As reported here [http://www.proskauertaxtalks.com/2015/09/irs-provides-some-relief-after-data-hacks/], after last year’s customer data security breaches at major U.S. corporations, the IRS announced special tax relief for identity protection services provided to individuals affected  by a security breach.  In response to comments solicited in connection with that announcement, the Treasury Department and IRS have in Announcement 2016-02 [https://www.irs.gov/pub/irs-drop/a-16-02.pdf] extended that relief to no-cost identity protection services provided before a data breach.

In statements to the IRS, commenters stated that data security is a major concern for many organizations and cited statistics showing a significant increase in the number of data breaches that result in unauthorized access to information systems containing personal information of employees and other individuals.  Commenters also stated that some organizations are making security decisions based on the belief that breaches of their information systems are inevitable.  In addition, commenters stated that an increasing number of organizations are combating data breaches by providing identity protection services to employees or other individuals before a data breach occurs in order to help detect any occurrence of a breach in their information systems, and to minimize the impact to their operations.

Citing these considerations as the basis for its extension of its former tax relief on identity protection services, Announcement 2016-02 provides that the IRS will not assert:

  • that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers), or
  • that an employer providing identity protection services to its employees must include the value of such services in the employees’ gross income and wages.

Nor will the IRS assert that the value of such service needs to be reported on information returns such as Forms W-2 or 1099.

However, this relief does not apply to cash that an individual may receive in lieu of identity protection services, or to proceeds received under an identity theft insurance policy.

Proskauer’s Perspective:  This guidance is welcome news for employers that want to offer identity protection services to employees as part of their data security strategy.  They may now offer these services without increasing their (or their employees’) federal tax liability.  However, employers should be mindful of state and/or local tax laws as they may differ from federal tax law.