There’s no question that identity theft is a problem in the United States. A 2015 study released by Javelin Strategy & Research found that there were 12.7 million victims of identity theft in the U.S. 2014. That works out to a new identity fraud victim every two seconds. Identity theft has topped the list of consumer complaints made to the Federal Trade Commission for the last 15 years. And, of course, identity theft has claimed the top spot on the Internal Revenue Service’s (IRS) Dirty Dozen list for several years running.
It should be no surprise, then, that businesses and other organizations have ramped up their efforts to keep personal information secure, including offering complimentary identity protection services to customers and employees. This includes credit reporting and monitoring services – the same kinds of services that IRS offered to affected taxpayers earlier this year after taxpayer accounts were improperly accessed using the “Get Transcript” app.
These services cost money. Services can range from one time fees to monthly fees upwards of $30 per month. According to Consumer Reports, about 50 million U.S. consumers spent $3.5 billion in 2010 on various identity protection products, a number that has likely grown over the past few years.
We know, however, that there’s no so thing as a free lunch. And it was only a matter of time before someone raised the question of taxability of these kinds of services when they are provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach. The IRS had not previously taken a position on this matter – until now.
Under Announcement 2015-22 found in the latest Internal Revenue Bulletin (downloads as a pdf), the IRS “will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.” That’s tax speak that indicates that IRS will not consider these services taxable when provided to a customer or employee after a data or security breach. The IRS goes on to clarify that means that these amounts do not need to be included on a tax form, such as a W-2 or 1099.