The IRS released a bulletin on December 30, 2015, (Announcement 2016-02) announcing that it would extend the tax exemption issued in August to organizations who provide credit monitoring to its employees following a data breach, to receive a similar exemption for pre-breach identity protection services. This means that the value of the services, both pre-breach and post-breach should not be included in an individual’s or employer’s gross income for tax purposes.

The bulletin stated “…the IRS will not assert that an employer providing identity protection services to its employees must include the value of the identity protection in the employees’ gross income and wages…and will not assert that these amounts must be reported on an information return filed with respect to such individuals.”

The exemption does not apply to cash, services offered as part of a benefit package or insurance proceeds.