ID Protection Provided to Data-Breach Victims Is Now Tax-Free

Identity theft services given at no cost by breached employers are not taxable, IRS says

By Nancy Vary, JD, and Leslye Laderman, JD, LLM © Buck Consultants September 3, 2015

Update: IRS OKs Excluding ID Protection Benefits from Taxable Income

The IRS released on Dec. 30, 2015, its Announcement 2016-02, which allows preferential tax treatment for employer-provided identity theft benefits despite the absence of a data breach.

In August 2015, the IRS had released Announcement 2015-22, which provided that those whose personal information may have been compromised in a data breach need not include as taxable gross income the value of identity protection services provided to them by the breached organization (see article below).

The new Announcement 2016-02 extends the prior guidance to include identity protection services provided to employees or others before a data breach occurs. Accordingly, the value of identity protection services provided by the individual's employer can be excluded from the employee’s gross income and wages, and does not need to be reported on an employee’s Form W-2 or on a Form 1099-MISC. The announcement does not apply to cash provided by employers to employees in lieu of identity protection services.

SHRM Online editors

On Aug. 13, 2015, the IRS issued guidance on the tax treatment of identity protection services for data-breach victims.

The guidance generally provides that the value of identity theft protection services provided at no cost to data-breach victims by the organization experiencing the breach (including employers and their service providers) is not taxable and does not have to be reported on information returns such as Forms W-2 or 1099-MISC.


High-profile data breaches—like that of the U.S. Office of Personnel Management earlier this year—have potentially compromised the personal data of millions and garnered national attention. As computer hacking and cyberattacks have become more commonplace, companies have looked for ways to improve the security of their customers’ and employees’ nonpublic personal information.

In situations where their records have been breached, companies have taken steps to provide assistance for individuals whose information may be vulnerable as a result of the breach. Among other things, companies have provided those individuals with credit and identity theft monitoring and protection services to mitigate the potential risks of identity theft.

IRS Guidance on Taxability of Identity Protection Services

In Announcement 2015-22, the IRS addressed—for the first time—the federal tax treatment of credit reporting and monitoring services, identity theft insurance policies, identity restoration services or other similar services (collectively “identity protection services”) provided to data-breach victims. The guidance provides some tax relief to individuals whose personal information may have been compromised in a data breach.

Specifically, the IRS stated that it will not assert that:

  • An individual who may be affected by a data breach must include the value of the identity protection services provided by the organization that experienced the data breach in gross income.
  • An employer providing identity protection services to employees who may have been affected by a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of those services in the employees’ gross income and wages.
  • These amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.

This relief does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach (such as identity protection services received as part of an employee’s compensation or benefits package). Because the tax treatment of insurance recoveries is governed by existing law, it also does not apply to proceeds received under an identity theft policy.

Employers that provide identity theft protection to employees for reasons other than a data breach should consult their tax or legal advisors on the proper tax treatment based on the individual facts and circumstances of the program.

Finally, the Treasury Department and IRS invited comments by Oct. 13 on whether: (1) organizations commonly provide identity protection services in situations where there has been no data breach; and (2) additional guidance on the tax treatment of the provision of those services would be helpful.

Limiting the Damage

To limit the potential damage following a data breach, companies are providing affected individuals with free credit monitoring and other identity protection services, often for a period of years. Until this month, the IRS had not addressed whether the value of such services was taxable to the individuals who receive them.

The IRS has now clarified that, with certain limited exceptions, the value of services provided to data-breach victims will not be taxable as income.

While this guidance clarifies the federal tax treatment of identity protection services, companies will also want to confirm the state tax treatment with their tax advisors.

Nancy Vary, JD, is a director of the Knowledge Resource Center at Buck Consultants. Leslye Laderman, JD, LLM, is a principal in the Knowledge Resource Center at Buck Consultants. This article originally appeared in the Aug. 31, 2015, issue of For Your Information, produced by Buck Consultants’ Knowledge Resource Center. © 2015 Xerox Corp. and Buck Consultants. All rights reserved. Republished with permission.
