The IRS noted Announcement 2015-22 today, that states:
[T]he IRS will not assert that an individual whose personal information may have been compromised in a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. Additionally, the IRS will not assert that an employer providing identity protection services to employees whose personal information may have been compromised in a data breach of the employer’s (or employer’s agent or service provider’s) recordkeeping system must include the value of the identity protection services in the employees’ gross income and wages.
Generally, any accession to wealth is includable in income, and there’s a value for the data protection services. Of course, one of the largest data breaches this year was at the hands of…the IRS. While this is a clearly common sense approach, still one must wonder if the IRS would have released this announcement if one of the biggest entities to cause a data breach wasn’t the IRS.