While the U.S. appears to be amping up efforts to counter cyberattacks, data breaches continue to wreak havoc on the public and private sector alike.
And while we wait for the Trump administration to take shape and unveil the president’s cybersecurity policies, there likely won’t be much recourse for businesses and consumers when it comes to identity theft. In fact, new proposals are certain to focus on protecting vital U.S. infrastructure and the large national departments they support, not the balance sheets of U.S. businesses and everyday Americans.
There is, however, an unlikely U.S. agency championing the fight against identity theft: The IRS.
And while the Internal Revenue Service may lack the resources to spearhead a national effort to push identity protection measures, it recognizes the damaging effects of identity theft and is resorting to one of the most effective tools at its disposal to address the issue – the pre-tax employee benefit.
In August 2015, the IRS released Announcement 2015-22 (Federal Tax Treatment of Identity Protection Services Provided to Data Breach Victims) [Note: link opens PDF in new window], stipulating the taxability of companies offering identity protection services to their employees, should their organization experience a data breach. This announcement allowed employees whose data was potentially compromised to exclude the value of identity protection services provided to them by the breached organization from their taxable gross income.
Within this same announcement, the IRS and the Treasury Department also requested comments from the public as they sought to further clarify the tax treatment of identity protection services. Specifically, the two agencies wanted to know whether identity protection was a common offering in situations other than after a data breach. Commenters responded, stating that data security has become a great concern for many organizations because of the surge in data breaches over the last few years.
The statistics are overwhelming:
The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a report released by the Identity Theft Resource Center . This represents a 40 percent spike over the near record high of 780 reported in 2015.
Despite heightened efforts by organizations to prevent data breaches using standard security measures (i.e., firewalls and antivirus software), some organizations are making security decisions based on the belief that a data breach of some form is simply inevitable. Essentially, an increasing number of organizations are combating data breaches by providing identity protection services to employees before a data breach occurs in order to help detect such an incident, which would effectively minimize the impact of it.
As such, in Announcement 2016-02 (Federal Tax Treatment of Identity Protection Services) [Note: link opens PDF in new window], the IRS expanded on the earlier announcement stating that: “The Treasury Department and the IRS have determined that Announcement 2015-22 should be extended to include identity protection services provided to employees or other individuals before a data breach occurs.” Like the earlier announcement, the provisions were three-pronged:
• The IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers).
• The IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages.
• The IRS also will not assert that these amounts must be reported on an information return (such as Form W-2 or Form 1099-MISC) filed with respect to such individuals.
What all this means is that the IRS will now treat identity protection as a non-taxable, non-reportable benefit – even for those companies that have fortunately not felt the grief that comes with experiencing a breach within their information systems. This new legislation covers identity protection plans offered by an employer to employees, as well as when offered by businesses to their customers.
While the average American likely harbors some negativity toward the IRS for collecting their tax dollars, the agency should be commended for recognizing the devastating impact that identity theft can have on people’s lives and taking a leadership position on identity protection.
About Paige Schaffer
As President & COO of the Identity and Digital Protection Services Global Unit for Generali Global Assistance, Ms. Schaffer leads sales & marketing strategy and revenue growth initiatives, managing operations as well global expansion.