The Internal Revenue Service has announced that it will treat identity theft protection as a non-taxable, non-reportable benefit, even when offered proactively before any data breach, and whether offered by an employer to employees, or by other businesses (such as online retailers) to its customers.
The announcement comes only four months after an earlier earlier announcement by the Service that it would take the same approach with regard to identity theft protection offered to employees or customers in the wake of a data breach. In the earlier announcement, the Service requested public comments from providers of identity protection services on whether they provide such services other than as a result of a data breach, and received four comments collectively indicating that identity theft protection often is provided proactively, because many businesses view a data breach as “inevitable” rather than as a remote risk.
The announcements reflect the Service’s immediate view of identity theft protection as a non-taxable benefit that need not be reported on a Form W-2 (provided to a common-law employee) or Form 1099-MISC (provided to a customer or other non-employee). Other specifics are as follows:
- The Service defines “identity protection services” to include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services, however proceeds received under an identity theft insurance policies will be treated under existing tax provisions applicable to insurance benefits and are not affected by the announcements.
- Tax-exempt treatment will not apply to cash provided to an employee or customer in lieu of identity protection services.
Notably, the Service itself had to provide identity theft protection earlier this year in response to a hack of its online database of past-filed returns and other filed documents which ultimately affected over 300,000 taxpayers.
Clearly these announcements are a boon to providers of identity protection services such as Experian and Lifelock, but due to the trending phenomenon of “identity theft fatigue” actual consumer enrollment in such services may remain low (under 10% of those potentially affected actually do so, according to Experian). This in turn may dictate the degree to which employers add identity protection services to their menu of tax-qualified employment benefits.
POST UPDATE: More precisely, the IRS is not saying that identity theft protection is non-taxable, but that the IRS will not assert violations of the Internal Revenue Code for failure to include the value of the protection in gross income, or report it as income. Where an employer (or retailer) provides the full cost of protection there is no dollar difference to an employee (or consumer), but were employees asked to contribute towards the cost of protection they would not be able to do so on a pre-tax basis through a Section 125 cafeteria plan.