The average cost of data breaches globally in 2023 was $4.5 million, and increasing.* Identity theft generally goes hand in hand with breaches. What should you do if you’re hit by either? Take immediate action to close the breach and protect against future attacks. Then, consider how you might deduct your losses.
Under Sec. 165(a) of the tax code, any taxpayer may deduct losses that (1) are incurred in a trade or business (which would include breach and identity theft losses); (2) are incurred in a transaction entered into for profit, other than through a trade or business; or (3) arise from fire, storm, shipwreck, or other casualty, or from theft. Alternatively, businesses may opt to deduct losses under Sec. 162(a) as “ordinary and necessary” business expense. Individuals may deduct their losses only under Sec. 165(a).
A business may be able to claim a federal income tax deduction for a theft loss. But does embezzlement count as theft? In most cases it does but you’ll have to substantiate the loss. A recent U.S. Tax Court decision illustrates how that’s sometimes difficult to do.
Basic rules for theft losses
The tax code allows a deduction for losses sustained during the taxable year and not compensated by insurance or other means. The term “theft” is broadly defined to include larceny, embezzlement and robbery. In general, a loss is regarded as arising from theft only if there’s a criminal element to the appropriation of a taxpayer’s property.
In order to claim a theft loss deduction, a taxpayer must prove:
The amount of the loss,
The date the loss was discovered, and
That a theft occurred under the law of the jurisdiction where the alleged loss occurred.
Facts of the recent court case
Years ago, the taxpayer cofounded an S corporation with another shareholder. At the time of the alleged embezzlement, the other original shareholder was no longer a shareholder, and she wasn’t supposed to be compensated by the business. However, according to court records, she continued to manage the S corporation’s books and records.
The taxpayer suffered an illness that prevented him from working for most of the year in question. During this time, the former shareholder paid herself $166,494. Later, the taxpayer filed a civil suit in a California court alleging that the woman had misappropriated funds from the business.
On an amended tax return, the corporation reported a $166,494 theft loss due to the embezzlement. The IRS denied the deduction. After looking at the embezzlement definition under California state law, the Tax Court agreed with the IRS.
The Tax Court stated that the taxpayer didn’t offer evidence that the former shareholder “acted with the intent to defraud,” and the taxpayer didn’t show that the corporation “experienced a theft meeting the elements of embezzlement under California law.”
The IRS and the court also denied the taxpayer’s alternate argument that the corporation should be allowed to claim a compensation deduction for the amount of money the former shareholder paid herself. The court stated that the taxpayer didn’t provide evidence that the woman was entitled to be paid compensation from the corporation and therefore, the corporation wasn’t entitled to a compensation deduction. (TC Memo 2021-66)
How to proceed if you’re victimized
If your business is victimized by theft, embezzlement or internal fraud, you may be able to claim a tax deduction for the loss. Keep in mind that a deductible loss can only be claimed for the year in which the loss is discovered, and that you must meet other tax-law requirements. Keep records to substantiate the claimed theft loss, including when you discovered the loss. If you receive an insurance payment or other reimbursement for the loss, that amount must be subtracted when computing the deductible loss for tax purposes. Contact us with any questions you may have about theft and casualty loss deductions.
Industry studies show that data breaches cost small to medium businesses an average of $200,000.* These costs include customer notification, fines, investigation costs, defense attorney fees and the expense of providing affected individuals with a year of identity theft monitoring services after the breach.
Protect Your Business
Provide data security training to all employees;
Run automatic network virus scans and antivirus software updates;
Download the latest operating system and software updates and patches;
Purchase data breach insurance and consider cyber liability insurance and technology errors and omissions policies;
Purchase umbrella liability coverage as a backstop for data breach insurance and other insurance policies. Umbrella coverage kicks in when the claim is greater than your primary insurance coverage limits and is generally very affordable.