Data breaches and the identity fraud that may result from breaches can wreak personal and professional havoc. Recent large-scale data breaches have affected major retailers and companies, financial institutions, health insurers, and government agencies and have demonstrated that all forms of sensitive personal information can be vulnerable to exploitation. According to data from the Bureau of Justice Statistics, an estimated 16.6 million people (or 7 percent of all U.S. residents who are 16 and older) were victims of identity theft in 2012 (which, at the time of publication, was the latest year for which the Bureau of Justice Statistics had data) and direct and indirect losses from identity theft totaled $24.7 billion that year.
To prevent and mitigate potential losses, companies that experience a data breach involving consumer or employee personal information may take a number of actions. These include providing credit reporting and monitoring services, identity-theft insurance policies, identity-restoration services, and other identity-protection services to individuals whose personal information may have been compromised. Note that some state laws require companies to provide these services to individuals whose information has been put at risk.
One notable example of a serious data breach involved the Internal Revenue Service (IRS). In May of 2015, the IRS announced that taxpayer accounts had been illegally accessed using the “Get Transcript” application on its website. When the IRS first announced the breach, it reported that the data breach resulted in the theft of the personal information of 114,000 taxpayers. In August of 2015, the IRS revised its original estimate up to 330,000 affected taxpayers. As part of its mitigation strategy, the IRS offered free credit monitoring to taxpayers whose accounts were accessed.
Tax Implications of Identity Protection Services
When an employer is responding to a data breach involving its employees’ personal information, one of the last things it may think about is whether the value of the identity-protection services it makes available to affected employees should be considered taxable to the employees and reported as such. In general, all benefits provided to an employee by an employer must be treated as income unless the Tax Code provides an exclusion. Until recently, no guidance specifically addressed whether the value of identity-protection services should be treated as income.
In response to this issue (and perhaps as a result of its own data breach), on August 13, 2015, the IRS announced that it will not require an employer that provides identity-protection services to its employees as a result of an employment-based recordkeeping data breach to include the value of those services in the employees’ gross income and wages. Specifically, Announcement 2015-22, Federal Tax Treatment Of Identity Protection Services Provided To Data Breach Victims, states that:
- An individual whose personal information may have been compromised in a data breach need not include in gross income the value of the identity-protection services provided by the organization that experienced the data breach.
- An employer providing identity-protection services to employees whose personal information may have been compromised in a data breach of the employer’s recordkeeping system or of the recordkeeping system of the employer’s agent or service provider need not include the value of the identity-protection services in the employees’ gross income and wages.
- The value of the identity-protection services need not be reported on an information return, such as a Form W-2 or a Form 1099-MISC filed with respect to the affected individuals.
Importantly, this tax treatment does not apply to:
- identity-protection services received for reasons other than a data breach, such as identity-protection services received with an employee’s compensation benefit package;
- cash received in lieu of identity-protection services (even if it was received because of a data breach); or
- any proceeds received under an identity-theft insurance policy, as treatment of these policies is governed under distinct rules governing insurance recoveries.
Flashback to Frequent Flyer Benefits
The IRS’s recent announcement regarding the taxability of identity-protection services is reminiscent of the IRS’s 2002 announcement regarding the taxability of frequent flyer miles earned from employee business travel and used by employees to get free personal travel benefits from airlines. In 2002, the IRS announced that it would not assert that an employee has taxable income because he or she received or used frequent flyer miles earned while flying on an employer’s business. Neither the IRS’s identity-protection services announcement nor the frequent-flyer announcement provides much clarity to the law and instead merely states that the IRS will not assert that the benefits are taxable income.