In Announcement 2015-22 the IRS stated that it will not tax data breach victims on the value of the identity theft protection services provided by the organizations whose systems were compromised.
There have been a number of high-profile data breach cases in the past few years, affecting major retailers like Target, insurers such as Anthem, and even the federal government’s own Office of Personnel Management. Generally these entities and organizations have responded to the incident by offering various identity theft protection services to those whose information was or may have been disclosed.
In Announcement 2015-22, the IRS announced it will not assert that the receipt of such benefits by data breach victims represents taxable income.
There are limits to the relief, as the IRS notes:
This announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee's compensation benefit package. This announcement also does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.
The IRS did, however, request comments on other situations where entities may provide identity theft protection and whether additional guidance should be issued.