As companies and governmental entities increasingly do business and store sensitive information in online or cloud-based environments, the risk of improper disclosure continues to grow. The unprecedented breach of the United States Office of Personnel Management’s (OPM) system, in which the personal data of more than 22 million individuals was stolen, was a topic of national discussion and debate throughout the summer and culminated in the resignation of OPM’s director on July 10, 2015. For financial services companies, protecting customer and employee nonpublic personal information (NPPI) is a critical function involving ever-increasing complex and costly security measures. Where NPPI is disclosed, whether inadvertently or by criminal third-party conduct, companies often respond by providing the affected customer or employee with credit reporting and monitoring services. On August 13, 2015, the United States Internal Revenue Service (IRS) published Announcement 2015-22, which included helpful guidance on the taxability of costs related to various credit protection services.
Announcement 2015-22 begins with a general discussion of the sobering scope of the identity theft problem that merits repeating: “Identity theft, also known as identity fraud, occurs when a person wrongfully obtains and uses another person’s personal information (for example, name, social security number, or banking or credit account numbers) in a way that involves fraud or deception, typically for economic gain. Identity theft is a growing problem in the United States. Identity theft has been the number one consumer complaint to the Federal Trade Commission for 15 consecutive years. The Bureau of Justice Statistics estimates that 16.6 million people were victims of identity theft in 2012, the latest year for which data is available. In addition, recent high-profile data breaches at various organizations have exposed many more millions of persons to the risk of identity theft.”
The IRS then offers a definition of “identity protection services” that flows through the entirety of the guidance: “credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services.” Most financial service companies offer one or more of these to customers or employees potentially affected by an NPPI breach. As the IRS notes, “[t]hese identity protection services are intended to prevent and mitigate losses due to identity theft resulting from the data breach.”
The critical question for the IRS is “the taxability of identity protection services provided at no cost to customers, employees, or other individuals whose personal information may have been compromised in a data breach.” This is an area, the IRS concedes, where “[e]xisting guidance does not specifically address these questions.”
In terms of substantive guidance, the IRS provides the following in Announcement 2015-22:
- “The IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach.”
- “[T]he IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.”
- “The IRS will also not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.”
- The “announcement does not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package.”
- The “announcement . . . does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.”
Finally, it should be noted that the IRS requested comments from interested parties on “whether organizations commonly provide identity protection services in situations other than as a result of a data breach, and whether additional guidance would be helpful in clarifying the tax treatment of the services provided in those situations.” Those comments are due October 13, 2015.
For financial services institutions offering identity protection services to affected customers or employees in connection with NPPI disclosures, Announcement 2015-22 provides helpful clarity to all parties involved in handling the consequences of the disclosure. As long as the institution stays within the confines of the Announcement 2015-22, they will have a level of comfort that they are not compounding an NPPI disclosure issue by creating an additional tax problem for the already aggrieved customer or employee.