—by Adam Koulish
H.R. 6032, 114th Cong. (2016) (as referred to H.R. Comm. on Ways and Means, Sept. 14, 2016).
Cybersecurity Framework FAQs Framework Basics, Nat’l Inst. of Standards and Tech. (last visited Sept. 25, 2016), https://www.nist.gov/cyberframework/cybersecurity-framework-faqs-framework-basics.
William H. Latham, Does Your Company’s Data Breach Insurance Coverage Measure Up?, Lexology (Jan. 21, 2016), http://www.lexology.com/library/detail.aspx?g=13ae8c51-5eb8-42f6-8f1c-7e04fa346463.
Abstract: A bill, H.R. 6032, the Data Breach Insurance Act, has recently been introduced to the House Ways and Means Committee. If passed, the bill would allow businesses to claim a tax credit for the purchase of qualified data breach insurance.
As data breaches or “hacks” of businesses happen at an increasing rate, the purchase of data breach insurance has become a necessity for businesses of all sizes. In an effort to lessen the burden and incentivize such a purchase, a bill was assigned to the House Committee on Ways and Means on September 14, 2016, that would amend the Internal Revenue Code of 1986 to provide a tax credit to businesses that purchase data breach insurance. H.R. 6032, the Data Breach Insurance Act, would provide a credit amount equal to 15 percent of a business’s aggregate premiums paid or incurred during the taxable year for qualified data breach insurance. Because the bill was only recently introduced, there is a high likelihood that it will be amended before it even reaches the House floor. There is also a distinct possibility that the bill will not be passed.
For the purposes of this bill, qualified data breach insurance is “coverage provided by an insurance company for expenses or losses in connection with the theft, loss, disclosure, inaccessibility, or manipulation of data.” Typically, there are two main types of claims associated with data breach insurance coverage. There are third-party claims such as legal defense if sued by a customer whose data was exposed, and there are first-party claims such as the various IT and public relations responses needed to mitigate the damage of a breach. Ideally, a data breach insurance policy would cover both types.
A business wishing to receive this credit must have adopted the Framework for Improving Critical Infrastructure Cybersecurity (FICIC) as set forth by the National Institute of Standards and Technology or any similar standard prescribed by the Secretary of Homeland Security and the Secretary of Commerce. Simply put, the FICIC is voluntary guidance that helps businesses manage and reduce their cybersecurity risk. It also establishes common terms used in cybersecurity risk management to facilitate easier communication between entities inside and outside the business.
In claiming a credit for qualified data breach insurance, the charge for such insurance should be separately stated from other types of insurance in the contract or specified on a separate statement. Also, the charge for qualified data breach insurance should not be unreasonably large in comparison to the rest of the insurance contract. The premiums paid for this insurance will only qualify for the tax credit “if such premiums are paid or incurred in the ordinary course of the taxpayer’s trade or business.” Since data breaches can happen to almost any business, however, this should be an easy requirement to satisfy. Lastly, in its current form, the bill provides for credits claimed in the five years after its passage.