By Josie Martinez
Senior Part­ner and Gen­er­al Coun­sel at EBS Capstone
a UBA Part­ner Firm

IDTheftAccord­ing to the IRS, iden­ti­ty theft has been the num­ber one con­sumer com­plaint to the Fed­er­al Trade Com­mis­sion for 15 con­sec­u­tive years. The Bureau of Jus­tice Sta­tis­tics esti­mates that 17.6 mil­lion peo­ple were vic­tims of iden­ti­ty theft in 2014. Orga­ni­za­tions at every lev­el are try­ing to pro­tect employ­ee and cus­tomer per­son­al infor­ma­tion from com­put­er hack­ing that can dis­close sen­si­tive infor­ma­tion to iden­ti­ty thieves. As a pro­tec­tive mea­sure, some busi­ness­es are pro­vid­ing iden­ti­ty theft pro­tec­tion ser­vices in the hopes of pre­vent­ing and mit­i­gat­ing dam­age from a data breach. Some insur­ance car­ri­ers are now also offer­ing iden­ti­ty pro­tec­tion ser­vices to their cus­tomers at no addi­tion­al cost. Ques­tions were posed to the IRS con­cern­ing the tax­a­bil­i­ty of iden­ti­ty pro­tec­tion ser­vices pro­vid­ed at no cost to cus­tomers, employ­ees, or oth­er indi­vid­u­als whose per­son­al infor­ma­tion may have been com­pro­mised in a data breach.

The tax­a­tion of this iden­ti­ty pro­tec­tion benefit/service was con­sid­ered by the IRS in 2015 and again in ear­ly 2016. Orig­i­nal­ly, the IRS deter­mined that an indi­vid­ual whose per­son­al infor­ma­tion may have been com­pro­mised in a data breach does not have to include the val­ue of such an iden­ti­ty pro­tec­tion ser­vice in his or her gross income. Sim­i­lar­ly, the IRS had ruled that an employ­er pro­vid­ing such data pro­tec­tion ser­vices to employ­ees whose per­son­al infor­ma­tion may have been com­pro­mised in a data breach of the employer’s record­keep­ing sys­tem (or employer’s agent or ser­vice provider) does not have to include the val­ue of such ser­vice in the employee’s gross income or wages. The val­ue does not have to be report­ed on an individual’s W‑2. (See IRS Announce­ment 2015–22.)

But what about iden­ti­ty theft pro­tec­tion ser­vices that are offered as a pre­cau­tion­ary mea­sure before a breach occurs? Blue Cross Blue Shield, for exam­ple, is now offer­ing iden­ti­ty pro­tec­tion ser­vices to all eli­gi­ble BCBS mem­bers on an opt-in basis as of Jan­u­ary 1, 2016. The offer­ing includes cred­it mon­i­tor­ing, fraud detec­tion and fraud res­o­lu­tion sup­port. After the IRS elicit­ed com­ments on Announce­ment 2015–22, it decid­ed to extend the same tax treat­ment to iden­ti­ty pro­tec­tion ser­vices pro­vid­ed to employ­ees or oth­er indi­vid­u­als before a breach occurs, sim­i­lar to that offered by Blue Cross Blue Shield. (See Announce­ment 2016-02.) The rea­son­ing behind this rul­ing is that pro­vid­ing iden­ti­ty pro­tec­tion ser­vices to employ­ees and oth­ers before a data breach occurs will fos­ter ear­li­er detec­tion of a data breach and may min­i­mize the impact of a breach on operations.
While this tax treat­ment does not apply to cash received in lieu of the iden­ti­ty pro­tec­tion ser­vice or pro­ceeds received under an iden­ti­ty theft insur­ance pol­i­cy, it is a ben­e­fit that is worth­while to flag for your clients at a time when iden­ti­ty theft con­tin­ues be a grow­ing prob­lem in the Unit­ed States.

Read more here …