Identity theft (also known as identity fraud) occurs when a person wrongfully obtains and uses another individual’s personal information—for example, his or her name, Social Security number, or banking or credit card numbers—in a way that involves fraud or deception. Identity theft is a growing problem in the United States. It has been the number one consumer complaint to the Federal Trade Commission (FTC) for the past fifteen years. In addition, recent high-profile breaches at various organizations have exposed millions of individuals to the risk of identity theft.
In response to these data breaches, organizations often provide credit reporting and monitoring services, identity theft insurance policies, identity restoration services or similar services (commonly known as “identity protection services”) to customers, employees or other individuals whose personal information may have been compromised in a data breach. But now, as a growing trend, organizations are providing identity protection services to employees or other individuals before a data breach occurs in order to allow earlier detection of data breaches and to minimize their impact.
Due to growing concerns about data breaches and identity theft, some employers have started offering identity protection services to their employees as a fringe benefit. The Internal Revenue Service (IRS) has issued two pieces of guidance that address the taxability of this benefit.
Announcement 2015-22 provides that the value of identity protection services provided by employers to employees in connection with a data breach is NOT taxable to the employees.
- In order to receive this favorable tax treatment, the employees’ personal information must have been compromised in a data breach of the employer’s (or of the employer’s agent or service provider’s) recordkeeping system.
Announcement 2016-02 significantly expands the favorable tax treatment for employer-provided identity protection services. Under this recent guidance, the value of identity protection services provided before a breach happens is also nontaxable. Announcement 2016-02 provides that:
- Individuals who receive identity protection services from their employer (or from another organization that the individuals provided personal information to) do not need to include the value of these services in their gross income;
- An employer providing identity protection services to its employees is not required to include the value of these services in the employees’ gross income and wages; and
- The value of identity protection services does not need to be reported on information returns such as Forms W-2 or 1099-MISC.
- Tax relief does not apply to cash that an individual may receive in lieu of identity protection services, or to proceeds received under an identity theft insurance policy.
Due to the expanded tax relief, employers can provide tax-free identity protection services to their employees before a breach occurs. Employers might provide services such as credit reporting and monitoring services, identity theft insurance policies, or identity restoration services to employees. However, since the IRS’ guidance only applies to federal tax rules, employers will want to evaluate any state or local tax consequences of providing identity protection services.
Also, if employers require employees to contribute to the cost of identity protection services, the contributions must be deducted on an after-tax basis. Because identity theft services are not a qualified benefit under Internal Revenue Code Section 125, employees cannot purchase the services on a pre-tax basis.