Slashdot Mirror


IRS: Identity Theft Protection a Tax Deductible Benefit - Even Without a Breach (wordpress.com)

chicksdaddy writes: The U.S. Internal Revenue Service has announced that it will treat identity theft protection as a non-taxable, non-reportable benefit that companies can offer — even when the company in question hasn't experienced a data breach, and regardless of whether it is offered by an employer to employees, or by other businesses (such as online retailers) to their customers, the blog E for ERISA reports. In short: companies can now deduct the cost of offering identity theft protection as a benefit for employees or extending it to customers, even if their data hasn't been exposed to hackers.

The announcement comes only four months after an earlier announcement by the IRS that it would treat identity theft protection offered to employees or customers in the wake of a data breach as a non-taxable event. Comments to the IRS following the earlier decision suggested that many businesses view a data breach as "inevitable" rather than as a remote risk.

The truth of that statement was made clear to the IRS itself, which had to provide identity theft protection earlier this year in response to a hack of its online database of past-filed returns and other filed documents which ultimately affected over 300,000 taxpayers. The new IRS guidance could be a boon to providers of identity protection services such as Experian and Lifelock, though maybe not as much as one would expect. Data from Experian suggests that consumer adoption rates for identity theft protection services are low. Fewer than 10% of those potentially affected by a breach opt for free identity protection services when they are offered. For very large breaches that number is even lower — in the single digit percentages.

5 of 51 comments

  1. Seems fair by aaron4801 · Score: 3

    Somebody has to cover the cost of fraud protection when it's the IRS doing the identity theft.

  2. Re:Oh joy by bobbied · Score: 4, Informative

    another free break for corps and the rich. Thanks. Anyone else notice how every time you go through a checkout they hit you up for some charity or another? Charities are all well and good but having my donation be some company's tax dodge really pisses me off...

    Not exactly.... This isn't a "tax dodge", it's just making providing credit monitoring to employees and customers a non-taxable event for the receiver but retains the expense as a tax write-off for the company.

    So if Target chooses to provide credit monitoring services to their employees and customers, Target gets to write it off as an expense (like they can now) and the employees and customers don't have to claim it as income (like they used to). Seems this benefits the customer and employees.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Re:I'm ok with this concept by Firethorn · Score: 2

    One problem with the AC is a misunderstanding of how tax deductions work. It's by actual expense - not per person.

    I.e., I'm not claiming that I 'protected' 300M Americans. I'm claiming that I spent $3M on identity protection services for my clients and employees. Which would be rather expensive if I only have 3k of them, but rather cheap if I serve all 300M Americans.

    --
    I don't read AC A human right
  4. Data breaches are (nearly) inevitable by shawn2772 · Score: 2

    Securing data against intrusion and theft is really hard. If your data is an attractive target, you're basically putting yourself in a perpetual arms race which you can win only by continually investing a lot of money into it, and only by hiring really good people and listening to them. Some organizations don't want to spend money. Many don't want to listen to their security people when the security advice gets in the way of business goals.

    But that's the easy problem.

    The hard problem is securing data against your own employees. It begins with treating them so well that they have no incentive to screw you. Few companies want to do what that costs. But no matter how well you do that, you still have to defend against clever, malicious insiders who are disgruntled (in spite of treating them well). This is really hard because many of the people you're defending against actually need access to the data and/or the systems on which it resides. To secure it against them you need layered defenses, separated networks and audited access control points in all of the above -- which also requires very careful ACL management (much, much harder than it appears). Oh, and you really have to audit the accesses, which is neither easy nor cheap. Of course you also need all the typical IT security stuff; control the hardware on your networks, the software on your hardware, etc. Keeping malware out is extremely hard, but at least you can buy products which help (somewhat) with that. Most of the rest of the stuff just requires good staff and lots of resources. It's much more expensive than products.

    But that's still the easy part of the hard problem. The hard part of the hard problem is securing your data against honest, well-intentioned employees. People make mistakes. People get social-engineered. Good people intentionally subvert security controls because they know they're not doing anything malicious (and they're not!) but just finding ways to be more efficient. To deal with this, you need lots of things. Start with regular employee security training, repeated fairly frequently, and carefully customized to be relevant for each group of employees. Next you also need oversight from security in all areas of your systems design and deployment, with regular audits. The goal of the security oversight is to ensure that separation of authority and prevention of leakage is built into every part of your systems, from the ground up (note that this will hugely complicate (read $$$) the integration of software you purchase to run your operations). Next, you need to regularly attack your own systems. You should have internal teams who are focused on finding ways to defeat your own security countermeasures. These teams should have full access to all system information, and a very broad permission to use whatever means will work. It's a good idea to rotate the people who design your security systems through your attack teams. Oh, and you need oversight and auditing for the attack teams. Finally, you need executive commitment to do all of the above even though it's expensive, complicated and occasionally embarrassing. Part of that commitment must include not coming down hard on people who have been found to make honest mistakes or overlook things. You must foster a culture of finding and fixing problems, rather than seeking scapegoats. That's perhaps the hardest part of all.

    Now... who thinks their company is capable of doing that? In my career (some 20 years in the business, 15 of them as an expensive consultant) I've found none who could do it all, and perhaps three who could do enough of it to really give me confidence in their security posture. Two of the three were military.

    BUT! There's a really simple, (technically) very easy solution. Here it is, for free: Don't store sensitive data. If you must touch it, keep it isolated and ephemeral. If you don't have to touch it, don't!

    It's super easy to secure data you don't have. If you think you do have to store sensitive
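The advice in comment 4 above (audited access control points, careful ACL management, and above all "don't store sensitive data; if you must touch it, keep it isolated and ephemeral") put into working code. This is an added example, not code from the commenter or from any company or product named on the page. The 9-digit identifier format, the role names, the tokenization key and the sample record are constructed assumptions so the example runs offline; in a real deployment the key would live in a KMS/HSM and the audit trail would be shipped off-host.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Hypothetical tokenization key, constructed for this offline example only.
# Real deployments fetch it from a KMS/HSM and rotate it; it never sits in
# source next to the data it protects.
TOKEN_KEY = b"example-only-key-do-not-reuse"


def tokenize(raw_id: str, key: bytes = TOKEN_KEY) -> Dict[str, str]:
    """Reduce a sensitive identifier (here an SSN-like 9-digit value) to the
    two things most workflows actually need: a keyed, non-reversible token
    for matching records, and the last four digits for display. The raw
    value is neither returned nor retained."""
    digits = "".join(ch for ch in raw_id if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit identifier")
    token = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return {"token": token, "last4": digits[-4:]}


class AuditedStore:
    """Minimal record store with per-role ACLs and an append-only audit
    trail. Every access attempt is logged, allowed or not, so the audit can
    answer 'who touched which record' even though no row holds the raw
    identifier."""

    def __init__(self, acl: Dict[str, Set[str]]) -> None:
        self._acl = acl                      # role -> permitted operations
        self._rows: Dict[str, dict] = {}     # token -> non-sensitive attrs
        self.audit: list = []

    def _authorize(self, who: str, role: str, op: str, token: str) -> None:
        allowed = op in self._acl.get(role, set())
        self.audit.append({
            "ts": time.time(), "who": who, "role": role, "op": op,
            "record": token[:12],   # enough to correlate, not the full token
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"role {role!r} may not {op}")

    def put(self, who: str, role: str, raw_id: str, attrs: dict) -> str:
        """Ingest a record. The raw identifier exists only for the duration
        of this call; only its token and last4 are written."""
        derived = tokenize(raw_id)
        self._authorize(who, role, "write", derived["token"])
        self._rows[derived["token"]] = {"last4": derived["last4"], **attrs}
        return derived["token"]

    def lookup(self, who: str, role: str, raw_id: str) -> Optional[dict]:
        """Match an inbound identifier against stored tokens without ever
        persisting the inbound value."""
        token = tokenize(raw_id)["token"]
        self._authorize(who, role, "read", token)
        return self._rows.get(token)

    def holds_raw(self, raw_id: str) -> bool:
        """Self-check an auditor can run: does any stored row contain the
        raw digits? Always False if the minimization above is honoured."""
        digits = "".join(ch for ch in raw_id if ch.isdigit())
        return any(digits in str(row) for row in self._rows.values())


def denied_events(store: AuditedStore) -> list:
    """What an auditor pulls first: every refused access attempt."""
    return [e for e in store.audit if not e["allowed"]]


if __name__ == "__main__":
    # Constructed sample data: intake may write, support may read, nobody
    # may do both from one role.
    store = AuditedStore({"intake": {"write"}, "support": {"read"}})
    store.put("alice", "intake", "123-45-6789", {"name": "A. Example"})
    print(store.lookup("bob", "support", "123456789"))   # matched by token
    try:
        store.lookup("bob", "intake", "123-45-6789")      # intake cannot read
    except PermissionError as err:
        print("denied:", err)
    print("raw identifier stored?", store.holds_raw("123-45-6789"))
    print("denied events:", len(denied_events(store)))
```

The store never sees the identifier in a form it could leak: matching works because the same keyed hash is recomputed on the way in, and the denied-read attempt from the wrong role still lands in the audit trail, which is the part the commenter calls neither easy nor cheap to get right at scale.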

  5. Why should you pay for a bank's failings? by memzilla · Score: 5, Insightful

    It's outrageous that anyone should have to pay to prevent having false information added to their credit record. Financial institutions control what measures they use to authenticate who they give money to, so when those measures fail, financial institutions should take responsibility for their failures. Instead, financial institutions cooked up the concept of 'identity theft' to shift responsibility for their authentication failures on to their own customers. If governments legislated consumer protection which penalized financial institutions that add false information to people's credit record (because the financial institution's measures failed to screen out an impersonator) financial institutions would clean up their act. Instead, financial institutions reap more and more profits by avoiding spending on effective authentication measures and by getting their customers to pay for the financial institutions' mistakes. It's financial institutions that are in control of consumers' identities. It's not the criminals who impersonate the financial institution's customers and it's certainly not the innocent customer (whom the financial industry has convinced they are at fault because they didn't shred their garbage) that are in control of a consumer's financial "identity".