Tax Benefit for Early Cybersecurity Protections

By Mary Kathryn Curry

In August 2015, the Internal Revenue Service announced (IRS Announcement 2015-22) that credit monitoring and other identity protection services provided by employers to employees following a data breach are not taxable.  In response to comments, the IRS has now expanded that decision to include identity protection services offered before a breach occurs.

The comments received by the IRS noted that data breaches are a major concern for companies, and despite heightened efforts to prevent breaches from occurring, the reality is that companies must make decisions based on the belief that data breaches are inevitable.  Because of this, more and more organizations are providing identity protection services to employees before a data breach to help detect problems and minimize the negative impact to operations.  The comments asked the IRS to clarify if these services would also be non-taxable, even if they were provided before an actual data breach occurred.  In response, the Treasury Department and the IRS have said yes, stating that:   

“The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages. The IRS also will not assert that these amounts must be reported on an information return (such as Form W- 2 or Form 1099-MISC) filed with respect to such individuals.”

This is a win-win; employers can provide these services without increasing federal payroll taxes, and the employees receive a much needed service with no added federal tax liability falling on them.  Nonetheless, the IRS clarified that this treatment does not apply to cash received in lieu of identity protection services, or to proceeds received under an identity theft insurance policy.  Employers and employees will also have to consider state and local tax implications. 

For assistance incorporating this type of service into your overall benefit offerings for your employees, or for more information on protecting your customers’ personal information, please contact the author, a member of Polsinelli's Privacy and Data Security practice or your Polsinelli attorney.