IRS Expands Identity Protection Income Exclusion to Cover Protection Received from Organizations Not Yet Known to Have a Data Breech

This blog has previously discussed an earlier IRS ruling that stated victims of identity theft will not be deemed to have taxable income from the receipt of such services.  At the time they warned that receipt of such services when no breech had yet occurred would generally be taxable under the standard rules related to items subject to tax.

The IRS did, however, request comments on other situations where entities may provide identity theft protection and whether additional guidance should be issued.  And at end of December 2015 the IRS expanded the relief in Announcement 2016-2.

The IRS will for now allow exclusion from income of such services if provided by an organization to which the taxpayer had provided personal information, even if there is no known unauthorized access to such data. 

As the Announcement states:

…[T]he IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers).  Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages.  The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.  Any further guidance on the taxability of these benefits will be applied prospectively.

The announcement does caution that this ruling does not apply to cash received by an individual in lieu of identity protection services, nor does it apply to proceeds received under an identity theft insurance policy.