|
In the previous post, I observed that a cyber-breach will probably cause litigation. There are three other potential costs. As noted by the FTC on its website, most states now require companies to inform parties impacted by a data breach: Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. Here’s a good resource for the state-level statutory requirements. We can add data restoration costs as the possibility exists that data will be lost or corrupted. Then there’s reputational loss. To demonstrate this, ask yourself this hypothetical question: your business has two choices for a law firm. One law firm was recently the victim of a widely publicized data hack; the second one was not. Who would you do business with? So, what's the typical cost of a data breach? A recent report from IBM contains several info-graphics. Let's start with this one:  The cost of a breach is high, involves a large number of records, and is difficult to discover. And, the cost is high regardless of the size of the business that's a victim:  If you have a small to medium sized service-firm, your company is looking at a multi-million dollar loss.
If you have a question about this post that you'd like to discuss, please make an appointment with this link. The tax computation is really a simple word problem. It begins with gross income, which includes anything that could be considered income.[1] Next, we exclude certain items.[2] Planners then subtract deductions[3] to arrive at taxable income.[4] This is multiplied by a tax rate to arrive at taxes due, which can be reduced by credits against tax. So where do planners learn about what items to deduct, exclude, and credit? That’s where the tax code comes in. I use an abridged version of the tax code edited by Danial Lathrope. The book includes the actual code (26 U.S.C.) and accompanying Treasury Regulations. The code provides general guidance. For example, section 162 states a taxpayer can deduct “all the ordinary and necessary expenses paid or incurred during the taxable year.”[5] The accompanying treasury regulations add further detail and clarification. In the case of section 162, the regulations specifically explain a number of deductions. This isn’t the end of source documents. Planners also use Private Letter Rulings, Revenue Rulings, and case law, which provide in-depth analysis and explanations of the above items. For example, section 163 allows taxpayers to deduct interest. But what is interest, really? That’s where case law comes is, as judges have written numerous decisions that contain all the elements that are necessary for a court to recognize an interest-bearing transaction. So, when planners come up with a way to change a client’s tax position, what they’re really doing is taking a fact pattern, converting it to numbers, and aligning the data with various code provisions to manipulate the basic tax equation. [1] 26 U.S.C. §61 [2] 26 U.S.C. Subchapter B, Part III is titled, “Items specifically excluded[2] from gross income and includes such items as certain death benefits[2] [3] A “deduction” is subtracted from gross income (“all income from whatever source derived”)[3] to arrive at “taxable income.”[3] [4] 26 U.S.C. §63 (“taxable income” gross income minus the deductions allowed by this chapter.”) If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.
Throughout this series, I have argued that a cyber-breach is an "extinction-level" event, meaning its occurrence will ultimately lead to bankruptcy. This post will explain why. Two service professions -- doctors and lawyers -- have a duty of confidentiality. It's breach has severe consequences. For a lawyer, it can cause disbarment; for a doctor, it can lead to a malpractice claim. The absence of a professional duty of confidentiality does not immunize a profession from liability in the event of an unauthorized disclosure. Many service relationships involve a non-disclosure agreement (if an agreement is not in place, it should be). There are also several torts available in the event of a data breach, including negligence (the firm had a duty to safeguard confidential data and did not do so), public disclosure of private facts, or breach of contract. Imagine a data breach occurs at a service firm that holds the confidential data of 100 clients. 50 client records are released in the breach. The firm may now face 50 lawsuits involving some of the above mentioned causes of action. While the firm would be able to survive one, the more people who sue, the greater the possibility of a bankruptcy. If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.
