Thomson Reuters Tax & Accounting News

Featuring content from Checkpoint

Identity protection services provided to individuals affected by data breach aren’t taxable

Ann. 2015-22, 2015-35 IRB

IRS has announced that when an individual receives identity protection services from an organization at no cost following a data security breach, the individual isn’t required to include the value of those services in gross income, and the organization isn’t required to report these amounts on information returns filed with respect to these individuals.

Statutory background. Code Sec. 61 generally provides that gross income means all income from whatever source derived, and in whatever form realized, whether in money, property, or services. Only items specifically exempt may be excluded.

Background on identity theft. Identity theft occurs when a person wrongfully obtains and uses another person’s personal information (for example, name, social security number, or banking or credit account numbers) in a way that involves fraud or deception, typically for economic gain.

Businesses, government agencies, and other organizations make significant efforts to secure the personal information of their customers and employees, but data breaches nonetheless occur. In response to such data breaches, organizations often provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services (collectively, “identity protection services”) to the customers, employees, or other individuals whose personal information may have been compromised as a result of the data breach. These identity protection services are intended to prevent and mitigate losses due to identity theft resulting from the data breach.

Issue. Questions have been raised concerning the taxability of identity protection services provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach. Existing guidance does not specifically address these questions.

IRS’s position. In Ann. 2015-22, IRS said that it:

…would not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach;
…would not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages; and
…would not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.

IRS stressed, however, that the positions described above do not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package. Proceeds received under an identity theft insurance policy are also not covered by Ann. 2015-22 but rather are governed by existing law.

Comments requested. IRS requested comments, to be submitted in writing by Oct. 13, 2015, on whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations.

References: For gross income defined, see FTC 2d/FIN ¶ J-1000; United States Tax Reporter ¶ 614; TaxDesk ¶ 101,000; TG ¶ 12,001.

 
