According to the IRS, identity theft has been the number one consumer complaint to the Federal Trade Commission for 15 consecutive years. The Bureau of Justice Statistics estimates that 17.6 million people were victims of identity theft in 2014. Organizations at every level are trying to protect employee and customer personal information from computer hacking that can disclose sensitive information to identity thieves. As a protective measure, some businesses are providing identity theft protection services in the hopes of preventing and mitigating damage from a data breach. Some insurance carriers are now also offering identity protection services to their customers at no additional cost. Questions were posed to the IRS concerning the taxability of identity protection services provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach.
The taxation of this identity protection benefit/service was considered by the IRS in 2015 and again in early 2016. Originally, the IRS determined that an individual whose personal information may have been compromised in a data breach does not have to include the value of such an identity protection service in his or her gross income. Similarly, the IRS had ruled that an employer providing such data protection services to employees whose personal information may have been compromised in a data breach of the employer’s recordkeeping system (or employer’s agent or service provider) does not have to include the value of such service in the employee’s gross income or wages. The value does not have to be reported on an individual’s W-2. (See IRS Announcement 2015-22.)
But what about identity theft protection services that are offered as a precautionary measure before a breach occurs? Blue Cross Blue Shield, for example, is now offering identity protection services to all eligible BCBS members on an opt-in basis as of January 1, 2016. The offering includes credit monitoring, fraud detection and fraud resolution support. After the IRS elicited comments on Announcement 2015-22, it decided to extend the same tax treatment to identity protection services provided to employees or other individuals before a breach occurs, similar to that offered by Blue Cross Blue Shield. (See Announcement 2016-02.) The reasoning behind this ruling is that providing identity protection services to employees and others before a data breach occurs will foster earlier detection of a data breach and may minimize the impact of a breach on operations.