• On October 1, 2015, T-Mobile announced that hackers breached Experian’s network and stole information relating to 15 million T-Mobile customers. Experian is providing affected individuals with two years of free credit monitoring and identity resolution services.
  • In June, the U.S. Office of Personnel Management announced a massive security breach potentially affecting 21.5 million government workers.  Impacted individuals have been offered credit and identity monitoring, identity theft insurance, and identity restoration services for a three-year period.
  • In February, customers of health insurance company Anthem, Inc. were offered two years of free credit monitoring following a breach impacting nearly 80 million individuals, including current and former members of Anthem health plans, as well as members of some independent insurance companies whose paperwork is administrated by Anthem. 

In today’s cyber-risk filled environment, what are the income tax and payroll tax implications for receiving these benefits?

In Announcement 2015-22, the IRS has stated that it will not include the value of identity protection services provided by an organization that experienced a data breach in the gross income of an individual whose personal information may have been compromised in that breach.  

In addition, the IRS will not require employers providing identity protection services to employees whose personal information may have been compromised in a recordkeeping system data breach to include the value of the identity protection services in the employees’ gross income and wages. The reporting of these amounts on an information return (such as a Form W-2 or Form 1099) related to the impacted individual will also not be required.

It should be noted that Announcement 2015-22 does not apply to (1) cash received in lieu of identity protection services, (2) identity protection services received for reasons other than as a result of a data breach (such as identity protection services received by an employee in connection with his or her compensation benefit package), or (3) proceeds received under an identity theft insurance policy.