Data breaches and identity thefts are ubiquitous and often enormous in size and scope. For example, during the first six months of 2019, data breaches exposed 4.1 billion private records ("Data Breaches Expose 4.1 Billion Records in First Six Months of 2019," by Davey Winder, Forbes (Aug. 20, 2019)), and in a recent identity theft scheme, veterans were bilked out of millions of dollars ("5 Indicted in Identity Theft Scheme That Bilked Millions From Veterans," by Neil Vigdor, The New York Times (Aug. 21, 2019)).
Individual taxpayers and businesses that are targeted experience staggering losses. And after such data breaches and identity thefts occur, taxpayers often employ measures designed to defeat future threats. These preventive steps also commonly come at a steep price.
Given the monetary amounts at stake, the tax consequences of data breaches and identity thefts are thus worthy of exploration.
A data breach, in which hackers gain access to sensitive personal information, such as passwords, credit cards, medical records, and identification documents, typically occurs in two contexts: retailers and second parties that collect sensitive information (e.g., credit bureaus). Some of the nation's largest data breaches targeting companies and governmental agencies are summarized in the chart, "US Data Breaches."
A byproduct of data breaches is often identity theft. Data breaches cost U.S. companies $8.19 million apiece on average ("What's the Cost of a Data Breach in 2019?" by Chris Brook, Digital Guardian (July 30, 2019)). In many instances, the larger cost is the loss of customer confidence, which often evaporates after a cyber incident.
Businesses and individuals often incur additional costs as they take defensive measures to safeguard their data and finances. From 2017 to 2021, global cybersecurity spending is predicted to exceed $1 trillion ("Global Cybersecurity Spending Predicted to Exceed $1 Trillion From 2017—2021," by Steve Morgan, Cybercrime Magazine (June 10, 2019)).
US data breaches
Taxpayers that experience data breaches and identity thefts often experience a financial loss for which they seek tax relief. This section of the article explores the deductibility of the losses taxpayers incur directly from identity theft and of their expenditures to protect themselves.
The Code treats losses of businesses and individual taxpayers differently. Sec. 165(a) broadly allows taxpayers to deduct losses that they sustain during the year. Businesses such as corporations, partnerships, and sole proprietorships can deduct losses resulting from data breaches and identity theft. Alternatively, businesses can opt to deduct losses under Sec. 162(a) as "ordinary and necessary" expenses (see, e.g., Federation Bank & Trust Co., 27 T.C. 960 (1957), aff'd, 256 F.2d 764 (2d Cir. 1958) (to settle claims, a bank's payment to its depositors could be deducted under either Sec. 162 or Sec. 165)).
But Sec. 165 severely limits loss deductions for individual taxpayers, who under Sec. 165(c) may deduct only losses that (1) are incurred in a trade or business; (2) are incurred in a transaction entered into for profit, other than through a trade or business; or (3) "arise from fire, storm, shipwreck, or other casualty, or from theft."
On the face of the statute, losses resulting from data breaches and identity thefts appear to fall squarely within the realm of this third category of permissible deductions. However, under the legislation known as the Tax Cuts and Jobs Act (TCJA), P.L. 115-97, for losses arising in tax years 2018 through 2025, such losses must be "attributable" to a federally declared disaster (Sec. 165(h)(5)(A)). Because federally declared disasters (e.g., COVID-19 shutdowns and hurricane damage) do not give direct rise to data breaches and identity thefts, as a practical matter and until the current law sunsets, individual taxpayers who incur losses from data breaches and identity thefts are not afforded tax relief under this provision.
Example 1: A taxpayer has a brokerage account through which he has purchased securities. These securities cost him $100,000 and over the years have generated $900,000 in dividends, which were reinvested in additional securities. Unbeknownst to the taxpayer, someone has stolen his user ID and password and has sold his securities, sending the proceeds to the thief's bank account. Under these circumstances, the Code would disallow these losses. (By way of contrast, had the taxpayer sold the securities for $1 million, no gain or loss would have been recognized, and, alternatively, if the taxpayer had sold the securities for $25,000, he would have commanded a $975,000 loss ($25,000 − $1,000,000).)
Expenditures related to preventive measures
Like losses, the tax treatment of protective measure expenditures depends upon the type of taxpayer seeking to deduct the expense. In the case of businesses, cybersecurity measures should constitute ordinary and necessary expenses and, as such, be deductible in the year that they are incurred. Generally, expenses are necessary insofar as they are "appropriate and helpful" and "ordinary" if they result in an immediate benefit to the taxpayer and are not in the nature of a capital expenditure (Tellier, 383 U.S. 687 (1966)).
For individual taxpayers, the Code generally precludes deductions. While Sec. 212 provides deductions related to investment expenses and in connection with tax preparation and the handling of tax controversies, it also permits deduction of all the ordinary and necessary expenses paid or incurred during a tax year "for the management, conservation, or maintenance of property held for the production of income" (Sec. 212(2)). Like the expenses related to a safe deposit box (which historically have been deductible — Temp. Regs. Sec. 1.67-1T(a)(1)(ii)), expenditures designed to safeguard one's identity serve essentially the same function, namely, to protect one's financial assets from being stolen.
