The IRS issued an announcement holding that the value of identity protection services provided by an employer to an employee whose information has been breached does not have to be included in income.
Employers may provide identity theft protection services, such as credit reporting, credit monitoring and identity theft insurance, when it is believed that an employee’s personal information may have been compromised. Under HIPAA, employers are required to provide such services upon a breach of electronic protected health information. With more and more data breaches occurring in the workplace, the IRS found it necessary to issue guidance on the tax implications of identity protection services.
The IRS will not require individuals whose personal information may have been breached to include the value of identity protection services in their gross income. This is the case if the services are provided by an employer or if they are provided by a service provider of an employer. If an employer provides identity protection services as part of a general compensation package and not as a result of a possible data breach, the value of the services is included in compensation.