I probably shouldn't be blogging on a Friday during the dog days of August, as many readers are on vacation. However, legal developments – the IRS and other government agencies – like time, “wait for no man,” and this is good news. IRS Announcement 2015-22, scheduled to be published in Internal Revenue Bulletin 2015-35 dated August 31, announces that:

  • IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. (The Announcement doesn't specify whether a company must provide this protection to all employees or could limit it, for example, to officers only.)
  • IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach.
  • IRS will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.

The Announcement does not specify an effective date, but apparently is effective immediately and retroactively.

Importantly, this treatment does not apply to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package or to cash received in lieu of identity protection services. However, it seems like every employee at every company has or will eventually experience a data breach, sadly. The announcement also does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.