Tax Implications of Free ID Theft Services
Print

8/28/2015

In the past few years there has been much news about massive data breaches at mega-corporations and government agencies. Whether it is wayward hackers, state-sponsored data thieves, or the 21st century equivalent of a pickpocket, these incidents are making consumers anxious about the possibility that their personal information may end up in the hands of unscrupulous individuals.

Their fears are not unfounded. In 2015, the Javelin Strategy & Research group released a report indicating that 12.7 million people in America were victims of identity theft in 2014. Identity theft has topped the list of consumer complaints to the Federal Trade Commission for 15 years in a row. The Internal Revenue Service’s Dirty Dozen list, an annual list of the top tax scams, has consistently seen identity theft in the top spot for the past few years. In July 2015, the Consumer Federation of America reported that identity theft is the top fastest-growing complaint for state and local consumer protection agencies across the country.

ID Theft Services are Big Business

Concern about identity theft has led many consumers to buy identity theft services (click here for information about these services and what to ask if you are considering purchasing one). Consumer Reports estimated that in 2010, 50 million Americans spent $3.5 billion on these services. This number has likely risen alongside the number of complaints and data breach incidents. And more and more people being offered identity theft services for free as a result of data breaches.

IRS Issues Guidance on Tax Implications

To address questions about how free services that are provided to data breach victims should be dealt with for tax purposes, the IRS recently announced that it:

“will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.”

In layman’s terms, the IRS won’t count the value of those services as taxable income. However, this policy doesn’t apply to individuals who are paid in cash instead of services, or if identity theft services are provided outside of the context of a data breach (for instance, if they are provided as an employee benefit). This IRS announcement also doesn’t apply to identity theft insurance policy proceeds.

The IRS is asking for public comment on the announcement by October 13. Comments can be made by email to This e-mail address is being protected from spambots. You need JavaScript enabled to view it with “Announcement 2015-22” in the subject line or via snail mail to:

Internal Revenue ServiceCC:PA:LPD:PR (Announcement 2015-22)
P.O. Box 7604Ben Franklin Station
Washington, DC 20044


A personal information safety tip: Don’t include any personal details that you wouldn’t want shared in the body of your message or letter, as these comments can be made available to the public.