The IRS will not assert that an individual, whose personal information may have been compromised in a data breach, must include in gross income the value of identity protection services provided by the entity that experienced the data breach. In addition, the IRS will not assert that an employer, whose employees’ data may have been compromised in a data breach of the employer, must include the value of identity protection services in the employees’ gross income.
The announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for other reasons that a data breach, such as identity protection services received in connection with an employee’s compensation benefit package. The announcement also does not apply to proceeds received under an identity theft insurance policy.
Comments are requested on whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations. Comments should be submitted in writing on or before October 13, 2015, to: Internal Revenue Service CC:PA:LPD:PR (Announcement 2015-22) P.O. Box 7604 Ben Franklin Station Washington, D.C. 20044. Comments also may be sent electronically to firstname.lastname@example.org. “Announcement 2015-22” should be included in the subject line. All comments will be available for public inspection.