Post-data breach identity theft protection services will be excluded from recipients’ gross incomes, the IRS has announced. This treatment, however, does not extend to cases where an identity theft victim receives cash in lieu of identity protection services or proceeds under an identity theft insurance policy.
Criminals can steal taxpayers’ identities in a variety of ways. One method is to breach the security protocols of business, associations, governments, and other organizations. In response, organizations typically provide identity protection services to affected individuals. These include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, and/or other similar services. The IRS reported that questions have arisen about the taxability of identity protection services after a data breach.
Identity theft protection companies may flag or freeze an individual’s credit reports. A credit freeze generally stops all access to an individual’s credit report. A fraud alert generally allows creditors to obtain an individual’s credit report if certain verification steps are satisfied.
The IRS explained that it will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of identity protection services provided by the organization that experienced the breach.
Further, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. These amounts need not be reported on an information return (for example, Form W-2 or Form 1099-MISC) filed with respect to the affected individual.
The IRS carved some exceptions. Cash received in lieu of identity protection services is excluded as are proceeds received under an identity theft insurance policy. Identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package, are also excluded. To be continued? The IRS has requested comments on whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether more guidance would be helpful.