Not a Member? Get access to HR news and resources that you can trust.
Change can be scary, but deploying new HR software doesn't have to be.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
We don’t just visit a city, we take it over. Join the HR community in NOLA -- June 18-21, 2017.
Identity theft services given at no cost by breached employers is not taxable, IRS says
Update: IRS Oks Excluding ID Protection Benefits from Taxable Income
The IRS released on Dec. 30, 2015, its
Announcement 2016-02, which allows preferential tax treatment for employer-provided identity theft benefits depite the absence of a data breach.
In August 2015, the IRS had released
Announcement 2015-22, which provided that those whose personal information may have been compromised in a data breach need not include as taxable gross income the value of identity protection services provided to them by the breached organization (see article below).
The new Announcement 2016-02 extends the prior guidance to include identity protection services provided to employees or others before a data breach occurs. Accordingly, the value of identity protection services provided by the individual's employer can be excluded from the employee’s gross income and wages, and does not need to be reported on an employee’s Form W-2 or on a Form 1099-MISC. The announcement does not apply to cash provided by employers to employees in lieu of identity protection services.
—SHRM Online editors
On Aug. 13, 2015, the IRS issued guidance on the tax treatment of identity protection services for data-breach victims.
The guidance generally provides that the value of identity theft protection services provided at no cost to data-breach victims by the organization experiencing the breach (including employers and their service providers) is not taxable and does not have to be reported on information returns such as Forms W-2 or 1099-MISC.
High-profile data breaches—like that of the U.S. Office of Personnel Management earlier this year—have potentially compromised the personal data of millions and garnered national attention. As computer hacking and cyberattacks have become more commonplace, companies have looked for ways to improve the security of their customers’ and employees’ nonpublic personal information.
In situations where their records have been breached, companies have taken steps to provide assistance for individuals whose information may be vulnerable as a result of the breach. Among other things, companies have provided those individuals with credit and identity theft monitoring and protection services to mitigate the potential risks of identity theft.
IRS Guidance on Taxability of Identity Protection Services
Announcement 2015-22, the IRS addressed—for the first time—the federal tax treatment of credit reporting and monitoring services, identity theft insurance policies, identity restoration services or other similar services (collectively “identity protection services”) provided to data-breach victims. The guidance provides some tax relief to individuals whose personal information may have been compromised in a data breach.
Specifically, the IRS stated that it will not assert that:
This relief does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach (such as identity protection services received as part of an employee’s compensation or benefits package). Because the tax treatment of insurance recoveries is governed by existing law, it also does not apply to proceeds received under an identity theft policy.
Employers that provide identity theft protection to employees for reasons other than a data breach should consult their tax or legal advisors on the proper tax treatment based on the individual facts and circumstances of the program.
Finally, the Treasury Department and IRS invited comments by Oct. 13 on whether: (1) organizations commonly provide identity protection services in situations where there has been no data breach; and (2) additional guidance on the tax treatment of the provision of those services would be helpful.
Limiting the Damage
To limit the potential damage following a data breach, companies are providing affected individuals with free credit monitoring and other identity protection services, often for a period of years. Until this month, the IRS had not addressed whether the value of such services were taxable to the individuals who receive them.
The IRS has now clarified that, with certain limited exceptions, the value of services provided to data-breach victims will not be taxable as income.
While this guidance clarifies the federal tax treatment of identity protection services, companies will also want to confirm the state tax treatment with their tax advisors.
Nancy Vary, JD, is a director of the
Knowledge Resource Center atBuck Consultants. Leslye Laderman, JD, LLM, is a principal in the Knowledge Resource Center at Buck Consultants. This article originally appeared in the Aug. 31, 2015, issue of
For Your Information, produced by Buck Consultants’ Knowledge Resource Center. © 2015 Xerox Corp. and Buck Consultants. All rights reserved. Republished with permission.
Related SHRM Article
The Case for Legal Services and ID Theft Benefits,
SHRM Online Benefits, July 2014
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
CA Resources at Your Fingertips
SHRM’s HR Vendor Directory contains over 3,200 companies