When victims of data breaches receive free identity protection services from an organization that suffered a data breach, the IRS will not assert that the value of those identity protection services is includible in the victim’s gross income, the Service announced on Thursday (Announcement 2015-22). The announcement applies to anyone whose personal information may have been compromised in a data breach, including customers, employees, and others. The announcement comes on the heels of several high-profile breaches of business and government databases, affecting the personal information of millions of Americans.
The IRS noted that identity theft was the top consumer complaint to the Federal Trade Commission for the past 15 years and also alluded to the numerous recent high-profile data breaches. (The IRS’s own Get Transcript system was compromised in May, allowing criminals to access over 100,000 taxpayers’ information.)
Many companies and organizations provide identity protection services to the victims of these breaches so they can monitor their financial and other accounts. These services include credit monitoring and reporting services, identity theft insurance policies, and identity restoration services. They are intended to prevent or mitigate losses due to identity theft from the data breach.
According to the IRS, the amounts paid for those services do not have to be included in Forms W-2, Wage and Tax Statement, or Forms 1099-MISC, Miscellaneous Income. The relief does not apply to cash payments received as a result of a data breach or payments for identity theft protection as part of a compensation package. It also does not change the treatment of payments from identity theft insurance contracts. The IRS is requesting comments by Oct. 13 on whether this relief should be extended to similar services provided in situations other than as a result of data breaches.
—Sally P. Schreiber (firstname.lastname@example.org) is a JofA senior editor.