When Can You Deduct Data Breach Costs?
Contributor: Eric Leib
Cybersecurity routinely tops the charts as one of business owners’ most pressing concerns. Data loss can obstruct day-to-day operations, put a stain on the company’s public standing, and be quite costly, but business owners should also be aware of how data loss and its prevention can impact their tax liability.
The cost of a cybersecurity breach varies with the industry, the type of information stolen, how the threat actors gained access to the data, how quickly the breach was discovered, how the data was used, and how easily the breach was contained. Because costs can keep accumulating months or years after the breach itself, breaches are often far more expensive than one might expect. The average cost of a data breach in the United States is $8.64 million, more than double the global average of $3.86 million. Even if a breach costs your business only a fraction of that figure, it can have a significant impact on your operations.
The best way to manage cybersecurity breaches is to prevent them from happening in the first place. No data loss prevention policy is perfect, but a good one will almost always be worth the cost. And fortunately, most of these expenses are tax deductible.
Data loss prevention methods — like using data theft detection software, regularly reviewing data for inaccuracies, auditing the data environment for risks, purchasing encryption technology, installing more robust hardware, implementing better networks, etc. — are ordinary and necessary business expenses. This means they are deductible for both federal and state income tax purposes for businesses filing as C corporations, S corporations, or partnerships, and to self-employed persons reporting their business activity on Schedule C.
Individuals can deduct the cost of mitigating cybersecurity attacks only if those attacks are associated with one of their businesses, because the Tax Cuts and Jobs Act (TCJA) suspended miscellaneous itemized deductions for tax years 2018 through 2025. An individual who does not own a business therefore cannot deduct any of these mitigation costs until 2026 at the earliest.
Just as data loss prevention measures are deductible, so are the costs of the data breaches themselves. Virtually all measures taken to contain a breach are ordinary and necessary expenses and should be fully deductible. This includes ransom payments.
Losses arising from theft are deductible under Internal Revenue Code (IRC) Section 165. Ransomware attacks, in which a threat actor encrypts a victim’s files or data and releases them only after the business pays a ransom, are treated as theft by extortion and are therefore deductible. The IRS made this clear in Revenue Ruling 72-112, which holds that a ransom payment qualifies for the theft loss deduction as long as the extortion was illegal in the state where it occurred. Although that ruling addressed a ransom paid in a kidnapping, it is commonly applied to ransoms paid to recover digital assets or data.
However, not every cost related to a data breach is deductible. Any cost reimbursed by insurance cannot also be deducted. Because cybersecurity insurance is more common than ever, businesses should understand not only how their policy will reimburse them for losses, but also how to reliably tally and document those losses so they can substantiate the full deduction that remains after reimbursement.
The tax implications for individual taxpayers are quite different. Under IRC Section 165(c), an individual cannot deduct the cost of a non-business data breach unless the loss arose from a fire, storm, shipwreck, theft, or other casualty. The TCJA further provides that personal casualty and theft losses arising in tax years 2018 through 2025 are deductible only if they are attributable to a federally declared disaster. It is unlikely that a data breach would qualify under these stringent guidelines.
Even if a data breach were somehow attributed to a federally declared disaster, an individual taxpayer could deduct the loss only to the extent it exceeded $100 per casualty and, in total, 10% of their adjusted gross income.
Although no business owner wants to be the victim of a data breach, everyone is at risk, even with good preventive measures in place. Fortunately, tax law looks kindly on businesses that suffer cybersecurity-related losses. If you have questions about losses resulting from data breaches, reach out to our CRI tax and cybersecurity professionals today.