Taxing Benefits: What About Identity Theft Protection?
In a previous blog, we discussed what state law (VA) requires when a company is the victim of a data breach and personal information is compromised. For example, a notice that tells someone their information may have been stolen must include, among other things, advice that directs the person to monitor their accounts and credit. Some companies go beyond giving advice to actually providing credit monitoring services to victims, whether employees or consumers. The IRS just announced that those benefits are not taxable.
This is, of course, good news for those who are already worried about their stolen information and potential identity theft – the IRS won’t add insult to injury — but it also prevents a compliance headache for companies who are trying to do the right thing. The IRS won’t make businesses keep records or show the cost of providing ID theft services on W-2s or 1099-MISC forms. There are limits to this policy. If a company is providing identity protection services not in connection with a data breach, for example as part of a compensation package, those costs would not be exempt from taxation. Also, cash in lieu of services or proceeds from an identity theft insurance policy are not covered by the IRS announcement.
The IRS is asking for feedback on its policy. They are interested in how common it is for companies provide such identity theft services outside of a breach so they can determine if additional guidance would be helpful. Comments should be filed before October 13th. They may be sent in writing to Internal Revenue Service, CC:PA:LPD:PR (Announcement 2015-22),P.O. Box 7604, Ben Franklin Station, Washington, DC 20044 or electronically to notice.comments@irscounsel.treas.gov (include “Announcement 2015-22” in the subject line).