I’m not entirely comfortable with lumping “tax planning” in with risk mitigation strategies for two reasons. First, pure risk is random whereas taxes have a clearly defined timetable. Second, poorly conceived and marketed tax marketing literature is a sign the plan runs afoul of anti-avoidance law, five judicial doctrines that allow courts to undo a transaction’s benefits if its substance differs from its form. For now, suffice it to say that poorly marketed tax reduction ideas place the seller into the tax scammers group. This does not mean that tax planning is not allowed. In fact, a very strong argument could be made that an executive who didn’t consider the tax implications of a company’s business activities violated his fiduciary duty. So – where is the line between proper planning and tax evasion? I’ll answer that question in two parts. The first is to categorize the specific actions that are endemic to planning. The second is to provide a brief explanation of specific anti-avoidance law doctrines that create the legal boundaries between proper and improper planning. Let’s begin with the specific things that are possible under the tax code. There are contained in the code. There are three “gross”[1] numbers that are key to tax planning: Gross income is “All income from whatever source derived.”[2] Adjusted gross income gross income less specifically enumerated deductions.[3] Taxable income is “gross income minus the deductions allowed by [the tax code].”[4] The above numbers can be thought of as simple mathematical totals. The code specifically defines and allows three actions related to the above numbers. Deductions: these are specifically enumerated in the code[5] and are subtracted from gross income.[6] Exemptions: these items are clear “accessions to wealth” but are excluded from computing gross income, usually for public policy reasons. Credits: there are a dollar for dollar reduction in tax.[7] They are therefore preferred. There are four additional strategies that require transactional planning: Deferral: moving a taxable event to a future tax year. Conversion: changing the amount of tax from a higher to lower amount (usually this means changing ordinary income into capital gain). Extraction: moving a taxable event from the tax base (this usually involved moving money offshore). Compression: lowering the total value of an asset. In other words, despite all the bells and whistles of tax planning sales literature, there are only seven tools in the planner's tool belt. Next, I'll take a look at some specific techniques used by planners. [1] Here, the noun gross is used as a noun and means “overall, total” or “aggregate.” (https://www.merriam-webster.com/dictionary/gross) [2] 26 U.S.C. §61 [3] See generally §62 [4] §63(a) [5] See generally §151-§250 [6] 26 USC §161 [7] See generally §21-§54AA Why a Cyber Breach as a Small or Medium-Sized Service Firm is an Extinction-Level Event, Pt III5/19/2020
If you'd like to discuss this or other risk issues, please set up an appointment with my Calendly link.
In the first post in this series, I argued that a cyber incident was an extinction level event for a small to medium sized professional service firm. The second post explained why: professional service firms utilize confidential client information, stored in electronic format. The unauthorized release of this information harms clients, who then sue the service providers. The ISO cyber policy defines the primary way for the data to be released as a “security breach” which is: “… the acquisition of “personal information” held within a “computer system” or in non-electronic format while in the care, custody or control of the “insured” or “authorized third party” by a person: a. Not authorized to have access to such information, or b. Authorized to have access to such information but whose access results in the unauthorized disclose of such information. Please see the previous post for a discussion of personal information. “Care, custody, or control” is a legal term of art referencing bailment, which occurs when one person or entity entrusts their property to another. The law imposes a duty of care on the property-holding party while the property is in their “care, custody, or control.” This duty of care applies to professional service firms who hold client data. The ISO policy defines a “third party” as “any entity that you engage under the terms of a written contract to perform services for you.” This definition encompasses cloud computing companies and contracts, which is another potential area of vulnerability. According to the ISO definition, covered property can be held in electronic or non-electronic format. This data is then wrongfully acquired in one of two ways.
The method of unauthorized access is unimportant. The definition’s breadth allows it to apply to new and as of yet unknown threats. Key to this situation is that confidential information leaves the service firms’ “care, custody, or control.” It then goes to a third-party who is not authorized to access it. This transfer will cause irreparable harm to the service firm’s client, who will then sue for damages. I previously argued that a cyber breach is an “extinction-level event” for small and medium-sized professional service firms. That post contained a sequence of events concluding with litigation that, due to its potential size, would lead to bankruptcy. This post starts an in-depth look at that sequence, beginning with an analysis of the stolen data and why its theft leads to a lawsuit. Professional service firms utilize expertise gained from a four-year college education and in some cases post-graduate work. Most of these professions require an initial licensing test; some mandate continuing education. The core business of these firms is to utilize intellectual capital to manipulate and interpret client-provided data. The ISO cyber polity defines this data “personal information:” … any information not available to the general public for any reason through which an individual may be identified including, but not limited to…
While points a, b, and d mostly apply to individuals, the definition is “not limited to” these items. Non-specifically enumerated items are “not available to the public” – in other words, “confidential.” This immediately brings to mind the legal and medical duty of confidentiality; financial information disclosed to accountants is not far behind. Engineering, architects and actuarial firms also utilize proprietary data for their respective job functions. These examples illustrate that it is almost impossible for any service company to argue it doesn’t utilize “personal information” as defined by the cyber policy. This explains why litigation is likely to result from a data breach; aggrieved clients will argue the unauthorized release has harmed their company, perhaps fatally. They will allege that their data was protected by statute, provides their competitors with an edge in the marketplace, or is simply information that a reasonable person wouldn’t want in the public domain. Clients will seek large damages and will be aggressive in litigation. This is what will lead cause the firm’s “extinction” or, in the language of business, its bankruptcy. A cyber incident occurring at a professional services firm (law office, accounting firm, medical practice) is an extinction level event.
