Earlier this year, we reported that the Internal Revenue Service clarified that it would not consider the value of credit monitoring and other identity protection services provided by employers to employees in connection with a data breach to be taxable income to the employees. IRS Announcement 2015-22. In response to comments, the IRS expanded this tax treatment to apply when employers provide such services before a breach happens. IRS Announcement 2016-02.
In the more recent Announcement, the IRS concludes:
Accordingly, the IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals. Any further guidance on the taxability of these benefits will be applied prospectively
This is welcomed news for employers looking for ways to help their employees avoid being affected by a data breach, and mitigating the effects should employees become victims of a breach. The employer can provide the services without increasing its federal payroll taxes and employees can receive the services without incurring any additional federal tax liability. Employers and employees will still have to consider any potential state and local tax implications, and should confer with their tax advisors accordingly.
The Announcement states, however, that it does not apply to cash received in lieu of identity protection services, or to proceeds received under an identity theft insurance policy. Thus, for example, the tax treatment of proceeds received under an identity theft insurance policy continues to be governed by existing law.
As a result of this action, and because of how prevalent data breaches have become, it is likely that more employers will be looking to provide data breach monitoring and related services to their employees. While these services would not constitute benefits covered under the Employee Retirement Income Security Act (ERISA), as with other employee benefits, employers will want to carefully select the vendors that will provide the services, and take other steps to incorporate this into their overall benefit offerings.