Last year, the Privacy Clearinghouse confirmed 223 major data breaches that compromised the identities of nearly 160 million Americans. In 2016, the trend continues with 42 breaches occurring in the first two months alone. The sophistication of organized identity theft rings keeps the government, educational institutions, public and private businesses struggling to combat ongoing threats. The IRS, recognizing the vulnerabilities and prevalence of this crime, is offering a tax incentive to employers offering identity theft protection benefits.
The IRS recently issued guidance outlining preferential tax treatment for employer-provided identity theft benefits, even in the absence of a data breach. Previous guidance created a tax free exclusion for identity theft protection services, but only after a breach and only for individuals whose personal information might have been compromised. Generally, all benefits provided to an employee by an employer must be treated as income, unless the tax code provides an exclusion.
Most companies offer identity theft protection to their customers and employees following a breach. However, taking a more proactive approach and providing protection services as a benefit to employees can help minimize financial and administrative costs associated with an event. It also favorably positions an employer in the event the company experiences a data breach later on.
The IRS’s latest announcement notes that several commenters requested guidance regarding the tax treatment of identity protection services provided before a data breach. According to the commenters, these services are being provided with increasing frequency in order to allow early detection of data breaches and minimize the impact of breaches when they occur. In response, the IRS has concluded that its previous guidance should be extended.
“The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals,” the guidance states.
One important note, this preferential tax treatment does not apply to cash received in lieu of identity protection services or to proceeds received under an existing identity theft insurance policy.