Because of the ubiquity of data breaches today, it seems that only major large-scale breaches seem to get the attention of news stations anymore. The rapidly evolving data breach landscape means the associated legislation is also transforming. In August 2015, the IRS released Announcement 2015-22 (Federal Tax Treatment of Identity Protection Services Provided to Data Breach Victims), stipulating the taxability of companies offering identity protection services to their employees, should their organization experience a data breach. This announcement allowed employees whose data was potentially compromised to exclude the value of identity protection services provided to them by the breached organization from their taxable gross income.
Within this same announcement, the IRS and the Treasury Department also requested comments from the public as they sought to further clarify the tax treatment of identity protection services. Specifically, the two agencies wanted to know whether identity protection was a common offering in situations other than after a data breach. Commenters responded, stating that data security has become a great concern for many organizations because of the surge in data breaches over the last few years. The statistics are overwhelming 2017 alone is on track to have over 1,000 reported data breaches. A Ponemon study recently reported that a full 60% of respondents reported that their companies have experienced more than one data breach in the past two years.
Despite heightened efforts by organizations to prevent data breaches using standard security measures (i.e., firewalls and antivirus software), some organizations are making security decisions based on the belief that a data breach of some form is simply inevitable. Essentially, an increasing number of organizations are combatting data breaches by providing identity protection services to employees before a data breach occurs in order to help detect such an incident, which would effectively minimize the impact of it.
Non-Taxable Identity Protection for More than Just Data Breach Victims
As such, in Announcement 2016-02 (Federal Tax Treatment of Identity Protection Services), the IRS expanded on the earlier announcement stating that: “The Treasury Department and the IRS have determined that Announcement 2015-22 should be extended to include identity protection services provided to employees or other individuals before a data breach occurs.” Like the earlier announcement, the provisions were three-pronged:
- The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers).
- The IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages.
- The IRS also will not assert that these amounts must be reported on an information return (such as Form W- 2 or Form 1099-MISC) filed with respect to such individuals.
Does this Mean it Can be Included in Pre Tax Benefits?
While the IRS stipulated that it will now treat identity protection as a non-taxable, non-reportable benefit – even for those companies that have fortunately not felt the grief that comes with experiencing a breach within their information systems, this does not mean identity protection can be offered by employers as one of employees’ pre tax benefits. This new legislation covers identity protection plans offered by an employer to employees, as well as when offered by businesses to their customers. However, under current guidance, it appears that employers may not permit employees to pay for identity protection as one of employees’ salary reduction, pre tax benefits under a section 125 cafeteria plan, the contributions must be deducted on an after tax basis. Also, since the IRS’ guidance only applies to federal tax rules, employers will want to evaluate any state or local tax consequences of providing identity protection services. Additionally, organizations should always consult with their tax preparation and employee benefits team members when reviewing the taxable status of any benefits and services they offer to employees.
With the reach of data breaches touching businesses large and small, it’s comforting to know that all organizations now have one more piece of motivation to offer such a valuable benefit to protect their most valuable asset – their employees.
For more identity protection insights, sign up for email updates.