Blog

What Risks Should a Cyber Policy Cover?

6/8/2020

This is the last post in my cyber series. Here, I’ll be offering my suggestions about the content of an ideal cyber policy.

Don’t purchase a policy that covers a specific method or type of breach. The policy should cover the unauthorized release of “personal information” – data that specifically identifies an individual or company – and “ransomware.”

Why? Because the nature of hacking is ever-changing. It’s possible that a new method will emerge between the date of policy issuance and the cyber event.

Second, make sure the policy covers the very broad range of potential damages, which include:

Notification costs: most states now require a hacked company to notify all impacted parties. It must make an attempt to notify everybody. If a company loses 100,000 records, the cost would be very expensive and time consuming, even requiring personnel to re-allocate company-time to data notification activities.
Data monitoring: This is now a standard offering in the wake of a release – free monitoring of personal information for a period of time (usually a year) after the information was released.
Data restoration: it’s possible that a virus will cause some type of harm to the insured. Repairing software and restoring data may be required.
Reputation protection and rebuilding: Suppose a law firm is the victim of a data hack and that this event becomes public knowledge. The firm’s reputation will likely take a hit. This requires hiring a public relations firm to rebuild trust in the brand.
Lost income: a severe data hack may cause an entire computer system to collapse, rendering the business unable to operate for at least a short time. This will cause a drop in income which will need to be replaced.
Legal representation: This is the most expensive cost of a data hack, as it’s possible that the number of plaintiffs could multiply. For example, suppose a law firm has 100 clients. 25 are victims of a data breach. How many will sue the firm arguing that the firm violated its duty of confidentiality?

That's it for this series.

More Basic Building Blocks of Tax Planning

6/4/2020

In my previous tax planning blog post, I explained the three methods (deduction, exclusion, and credit) that are derived from the tax code. This post will briefly explain four methods that focus on planning.

Method 1: Extraction

What is it? Extraction occurs when the taxpayer removes (or “extracts”) an item of income from the tax base. This most commonly involves moving an item from the US economy and placing it into a tax haven and then structuring the transaction to somehow escape inclusion in the US taxpayer’s US tax base.

Method 2: Deferral

What is it? Here, the planner simply moves the realization event (which triggers inclusion into the taxpayer’s gross income for a specific year) to a future date. The farther into the future the planner can place the event, the better.

Method 3: Compression

What is it? Here the planner makes a total amount of assets appear smaller, reducing the tax burden. The most common example is a family limited partnership where the planner will make the children limited partners and then mechanically encumber each limited partnership interest to lower its fair market value.

Method 4: Conversion

What is it? The most common example is changing an item that would be taxed at higher ordinary rates and converting it to a lower-level capital gains tax rate. The most common way to accomplish this is with a qualified retirement plan like a 401(k) or IRA.

And there you have it: all the basic tools that a tax planner can use to change or alter your taxes due.

Why a Cyber-Breach is an Extinction Level Event For a Small Firm, Part V

6/1/2020

In the previous post, I observed that a cyber-breach will probably cause litigation. There are three other potential costs.

As noted by the FTC on its website, most states now require companies to inform parties impacted by a data breach:

Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Here’s a good resource for the state-level statutory requirements.

We can add data restoration costs as the possibility exists that data will be lost or corrupted.

Then there’s reputational loss. To demonstrate this, ask yourself this hypothetical question: your business has two choices for a law firm. One law firm was recently the victim of a widely publicized data hack; the second one was not. Who would you do business with?

So, what's the typical cost of a data breach? A recent report from IBM contains several info-graphics. Let's start with this one:

The cost of a breach is high, involves a large number of records, and is difficult to discover.

And, the cost is high regardless of the size of the business that's a victim:

If you have a small to medium sized service-firm, your company is looking at a multi-million dollar loss.

Some Basic ABC's of Tax Planning

5/29/2020

If you have a question about this post that you'd like to discuss, please make an appointment with this link.

The tax computation is really a simple word problem. It begins with gross income, which includes anything that could be considered income.[1] Next, we exclude certain items.[2] Planners then subtract deductions[3] to arrive at taxable income.[4] This is multiplied by a tax rate to arrive at taxes due, which can be reduced by credits against tax.

