In the face of continued data breaches and an ever-increasing pile of identity thefts, the IRS has released a new piece of guidance that says companies are able to deduct the cost of identity theft protection, even without it being connected to a specific breach.
The new guidance, released Monday, comes as consumers are beset on all sides by identity theft threats stemming from a long list of data breaches at retailers, health-care companies, financial-services firms, and many other organizations. Scammers and crooks–organized and otherwise–use the mountain of available personally identifiable information belonging to consumers as the basis for their schemes. The problem has gotten to the point that the person who doesn’t receive at least one breach notification letter every year can count himself lucky indeed.
Offering free identity theft protection and credit-monitoring services is a standard part of breach responses from compromised organizations, but some organizations have been providing such benefits on their own. The IRS now says the cost of those services is a deductible one for these companies.
“The announcement provides that the IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach,” the new guidance from the IRS says.
The agency had released a statement on the topic in August and requested comments on it. There were only four comments, but those who did comment said information security is one of their bigger concerns, resulting from the growing number of data breaches. The new guidance also says that individual employees don’t have to include the value of any identity theft protection services their employers provide in their income.
“Accordingly, the IRS will not assert that an individual must include in gross income the value of identity protection services provided by the individual’s employer or by another organization to which the individual provided personal information (for example, name, social security number, or banking or credit account numbers). Additionally, the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection services in the employees’ gross income and wages,” the IRS guidance says.
Already this year there have been a number of breaches, including one at Time Warner that exposed data belonging to 320,000 people.
Image from Flickr stream of 401(k).