The IRS has issued some favorable guidance on the tax treatment of identity protection services provided to data breach victims. In Announcement 2015-22, the IRS indicated that when an organization experiences a data breach, and it provides identity protection services to individuals whose information may have been compromised, the IRS will not assert that the individual must include the value of the services in gross income. In addition, the IRS says that when an employer provides such services as a result of a data breach involving the recordkeeping systems of the employer, or the employer’s agent or service provider, the employer will not be required to include the value of the services in the employee’s gross income and wages. The Announcement also indicates that the IRS will not assert that these amounts need to be reported on an information return (such as a W-2 or 1099-Misc.).
According to the Announcement, the “identity protection services” to which this guidance applies include credit reporting and monitoring services, identity theft insurance policies, identity restoration services and other similar services, but only when provided in connection with a data breach that occurs as a result of “hacking” or otherwise. The tax relief provided by this guidance does not apply where an employer provides these services to its employees as part of its regular compensation and benefits package. Nor does it apply to cash received in lieu of identity