So where do planners learn about what items to deduct, exclude, and credit? That’s where the tax code comes in. I use an abridged version of the tax code edited by Danial Lathrope. The book includes the actual code (26 U.S.C.) and accompanying Treasury Regulations.   The code provides general guidance. For example, section 162 states a taxpayer can deduct “all the ordinary and necessary expenses paid or incurred during the taxable year.”[5] The accompanying treasury regulations add further detail and clarification. In the case of section 162, the regulations specifically explain a number of deductions.

This isn’t the end of source documents. Planners also use Private Letter Rulings, Revenue Rulings, and case law, which provide in-depth analysis and explanations of the above items. For example, section 163 allows taxpayers to deduct interest. But what is interest, really? That’s where case law comes is, as judges have written numerous decisions that contain all the elements that are necessary for a court to recognize an interest-bearing transaction.

So, when planners come up with a way to change a client’s tax position, what they’re really doing is taking a fact pattern, converting it to numbers, and aligning the data with various code provisions to manipulate the basic tax equation.

[1] 26 U.S.C. §61

[2] 26 U.S.C. Subchapter B, Part III is titled, “Items specifically excluded[2] from gross income and includes such items as certain death benefits[2]

[3] A “deduction” is subtracted from gross income (“all income from whatever source derived”)[3] to arrive at “taxable income.”[3]

[4] 26 U.S.C. §63 (“taxable income” gross income minus the deductions allowed by this chapter.”)

Why a Cyber-Breach is An Extinction Level Event, Part IV

5/27/2020

If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.

Throughout this series, I have argued that a cyber-breach is an "extinction-level" event, meaning its occurrence will ultimately lead to bankruptcy. This post will explain why.

Two service professions -- doctors and lawyers -- have a duty of confidentiality. It's breach has severe consequences. For a lawyer, it can cause disbarment; for a doctor, it can lead to a malpractice claim.

The absence of a professional duty of confidentiality does not immunize a profession from liability in the event of an unauthorized disclosure. Many service relationships involve a non-disclosure agreement (if an agreement is not in place, it should be). There are also several torts available in the event of a data breach, including negligence (the firm had a duty to safeguard confidential data and did not do so), public disclosure of private facts, or breach of contract.

Imagine a data breach occurs at a service firm that holds the confidential data of 100 clients. 50 client records are released in the breach. The firm may now face 50 lawsuits involving some of the above mentioned causes of action. While the firm would be able to survive one, the more people who sue, the greater the possibility of a bankruptcy.

Is Tax Planning Risk Mitigation?

5/21/2020

If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.

I’m not entirely comfortable with lumping “tax planning” in with risk mitigation strategies for two reasons. First, pure risk is random whereas taxes have a clearly defined timetable. Second, poorly conceived and marketed tax marketing literature is a sign the plan runs afoul of anti-avoidance law, five judicial doctrines that allow courts to undo a transaction’s benefits if its substance differs from its form. For now, suffice it to say that poorly marketed tax reduction ideas place the seller into the tax scammers group.

This does not mean that tax planning is not allowed. In fact, a very strong argument could be made that an executive who didn’t consider the tax implications of a company’s business activities violated his fiduciary duty. So – where is the line between proper planning and tax evasion?

I’ll answer that question in two parts. The first is to categorize the specific actions that are endemic to planning. The second is to provide a brief explanation of specific anti-avoidance law doctrines that create the legal boundaries between proper and improper planning.

Let’s begin with the specific things that are possible under the tax code. There are contained in the code. There are three “gross”[1] numbers that are key to tax planning:

Gross income is “All income from whatever source derived.”[2]

Adjusted gross income gross income less specifically enumerated deductions.[3]

Taxable income is “gross income minus the deductions allowed by [the tax code].”[4]

The above numbers can be thought of as simple mathematical totals.

The code specifically defines and allows three actions related to the above numbers.

Deductions: these are specifically enumerated in the code[5] and are subtracted from gross income.[6]

Exemptions: these items are clear “accessions to wealth” but are excluded from computing gross income, usually for public policy reasons.

Credits: there are a dollar for dollar reduction in tax.[7] They are therefore preferred.

There are four additional strategies that require transactional planning:

Deferral: moving a taxable event to a future tax year.

Conversion: changing the amount of tax from a higher to lower amount (usually this means changing ordinary income into capital gain).

Extraction: moving a taxable event from the tax base (this usually involved moving money offshore).

Compression: lowering the total value of an asset.

In other words, despite all the bells and whistles of tax planning sales literature, there are only seven tools in the planner's tool belt.

