual whose personal information may have been compromised in a data breach does not have to include in gross income the value of identity protection services provided by the employer that experienced the data breach;
- An employer providing identity protection services to an employee who is the victim of a personal data breach in the employer's (or an agent's or service provider's) recordkeeping system does not have to include the value of the identity protection services in the employees taxable income and wages; and
- An employer does not have to report the value of identity protection services provided to an affected employee on an information return (i.e., Form W-2) filed with respect to the employee.
The guidance does not apply to:
- Cash received in lieu of identity protection services, or identity protection services received in connection with an employee's compensation benefit package; and
- Proceeds received under an identity theft insurance policy (existing law governs the treatment of insurance recoveries).
The IRS is requesting comments to determine in what other circumstances employers commonly provide identity protection services, and whether additional guidance would be helpful to employers in clarifying the tax treatment of the services provided in those circumstances. Employers that wish to submit comments should do so, in writing, by October 13, 2015. Comments may be sent electronically to firstname.lastname@example.org. The words "Announcement 2015-22" must be included in the subject line. All comments will be available for public inspection.