Identity-Protection Services You Receive After a Data Breach: Taxable or Not?
Authors: Jeanne E. Floyd (Richmond), Vicki M. Nielsen (Washington DC)
Published Date: September 23, 2015
Data breaches and the identity fraud that may result from breaches can wreak personal and professional havoc. Recent large-scale data breaches have affected major retailers and companies, financial institutions, health insurers, and government agencies and have demonstrated that all forms of sensitive personal information can be vulnerable to exploitation. According to data from the Bureau of Justice Statistics, an estimated 16.6 million people (or 7 percent of all U.S. residents who are 16 and older) were victims of identity theft in 2012 (which, at the time of publication, was the latest year for which the Bureau of Justice Statistics had data) and direct and indirect losses from identity theft totaled $24.7 billion that year.
To prevent and mitigate potential losses, companies that experience a data breach involving consumer or employee personal information may take a number of actions. These include providing credit reporting and monitoring services, identity-theft insurance policies, identity-restoration services, and other identity-protection services to individuals whose personal information may have been compromised. Note that some state laws require companies to provide these services to individuals whose information has been put at risk.
One notable example of a serious data breach involved the Internal Revenue Service (IRS). In May of 2015, the IRS announced that taxpayer accounts had been illegally accessed using the “Get Transcript” application on its website. When the IRS first announced the breach, it reported that the data breach resulted in the theft of the personal information of 114,000 taxpayers. In August of 2015, the IRS revised its original estimate up to 330,000 affected taxpayers. As part of its mitigation strategy, the IRS offered free credit monitoring to taxpayers whose accounts were accessed.
Tax Implications of Identity Protection Services
When an employer is responding to a data breach involving its employees’ personal information, one of the last things it may think about is whether the value of the identity-protection services it makes available to affected employees should be considered taxable to the employees and reported as such. In general, all benefits provided to an employee by an employer must be treated as income unless the Tax Code provides an exclusion. Until recently, no guidance specifically addressed whether the value of identity-protection services should be treated as income.
An individual whose personal information may have been compromised in a data breach need not include in gross income the value of the identity-protection services provided by the organization that experienced the data breach.
An employer providing identity-protection services to employees whose personal information may have been compromised in a data breach of the employer’s recordkeeping system or of the recordkeeping system of the employer’s agent or service provider need not include the value of the identity-protection services in the employees’ gross income and wages.
The value of the identity-protection services need not be reported on an information return, such as a Form W-2 or a Form 1099-MISC filed with respect to the affected individuals.
Importantly, this tax treatment does not apply to:
identity-protection services received for reasons other than a data breach, such as identity-protection services received with an employee’s compensation benefit package;
cash received in lieu of identity-protection services (even if it was received because of a data breach); or
any proceeds received under an identity-theft insurance policy, as treatment of these policies is governed under distinct rules governing insurance recoveries.
Flashback to Frequent Flyer Benefits
The IRS’s recent announcement regarding the taxability of identity-protection services is reminiscent of the IRS’s 2002 announcement regarding the taxability of frequent flyer miles earned from employee business travel and used by employees to get free personal travel benefits from airlines. In 2002, the IRS announced that it would not assert that an employee has taxable income because he or she received or used frequent flyer miles earned while flying on an employer’s business. Neither the IRS’s identity-protection services announcement nor the frequent-flyer announcement provides much clarity to the law and instead merely states that the IRS will not assert that the benefits are taxable income.
Jeanne is a member of the employee benefits and executive compensation group. Jeanne focuses her practice on issues concerning health and welfare benefits, including Section 125 cafeteria plans, medical savings accounts (such as flexible spending arrangements (FSAs), health reimbursement arrangements (HRAs) and health savings accounts (HSAs)), and wellness programs. Jeanne also frequently advises clients with respect to COBRA and HIPAA Privacy and Security Rule compliance (such as electronic...
Ms. Nielsen is a member of the employee benefits and executive compensation group. She has worked extensively in the areas of executive compensation arrangements, equity compensation and benefits provided to executives, employees, directors and independent contractors. She has experience with all issues relating to executive compensation arrangements, including Code § 409A, performance-based compensation and Code § 162(m), equity compensation, change in control agreements, golden...