There is arguably no more memorable year than 2015 for data breaches.
May 2015 saw the Internal Revenue Service’s Get Transcript System hacked, breaching the security of more than 100,000 taxpayers’ confidential information.
In the months following was the high-profile hack of the Canadian website Ashley Madison, not to mention many other data breaches around the world.
The U.S. Bureau of Justice Statistics estimated that in 2012 16.6 million people were victims of identity theft. 2012 is the latest year for which data is available.
The IRS released Announcement 2015-22 in mid-August, advising that identity theft services provided after a data breach are not taxable.
When a data breach occurs, an organization may provide services in its response to the breach, to the consumer who has been compromised through the data breach.
Such services that may be provided, and to which the Announcement applies, include credit reporting and monitoring, identity theft insurance policies, identity restoration services, or other similar services referred to in the Announcement as “identity protection services’.
Identity protection services aim to prevent and mitigate losses arising from the theft of an individual’s data.
The IRS has now clarified that the value of such services is not includible in gross income of an affected person, and neither are amounts required to be reported on information returns including Form W-2 and Form 1099-MISC.
Excluded are cash payments in lieu of services, and services which are provided as part of an employee’s remuneration package.