This GMS Flash Alert reports that on August 13, 2015, the U.S. Internal Revenue Service released an advanced copy of Announcement 2015-22. The Announcement clarified the tax treatment of identity protection services provided at no cost to individuals whose personal information may have been compromised in a data breach.
The U.S. Internal Revenue Service (IRS) recently announced that victims of identifiable data breaches who receive identity protection services at no cost do not need to include the value of these services in their gross income. In addition, an organization that is itself a victim of a data breach does not need to include the value of identity protection services that it provides its employees in the gross income and wages of its employees.1
An estimated 16.6 million people were victims of identity theft in 2012 (the latest year for which data is available), and this number is likely to rise, as tens of millions of people have had their personal information compromised in a recent string of well-publicized data breaches.2
A common response by organizations that experience a breach of customer or employee data is to provide identity protection services, such as credit reporting and monitoring, at no cost to those individuals whose personal information may have been compromised as a result of the breach. This IRS guidance makes it clear that the value of such identity protection services is not taxable income to the individual, and employers are not required to include the value of such services in their employees’ wages.
On August 13, 2015, the IRS released an advanced copy of Announcement 2015-22. The Announcement clarified the tax treatment of identity protection services provided at no cost to individuals whose personal information may have been compromised in a data breach. Prior to this IRS Announcement, there were questions as to whether the value of these services should be included in the gross income of the recipient, and whether an employer needed to include the value of these services provided to employees affected by a breach of the employer’s records in the gross income and wages of its employees. The IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Nor will the IRS assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages. Additionally, the IRS will not assert that these amounts must be reported on an information return filed with respect to these individuals.
The Announcement does not apply to proceeds received under an identity theft insurance policy, nor does it apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach.
1 See Announcement 2015-22 at http://www.irs.gov/pub/irs-drop/a-15-22.pdf (PDF 31.3 KB). Announcement 2015-22 will be in IRB 2015-35, dated August 31, 2015.
2 Since 2012, several large U.S. retailers, the federal government, and a number of American universities have all been victims of large scale data breaches. The data breach of one large retailer in particular compromised the personal information of over 70 million people. See, for example: B. Hardekopf, “The Big Data Breaches of 2014,” Forbes (online), January 13, 2015; “Millions of US Government Workers Hit by Data Breach,” BBC (online) at www.bbc.com, June 5, 2015.
The following information is not intended to be "written advice concerning one or more Federal tax matters" subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230 as the content of this document is issued for general informational purposes only.
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your tax adviser.
© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Flash Alert is an Global Mobility Services publication of KPMG LLPs Washington National Tax practice. The KPMG logo and name are trademarks of KPMG International. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent member firms. KPMG International provides no audit or other client services. Such services are provided solely by member firms in their respective geographic areas. KPMG International and its member firms are legally distinct and separate entities. They are not and nothing contained herein shall be construed to place these entities in the relationship of parents, subsidiaries, agents, partners, or joint venturers. No member firm has any authority (actual, apparent, implied or otherwise) to obligate or bind KPMG International or any member firm in any manner whatsoever. The information contained in herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.