A recent IRS announcement raises questions about how Canadian tax authorities will treat the free data protection services that organizations often provide in order to mitigate data breaches.

Here’s a less-than-cheerful thought: data breaches are now more common and costly than ever before—and one of the most common ways of mitigating the damage, offering free identity theft and fraud protection services, may have significant tax consequences for organizations, employees, and customers alike.

Credit Monitoring and Identity Theft Protection Services

According to a recent report by the Ponemon Institute and IBM, the total cost of a data breach increased 23% between 2013 and 2015, with the average cost to organizations now US$3.79 million. Credit monitoring and identity theft protection services (collectively, “data protection services”) can help mitigate risk to customers and to organizations in a few ways:

  • They can protect customers against fraud and identity theft by monitoring credit reports, financial services, and other personal data records for signs of suspicious activity, and sometimes by scanning the darker corners of the internet for evidence of stolen data.
  • They can also help avoid expensive lawsuits. According to one study, the likelihood of litigation drops by a factor of six if an organization provides free credit monitoring promptly after the breach.
  • They can also act like “early warning systems”. Some organizations proactively offer data protection services to employees and customers, which can help detect any occurrence of a breach in their information systems.

Current Tax Treatment: Canada versus the United States

In the United States, the Internal Revenue Service (IRS) recently announced that complimentary data protection services offered by organizations to those people affected by a data breach will not be taxable, even if the services are provided before a breach occurs. Specifically, the IRS clarified that individuals who receive identity protection services will not have to report the value of the services in their gross income, and that employers will not need to include the value of the services in their employees’ gross income and wages.

The Canada Revenue Agency (CRA) hasn’t (yet) announced a similar policy, leaving Canadian organizations uncertain about the tax status of identity protection services. One thing is clear, though: when drafting organizational data breach preparation plans, organizations should factor the potential tax consequences into the equation.

Are Data Protection Services a Taxable Benefit?

Since data protection services can be expensive when purchased directly, they might be considered a form of taxable benefit if organizations provide them for free.

However, under Announcement 2015-22 found in the latest Internal Revenue Bulletin , the IRS has stated that it “will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.”

The situation is clearer in the United States than it is for Canada.In Canada, the CRA has not announced a similar policy. Some key issues therefore remain unclear for Canadian organizations that want to offer identity protection services (either before or after a breach occurs) as part of their data security strategy:

  • Who benefits from data protection services? Under the Income Tax Act’s (ITA) rules on employer-provided services, a service that primarily benefits an employee is taxable to the employee as income from employment, while a service that primarily benefits the employer is tax-deductible as a business expense (for more information, see the CRA’s guide for employers on taxable benefits and allowances). Data protection services offered before a data breach occurs seem to primarily benefit an employer: the services’ purpose is to alert the organization if a breach occurs, and since a breach hasn’t occurred, from the point of view of an employee the services are of neutral value. Once a breach occurs, employees may benefit more from data protection services than employers: an employee would need protection from identity theft and other misuse of their personal information, while from the employer’s perspective, data protection services won’t do much good if the data has already been breached. Clarity is therefore needed from the CRA regarding the property characterization of data protection services, and regarding how the benefits from data protection services should be apportioned between employers and employees.
  • Where do customers and other third parties fit in? Organizations that suffer (or anticipate suffering) data breaches often offer data protection services not just to employees, but also to their customers and other affected parties. It’s unclear whether these services would be taxable in Canada. Broadly speaking, income isn’t taxable if doesn’t fall under one of one of the four traditional sources of income: office, employment, business, and property. If a customer receives data protection services from an organization following a breach, the CRA might not consider the value of the services to be “income from a source”, meaning that the data protection services offered to third parties might be tax-free. Clarity is therefore needed from the CRA regarding how, and under what circumstances, it will categorize the value of data protection services.
  • Are data protection services a “benefit” or a form of settlement? If the data protection services come with a promise to indemnify the organization from future liability, the CRA’s rules regarding settlement payments may come into play—creating potentially significant tax implications for the organization and the person receiving the services. Again, some clarity is needed from the CRA on how it will classify data protection services.

In the absence of clear guidance, organizations may wish to obtain advance rulings from the CRA regarding the tax treatment of data protection services. In any case, it’s clear that data breaches will have tax consequences that an organization should be ready for. The IRS announcement is an important reminder that tax planning is an essential part of data breach preparation.