EdLawConnect Blog

On August 13, 2015, the IRS issued Announcement 2015-22, addressing the tax treatment of identity protection services for data breach victims. The Announcement states that when victims receive free identity protection services from an organization that suffered a data breach, the IRS will not assert the value of the identity protection services is includible in the victim’s gross income. Additionally, the IRS stated that an employer providing identity protection services to employees who may have been affected by a data breach of the employer’s (or employer’s agent or service providers) records need not include the value of those services in the employee’s gross income and wages. The value of the services is not reportable on an information return such as a W-2 Form or 1099-MISC Form.

An IRS announcement is a public statement that provides immediate or short-term guidance that would otherwise be covered by a regulation, Revenue Ruling or Revenue Procedure. The IRS issues announcements to provide guidance for completing tax forms, directions for compliance with regulations or procedures, or on matters of general interest.

Announcement 2015-22 applies to identity protection services such as credit reporting and monitoring services, identity theft insurance policies, identity restoration services, and other similar services, but only when provided in connection with a data breach that occurs as a result of hacking or otherwise. The tax relief described in the Announcement does not apply when an employer provides these services to its employees as part of its regular compensation and benefits package. Nor does it apply to cash received in lieu of identity protection services or to proceeds received under an identity theft insurance policy. The tax treatment of insurance recoveries is determined under existing tax laws.

The Announcement concludes with a request for comments on whether organizations commonly provide identity protection services in situations other than as a result of a data breach and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. The deadline for providing comments to the IRS is October 13, 2015.

Data breaches increasingly affect educational institutions. In September 2015, for example, breaches of student data were reported at the California State University, the South Dakota School of Mines, a high school in New Jersey, and a high school in Kentucky, to name a few. In the Kentucky case, a nutrition services worker at the school “ended up at a website that wasn't the site she intended to be on,” using a computer that contained data such as student names, addresses, social security numbers, and dates of birth. The worker’s visit to the unauthorized website resulted in the data being accessed by a cyber-intruder. Also in September, the Charlotte-Mecklenburg Schools system notified more than 7,000 people who applied for jobs that their personal information had been shared with an outside contractor without the applicants’ authorization.

It’s critically important to have a response plan in place before such breaches occur. The plan should include identifying and appropriately notifying individuals whose data is affected by the breach. If identity protection services are offered, the IRS’s Announcement relieves the affected individuals of one potential concern: they need not report the value of the services as income.