Taxes: Another Consideration of Data Breaches

With the ever-increasing threat of data breaches, companies have been forced to adjust their cyber security policies to defend against potentially costly intrusions.  Similarly, the Internal Revenue Service (the “IRS”) and tax practitioners have been forced to address the appropriate tax treatment of certain costs/expenses related to the ever-increasing risk of data breach.  We present below a summary of recent announcements promulgated by the IRS to address these costs, as well as the tax treatment of ransom payments paid in the context of ransomware attacks.


On August 21, 2015, the IRS released IRS Announcement 2015-22, an announcement providing tax relief for the provision of identity theft protection services to those affected by a data breach.  IRS Announcement 2015-22 maintains that the value of identity theft protection services that an organization experiencing a data breach provides to data breach victims is not taxable and does not have to be reported.[1]  In the event of a data breach, the IRS will maintain the following positions:

  • The IRS will not require employer-provided identity theft protection services, provided to employees whose personal data may have been affected by the employer’s data breach, to be included in the employees’ gross income and wages;
  • The IRS will not require an individual, whose personal information may have been affected by a data breach, to include the value of identity protection services provided at no cost by the breached organization in his/her gross income; and
  • The IRS will not require the value of identity protection services provided by the data-breached entity to be reported on information returns when an individual’s personal information may have been affected by such data breach.

In addition to the foregoing, on January 19, 2016, the IRS released IRS Announcement 2016-02, which extends similar tax relief for the provision of identity theft protection services before a data breach has occurred.  While such guidance does provide relief to taxpayers potentially or actually affected by data breaches, these announcements do not apply to cash received in lieu of identity theft protection, nor do they apply to data protection services in connection with an employee’s compensation package.  As a result, traditional tax principles apply to such circumstances, which may result in income recognition to taxpayers.


Moreover, there have recently been a number of relatively high-profile ransomware attacks (an access-denial type of attack that prevents legitimate users from accessing files until a ransom payment has been made).  Questions have arisen as to the deductibility of such ransom payments.  Although the IRS has not provided guidance related to this specific question, prior law strongly suggests that such ransom payments should be tax deductible under Section 165 of the Internal Revenue Code of 1986, as amended (the “Code”).

Code Section 165 provides that there shall be a deduction for any loss arising from theft not compensated for by insurance or otherwise.[2]  The IRS has historically maintained that “theft” covers any theft, or felonious taking of money or property by which a taxpayer sustains a loss, whether defined and punishable under the penal codes of the states as larceny, robbery, burglary, embezzlement, extortion, kidnapping for ransom, threats, or blackmail.[3]  Specifically, in Revenue Ruling 72-112 the IRS provided that ransom payments related to a kidnapping were deductible under Code Section 165.  While the circumstances of this ruling are not exactly on point, this guidance is illustrative when it comes to ransoms paid due to breaches in cyber security.  In Rev. Rul. 72-112, the IRS maintained that ransom payments qualify as a theft loss deduction if the taking of the money was illegal under the law of the State where it occurred and the taking was done with criminal intent.[4]  Because a ransom payment is deemed to be extortion, which is illegal in every state in the United States, such payments should be deductible under IRC Section 165 as a theft loss.[5]

While the tax consequences of a data breach can understandably be overlooked when such a situation arises, appropriate attention should be paid to these issues to help ensure additional issues do not arise from these incidents.

For more information on these issues, please contact Stephen Reynolds at (317) 236-2391, Matt Ehinger at (317) 236-2183, Jaren Hagler at (317) 236-246, or a member of the Ice Miller Tax group or Data Security and Privacy group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[1] IRS Announcement 2015-22, 2015-35 I.R.B. 288 (8/31/2015) 
[2] I.R.C. § 165(a); I.R.C. § 165(e).
[3] Rev. Rul. 72-112, 1972-1 C.B. 60.
[4] Rev. Rul. 72-112, 1972-1 C.B. 60.
[5] Even though the Internal Revenue Service, in Notice 2014-21, 2014-16 I.R.B. 938 (4/14/2014), confirmed Bitcoin’s status as property and not currency, ransom payments in Bitcoins should still be deductible under Code Section 165 because payments would be made due to extortion (i.e. cyber attackers force a business to pay them in Bitcoins in order to prevent public dissemination of private information).