Next, I'll take a look at some specific techniques used by planners.

[1] Here, the noun gross is used as a noun and means “overall, total” or “aggregate.” (https://www.merriam-webster.com/dictionary/gross)

[2] 26 U.S.C. §61

[3] See generally §62

[4] §63(a)

[5] See generally §151-§250

[6] 26 USC §161

[7] See generally §21-§54AA

Why a Cyber Breach as a Small or Medium-Sized Service Firm is an Extinction-Level Event, Pt III

5/19/2020

If you'd like to discuss this or other risk issues, please set up an appointment with my Calendly link.

In the first post in this series, I argued that a cyber incident was an extinction level event for a small to medium sized professional service firm. The second post explained why: professional service firms utilize confidential client information, stored in electronic format. The unauthorized release of this information harms clients, who then sue the service providers.

The ISO cyber policy defines the primary way for the data to be released as a “security breach” which is:

“… the acquisition of “personal information” held within a “computer system” or in non-electronic format while in the care, custody or control of the “insured” or “authorized third party” by a person:

a. Not authorized to have access to such information, or
b. Authorized to have access to such information but whose access results in the unauthorized disclose of such information.

Please see the previous post for a discussion of personal information.

“Care, custody, or control” is a legal term of art referencing bailment, which occurs when one person or entity entrusts their property to another. The law imposes a duty of care on the property-holding party while the property is in their “care, custody, or control.” This duty of care applies to professional service firms who hold client data.

The ISO policy defines a “third party” as “any entity that you engage under the terms of a written contract to perform services for you.” This definition encompasses cloud computing companies and contracts, which is another potential area of vulnerability.

According to the ISO definition, covered property can be held in electronic or non-electronic format. This data is then wrongfully acquired in one of two ways.

An unauthorized third person gains access, almost always by hacking,
A person authorized to have access allows an unauthorized person to access the information.

The method of unauthorized access is unimportant. The definition’s breadth allows it to apply to new and as of yet unknown threats.
Key to this situation is that confidential information leaves the service firms’ “care, custody, or control.” It then goes to a third-party who is not authorized to access it. This transfer will cause irreparable harm to the service firm’s client, who will then sue for damages.

Why a Cyber Breach At a Small Service Firms is an Extinction-Level Event, Part II

5/15/2020

   I previously argued that a cyber breach is an “extinction-level event” for small and medium-sized professional service firms. That post contained a sequence of events concluding with litigation that, due to its potential size, would lead to bankruptcy. This post starts an in-depth look at that sequence, beginning with an analysis of the stolen data and why its theft leads to a lawsuit.

   Professional service firms utilize expertise gained from a four-year college education and in some cases post-graduate work. Most of these professions require an initial licensing test; some mandate continuing education. The core business of these firms is to utilize intellectual capital to manipulate and interpret client-provided data.

   The ISO cyber polity defines this data “personal information:”

… any information not available to the general public for any reason through which an individual may be identified including, but not limited to…

Social Security number, driver’s license number, or state identification number
Protected health information
Financial account numbers
Security codes, passwords, PINs associated with credit, debit, or charge card numbers which would permit access to financial accounts
Any other nonpublic information as defined in “privacy regulations.”

While points a, b, and d mostly apply to individuals, the definition is “not limited to” these items. Non-specifically enumerated items are “not available to the public” – in other words, “confidential.” This immediately brings to mind the legal and medical duty of confidentiality; financial information disclosed to accountants is not far behind. Engineering, architects and actuarial firms also utilize proprietary data for their respective job functions. These examples illustrate that it is almost impossible for any service company to argue it doesn’t utilize “personal information” as defined by the cyber policy.

This explains why litigation is likely to result from a data breach; aggrieved clients will argue the unauthorized release has harmed their company, perhaps fatally. They will allege that their data was protected by statute, provides their competitors with an edge in the marketplace, or is simply information that a reasonable person wouldn’t want in the public domain. Clients will seek large damages and will be aggressive in litigation. This is what will lead cause the firm’s “extinction” or, in the language of business, its bankruptcy.

Why A Cyber Incident Is An Extinction Level Event For Smaller Service Firms

5/11/2020

   A cyber incident occurring at a professional services firm (law office, accounting firm, medical practice) is an extinction level event.

