IRS sounds off on data breaches
The IRS recently released guidance (Announcement 2015-22) relating to its position on tax-free fringe benefits payable to employees whose personal information may have been disclosed in a data breach. In the guidance, the IRS notes that it is common for an employer, in response to a data breach, to provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services to the employees whose personal information may have been compromised as a result of the breach. These identity protection services are typically intended to prevent and mitigate losses due to identity theft resulting from the data breach.
In the Announcement, the IRS confirmed that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach will not be required to include the value of the identity protection services in employees’ gross income. In other words, an employer that has experienced a data breach may provide identity protection services as a non-taxable fringe benefit to its employees. The guidance, however, clarifies that cash payments and insurance proceeds will still be treated as taxable benefits. In this regard, cash received in lieu of identity protection services, or identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package, will need to be included in an employee’s gross income.
The Announcement illustrates the need for employers to review their data privacy policies and protocols and the importance of developing and implementing an incident response plan, as even the IRS has taken note of the significant issues arising in connection with a data breach.