However, such expenditures constitute miscellaneous itemized deductions and were only deductible to the extent they exceeded 2% of a taxpayer's adjusted gross income (AGI) (Sec. 67(b)). And, under the TCJA, until 2026, the Code disallows such deductions (Sec. 67(g)). Therefore, whatever out-of-pocket expenditures individual taxpayers incur related to data breaches and identity theft, they cannot be reflected on a Form 1040, U.S. Individual Income Tax Return, unless Congress amends the Code or they are incurred after 2025.
One of the fundamental tenets of the Code is that, unless otherwise provided, all accretions to wealth are taxable (Sec. 61(a)). This general precept raises two important issues regarding the taxability of (1) payments made to victims of data breaches and identity thefts to make them financially whole and (2) in-kind benefits that employees and consumers receive when employers and retailers, free of charge, institute safeguards to try to protect these taxpayers from further intrusions.
Taxation of reimbursement payments
As a starting point, a reimbursement constitutes an accretion to wealth, and thus, absent any countervailing provisions in the Code, administrative rulings, or case law, it would be taxable.
Example 2: A taxpayer has an online retail account and, due to a data breach, his personal information is stolen. Using this stolen information, the perpetrator is able to exact $100,000 from the taxpayer's bank account. If the retailer, as a goodwill gesture, voluntarily reimburses $100,000 to the taxpayer for his loss, it might appear that the receipt of the sum would be taxable.
Clark, 40 B.T.A. 333 (1939) (acq.), addressed this issue. A lawyer proffered erroneous advice to the taxpayer, resulting in an overpayment of tax. To make the taxpayer financially whole, the lawyer voluntarily reimbursed the taxpayer for the financial damage. The IRS claimed that the sum paid was taxable. The Board of Tax Appeals disagreed, however, offering two justifications for its holding. The first (which subsequent cases have largely discredited) was that "recoupment on account of such losses is not income since it is not 'derived from capital, from labor or from both combined'" (Clark, at 335). The second, and more compelling, argument was that this payment was "compensation for a loss which impaired petitioner's capital" (id.) and, in the words of one treatise, "the reimbursement was therefore a nontaxable recovery of capital" (Boris Bittker and Lawrence Lokken, Federal Income Tax ¶5.8.1 (2020)).
As long as the taxpayer's loss is not deductible, the IRS has accepted the Clark position that reimbursements of the loss that constitute a recovery of capital are not taxable (Rev. Rul. 57-47). Therefore, if a taxpayer is reimbursed for damages resulting from a data breach/identity theft and did not have any concomitant deduction, no income inclusion is required.
Receipt of in-kind benefits by employees and consumers
One of the most common ways that companies respond to instances of data breaches and identity theft is to provide victims with monitoring services. For instance, after the Target breach of 2013, the retailer provided affected consumers with free credit monitoring services ("Target Says Sorry Again, Offers 10% Off and Free Credit Monitoring," Nathan Mattise, Ars Technica (Dec. 21, 2013)). An important tax question concerns the taxability of the value of such in-kind services to its recipients, such as employees, customers, or others whose data has been stolen or exposed by a breach.
In Announcement 2015-22, the IRS addressed this issue with the blanket declaration, "The IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach." The announcement adds that with respect to employers providing identity protection services to their employees in the aftermath of a data breach, the IRS will "not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals." However, that treatment "does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee's compensation benefit package."
After the release of the announcement, the IRS solicited comments from the public on how to treat similar payments for identity-theft-related services provided to an employee, a consumer, or other impacted person. Some comments requested clarification of the taxability of identity protection services provided at no cost to employees or other individuals before a data breach occurs. After considering those comments and the severity and ubiquity of the problem, the IRS released Announcement 2016-2. In it, the IRS stated that, regardless of whether the services are provided before or after a breach:
[T]he IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual's employer or by another organization to which the individual provided personal information (for example, name, [S]ocial [S]ecurity number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees' gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.
This generous position has no support in statutory authority, and the IRS did not explain its rationale. But it might be assumed that, akin to frequent flyer miles (for which the IRS has similarly taken the position that it will not challenge their nontaxability), the agency did not wish to generate a political uproar.
ALLEVIATING SOME BURDENS
As data breaches and identity thefts have become all too familiar, victims have sought tax relief. As evidenced by this analysis, in some instances the IRS has been sympathetic to taxpayers' travails. However, it remains to be seen whether Congress will endorse these magnanimous policies via amendments to the Code. In the meantime, those taxpayers who endure data breaches and identity thefts must confront the reality that while tax provisions may sometimes mitigate the damages they sustained, they are unlikely to entirely alleviate financial burdens associated with this problem.
About the authors
Patrick M. Ryle, J.D., is an assistant professor of accounting at Dalton State College in Dalton, Ga. Leonard Goodman, CPA, Ph.D., and Jay A. Soled, J.D., are both tax professors at Rutgers Business School in Newark and New Brunswick, N.J.