I’ve Been Hacked! Can I Deduct My Ransomware Payments?


DLA Piper is the latest law firm to be the victim of a ransomware attack. It has become increasingly common for companies to fall victim to this cyber blackmail. Typically, malware infects a computer system after a user opens an email or clicks on an item. It then restricts users’ access to their files or threatens permanent destruction of information unless a ransom is paid, often through virtual currency such as Bitcoin.

Businesses will often pay the “ransom” because it is cheaper than paying experts to try to unlock the information, and because it avoids publicity about the attack.

In a recent article in the Bloomberg BNA Tax Management Memorandum, Ransomware: Tax Compliance Issues for a New Reality (June 12, 2017), Donald T. Williamson, the American University Kogod Eminent Professor of Taxation, and A. Blair Staley, professor of accounting at Bloomsburg University of Pennsylvania, discuss the possible tax issues if a company decides to pay the ransom. For example, the company must decide how to treat the payment on its books and ultimately on its tax return: as a nondeductible illegal payment under §162(c)(2), a deductible theft loss under §165(c), or even an ordinary and necessary trade or business expense under §162(a).

Neither Treasury, the IRS, nor Congress has yet addressed the tax treatment of ransomware payments. The courts have not addressed this issue either, although arguments can be made comparing the payments to those made for bribery or kidnapping ransoms.

As these ransomware attacks become more common and public, the courts and agencies will have to catch up.