   To illustrate that point, I will use the following hypothetical:

   Firm X has 20 professionals: 5 senior staff oversee and are responsible for the work of 15 junior staff. The firm has 100 clients whose data is stored electronically. On July 1 of year 200X, a client informs the firm that confidential data held by the firm has been used in a compromising way. The hack could only be traced to the service firm.

    Here is the likely chain of events.

   1.)   The firm must notify customers of the data breach.[1]

   2.)   A percentage of clients will pull their business from the firm.

    3.)   Some of these clients will tell of their bad experiences to other clients.

    4.)   In the age of social media, the possibility of negative publicity multiplying the damage is high. This will suppress future business.

   The preceding events could probably be managed or at least mitigated via a disaster response program. However, that costs money.

   However,

     1.)   The firm should expect to be sued

    2.)   Several service professionals (lawyers and doctors) will be accused of violating oaths of confidentiality (which they have).

    3.)   The probability of a large number of plaintiffs joining in a single cause of action is high.

   4.)   Even if class action does not occur, multiple lawsuits are possible.

   5.) A high number of lawsuits equals expensive litigation, and possibly more bad publicity.

And that’s not all

   1.)   In some situations, managing members/partners/shareholders may be accused of violating a duty to the company to keep the data safe.

    2.)   This potentially triggers personal liability for these individuals.

   For a larger firm, survival is possible. But for a smaller firm – like the 20 member firm cited above – survival would be less than likely.

   Over the next few blog posts, I’ll be looking at this situation in more detail, using the ISO cyber policy as a template.



[1] https://www.itgovernanceusa.com/data-breach-notification-laws#TX

t.

A (Very Brief) Explanation of the Current COVID/Business Interruption Litigation

5/9/2020

   At 1PM On Thursday, May 14, I'll be giving a webinar discussing ways to lower your company's liability exposure in a COVID-19 world. You can sign-up by z clicking on this link.

    There has been – and will continue to be – a tsunami of legal issues and claims resulting from the COVID-19 pandemic. The lawsuits started almost immediately after insurers started denying business interruption claims. A growing number of state legislatures are proposing legislation to require insurers to cover interruption claims while members of the House of Representatives sent an open letter to the insurance industry, nudging the sector to cover interruption losses. The industry politely declined in its own open letter.

     This post will briefly explain the issues involved.

What exactly is the issue?

     The legal controversy centers on a few key aspects of the commercial property coverage. The first is the definition of “property damage,” which the policy defines as, “direct physical loss or damage.”[1] Direct means, “Stemming immediately from a source,”[2] while physical means, “having material existence; perceptible through the senses.”[3] This definition is understandable in the case of a natural event like lightning, fire, or a tornado.

     But what about the pandemic? Here the issue is murkier. In the case of COVID contamination there is a legitimate question of whether or not “direct physical damage” of the type contemplated by the policy exists. Visually compare a fire with viral contamination. The former is clearly visible while also requiring a large amount of restoration. That latter can’t be seen and can be remediated for far less expense then with the case of a fire.

     The controversy doesn’t stop there. Some insureds are arguing that the inability to use their property as a result of the government shutdown qualifies as property damage. While this is clearly not typical “direct physical damage,” it is in line with some state law cases that ruled an event rendering property uninhabitable or unusable is a direct physical loss as required by the policy. Expect this argument to be fought tooth and nail to the highest legal in a jurisdiction.

     Some policies contain a virus exclusion that would place the insured at a tremendous disadvantage when filing a claim. But the plaintiff is not without recourse, as he could simply say, “prove it.” Without actual proof, the insured would have a good argument at trial argument, as he could simply say, “the insurer said there was contamination, but they never inspected the property.”

     And then we get to the issue of business income, which is defined as “net income” which is, ”net profit or loss before income taxes” and, “continuing, normal operating expenses incurred, including payroll.” If ever there was an area ripe for a battle of the experts, this is it. Expect the insured to argue for maximum net income while the insurer will claim a lower amount.

   This is just a brief overview of the issues. Please contact me if you'd like to discuss this in more detail.


[1] ISO CP 00 99 10 12

[2] Online Merriam-Webster Dictionary, last visited on April 28, 2020 (https://www.merriam-webster.com/dictionary/direct.)

[3] Online Merriam-Webster Dictionary last visited on April 28, 2020 (“https://www.merriam-webster.com/dictionary/physical”)

<<Previous

Hale Stewart's Law Blog