Thomson Reuters Tax & Accounting News

Featuring content from Checkpoint

IRS expands definition of nontaxable identity protection services

Ann. 2016-2, 2016-3 IRB

IRS has announced an expansion to the types of nontaxable identity protection services that an entity can provide at no cost to employees or other individuals, to include those provided before a data breach occurs. An individual who receives these services isn’t required to include their value in gross income, and the entity isn’t required to consider these amounts as includible in the employees’ gross income or report them on information returns filed with respect to the individual.

Statutory background. Code Sec. 61 generally provides that gross income means all income from whatever source derived, and in whatever form realized, whether in money, property, or services. Only items specifically exempt may be excluded.

Background on identity theft. Identity theft occurs when a person wrongfully obtains and uses another person’s personal information (for example, name, social security number, or banking or credit account numbers) in a way that involves fraud or deception, typically for economic gain.

Businesses, government agencies, and other organizations make significant efforts to secure the personal information of their customers and employees, but data breaches nonetheless occur. In response to such data breaches, organizations often provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services (collectively, “identity protection services”) to the customers, employees, or other individuals whose personal information may have been compromised as a result of the data breach. These identity protection services are intended to prevent and mitigate losses due to identity theft resulting from the data breach.

Earlier guidance. In Ann. 2015-22, 2015-35 IRB 288, IRS provided guidance on the tax consequences of identity protection services provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach. IRS said that it:

…would not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach;
…would not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages; and
…would not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.

For more details, see Weekly Alert ¶ 2 08/20/2015.

Expanded relief. IRS decided to expand the above relief to include identity protection services provided to employees or other individuals before a data breach occurs, citing statements received from commenters that providing such services before a data breach occurs will allow earlier detection of a data breach and minimize the impact of a breach on operations.

IRS stated, however, that the nontaxable treatment described above does not apply to cash received in lieu of identity protection services or proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.

References: For gross income defined, see FTC 2d/FIN ¶ J-1000; United States Tax Reporter ¶ 614; TaxDesk ¶ 101,000; TG ¶ 12,001.