In Announcement 2015-22, the Internal Revenue Service (IRS) notes that data breaches at organizations’ recordkeeping systems can, and do, happen, and in response to such events, customers and/or employees are offered identity protection services.
The IRS says it will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the agency will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. The IRS will also not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.The agency says the announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received as part of an employee’s compensation benefit package. The announcement also does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.