Cybersecurity and Data Privacy: Belated Holiday Gift - The IRS Doubles Down on Tax Free Identity Protection Services

January 19, 2016

By: Clifford G. Tsan and Michael D. Billok

Following several high-profile breaches of business and government databases affecting the personal information of millions of Americans (including the IRS’s "Get Transcript" app), many businesses, governmental agencies and other organizations have increased efforts to keep their customers’ and employees’ personal information secure. In particular, some entities offer complimentary identity protection services, both before and after the occurrence of a data breach. Generally, these services include credit monitoring and reporting services, identity theft insurance policies, and identity restoration services intended to prevent or mitigate losses due to identity theft from a data breach.

Earlier this year, the IRS issued Announcement 2015-22, Federal Tax Treatment of Identity Protection Services Provided to Data Breach Victims, setting forth its position that the value of identity protection services provided by an organization that suffered a data breach is not includible in the gross income of victims of data breaches (customers, employees, and others). The tax relief provided under Announcement 2015-22, however, specifically excludes (i) identity protection services received other than as a result of a data breach (for example, as part of a compensation package), (ii) cash received in lieu of identity protection services, and (iii) insurance proceeds received under an identity theft policy (governed under existing law).

The IRS requested comments in connection with Announcement 2015-22 concerning whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. According to the commenters, these services are being provided with increasing frequency in order to allow early detection of data breaches and minimize the impact of breaches when they occur.

In response to the comments received, on December 30, 2015, the IRS issued Announcement 2016-02, Federal Tax Treatment of Identity Protection Services, which extends favorable federal tax treatment to identity protection services provided by an entity that receives personal information to employees and other individuals BEFORE a data breach occurs. Although Announcement 2016-02 does not define "personal information," several examples are included, such as name, SSN and banking or credit account number.

As under Announcement 2015-22, the relief provided by Announcement 2016-02 does not apply to cash payments received in lieu of identity protection services or to insurance proceeds received under an identity theft policy.

Announcement 2016-02 provides welcome relief to employers interested in providing identity protection services to employees without increasing federal tax burdens (payroll or income).

For more information, please contact Clifford G. Tsan or Michael D. Billok (Co-Chairs of Bond’s Cybersecurity and Data Privacy Group), or Lisa A. Christensen.