To illustrate that point, I will use the following hypothetical: Firm X has 20 professionals: 5 senior staff oversee and are responsible for the work of 15 junior staff. The firm has 100 clients whose data is stored electronically. On July 1 of year 200X, a client informs the firm that confidential data held by the firm has been used in a compromising way. The hack could only be traced to the service firm. Here is the likely chain of events. 1.) The firm must notify customers of the data breach.[1] 2.) A percentage of clients will pull their business from the firm. 3.) Some of these clients will tell of their bad experiences to other clients. 4.) In the age of social media, the possibility of negative publicity multiplying the damage is high. This will suppress future business. The preceding events could probably be managed or at least mitigated via a disaster response program. However, that costs money. However, 1.) The firm should expect to be sued 2.) Several service professionals (lawyers and doctors) will be accused of violating oaths of confidentiality (which they have). 3.) The probability of a large number of plaintiffs joining in a single cause of action is high. 4.) Even if class action does not occur, multiple lawsuits are possible. 5.) A high number of lawsuits equals expensive litigation, and possibly more bad publicity. And that’s not all 1.) In some situations, managing members/partners/shareholders may be accused of violating a duty to the company to keep the data safe. 2.) This potentially triggers personal liability for these individuals. For a larger firm, survival is possible. But for a smaller firm – like the 20 member firm cited above – survival would be less than likely. Over the next few blog posts, I’ll be looking at this situation in more detail, using the ISO cyber policy as a template. [1] https://www.itgovernanceusa.com/data-breach-notification-laws#TX t. At 1PM On Thursday, May 14, I'll be giving a webinar discussing ways to lower your company's liability exposure in a COVID-19 world. You can sign-up by clicking on this link.
There has been – and will continue to be – a tsunami of legal issues and claims resulting from the COVID-19 pandemic. The lawsuits started almost immediately after insurers started denying business interruption claims. A growing number of state legislatures are proposing legislation to require insurers to cover interruption claims while members of the House of Representatives sent an open letter to the insurance industry, nudging the sector to cover interruption losses. The industry politely declined in its own open letter. This post will briefly explain the issues involved. What exactly is the issue? The legal controversy centers on a few key aspects of the commercial property coverage. The first is the definition of “property damage,” which the policy defines as, “direct physical loss or damage.”[1] Direct means, “Stemming immediately from a source,”[2] while physical means, “having material existence; perceptible through the senses.”[3] This definition is understandable in the case of a natural event like lightning, fire, or a tornado. But what about the pandemic? Here the issue is murkier. In the case of COVID contamination there is a legitimate question of whether or not “direct physical damage” of the type contemplated by the policy exists. Visually compare a fire with viral contamination. The former is clearly visible while also requiring a large amount of restoration. That latter can’t be seen and can be remediated for far less expense then with the case of a fire. The controversy doesn’t stop there. Some insureds are arguing that the inability to use their property as a result of the government shutdown qualifies as property damage. While this is clearly not typical “direct physical damage,” it is in line with some state law cases that ruled an event rendering property uninhabitable or unusable is a direct physical loss as required by the policy. Expect this argument to be fought tooth and nail to the highest legal in a jurisdiction. Some policies contain a virus exclusion that would place the insured at a tremendous disadvantage when filing a claim. But the plaintiff is not without recourse, as he could simply say, “prove it.” Without actual proof, the insured would have a good argument at trial argument, as he could simply say, “the insurer said there was contamination, but they never inspected the property.” And then we get to the issue of business income, which is defined as “net income” which is, ”net profit or loss before income taxes” and, “continuing, normal operating expenses incurred, including payroll.” If ever there was an area ripe for a battle of the experts, this is it. Expect the insured to argue for maximum net income while the insurer will claim a lower amount. This is just a brief overview of the issues. Please contact me if you'd like to discuss this in more detail. [1] ISO CP 00 99 10 12 [2] Online Merriam-Webster Dictionary, last visited on April 28, 2020 (https://www.merriam-webster.com/dictionary/direct.) [3] Online Merriam-Webster Dictionary last visited on April 28, 2020 (“https://www.merriam-webster.com/dictionary/physical”) The Texas ISO Commercial Cyber Insurance Policy (CY 00 01 01 18) covers six risks. The first is for a “security breach,” which occurs when:
Key to both definitions is the word, “authorize,” which means, “to grant authority,”[1] or, “to give official permission for or approval to.”[2] The policy’s definition uses the past tense (-ed) meaning permission was granted before the triggering event. To illustrate this concept, I’ll use two fictional characters: John Smith and Main Street Bank or “MSB.” As part of a standard loan application, Mr. Smith granted MSB the right to perform a credit check. In doing so, Mr. Smith signs a document allowing MSB to use Mr. Smith’s social security number. The bank performs the check but keeps Mr. Smith’s number on electronic file. Two years later, the bank is hacked by a third party. The hack is performed from foreign soil where MBS has no employees nor any subcontractor relationship. This clearly triggers coverage number one. Two years later, the loan officer who performed the due diligence for the loan has his laptop stolen. Mr. Smith’s social security number is still on the computer. The person who stole the laptop successfully hacks the computer and sells Mr. Smith’s data. This triggers coverage number two. Security Breach coverage specifically applies to “personal information,” which has two factors
Available means, “able to be obtained,”[3] or something which is, “at hand.”[4] “Not” is “used to express negation,”[5] which means the information isn’t easily obtained. Public is “open knowledge to all,”[6] while general means, “whole or every member of a category.”[7] A "reason" is a “justification”[8] while “any” means, “one or some regardless of kind or quantity.”[9] Combining all these definitions, we get information that any person not personally close to the insured would have any knowledge of regardless of the justification they offered. Here, a good argument can be made that the public would include all people not specifically authorized to have the data. The key word in the next sentence is, “identified” which means, “the collective aspects of the set of characteristics by which an individual is recognizable.”[10] The policy then specifically names certain common identifying data such as a driver’s license numbers, social security numbers, HIPPA protected information, financial account numbers, and the like. The point is that there is key data which can be used to specifically identify an individual. Loss specifically includes the cost of forensics to “establish whether a “security breach” has occurred or is occurring, the cost to notify parties “affected by the security breach,” overtime salaries paid to employees “to handle inquiries from the parties affected,” costs to run a call center to handle inquiries, post-event monitoring, and “any other reasonable expense, incurred by the insured with the written consent of the insurer. [1] The American Heritage Dictionary, Second College Edition, © 1985, pg. 142 [2] The Concise Oxford English Dictionary, © 2004, pg. 88 [3] Oxford, pg. 90 [4] American Heritage, pg. 144 [5] American Heritage, pg. 849 [6] Oxford at 1160 [7] American Heritage, pg. 552 [8] Oxford, pg. 1198 [9] American Heritage, pg. 117 [10] American Heritage, pg. 639  Compare the following two sentences:
Number 1 – the actual text of §163(a) – suffers from the same awkward and convoluted wording of many tax code sentences. The second sentence employs a clear, “subject, verb, predicate” structure that a reader can quickly grasp. While the second sentence is editorially preferable, we’re stuck with the first sentence. The statute’s first four words follow a pattern similar to §162 – a dummy subject followed by a verb phrase where “shall” is substituted for “will,” to indicate future tense. The verb “allow” means, “to let someone … do something.”[1] The complete impact of the first four words is that the government is granting taxpayers permission to do something. Ideally, the next five words would clearly tell the taxpayer what that is. Instead, the next five words (“as a deduction all interest”) are awkward. The drafters want to say, “all interest is allowed as a deduction.” Unfortunately, the prepositional phrase which tells is in what capacity we can treat interest[2] comes before the noun, creating an awkward phrasing that requires several readings to fully understand. “As a deduction” tells how we can treat “all interest.” The statute allows the taxpayer to deduct two types of interest: paid and accrued. Pay means, “to give (money) in exchange for goods or services.”[3] Its past tense is “paid.” This verb invokes the cash method of accounting, which allows a taxpayer to deduct an item, “for the taxable year in which actually made.”[4] Accrued is the past tense of accrue; it is an accounting term of art, which the Treasury Regulations define as, Generally, under an accrual method, income is to be included for the taxable year when all the events have occurred that fix the right to receive the income and the amount of the income can be determined with reasonable accuracy.[5] The payment (whether paid of accrued) must occur “within the taxable year.” "Within" is a preposition which means, “Inside the range of.”[6] The code defines a “taxable year,” as “… the calendar year, or the fiscal year ending during such calendar year, upon the basis of which the taxable income is computed under subtitle A.”[7] The preposition “on” has numerous meanings. It’s use in the phrase “on indebtedness” connotes, “used to indicates a source or basis.”[8] There are several ways to defines indebtedness. I like the definition contained in UCC §3-104(a): “an unconditional promise or order to pay fixed amount of money, with or without interest or other charges described in the promise or order.” While this is the definition of a check, it has the same elements as a debt and is a well-written sentence. [1] Concise Oxford English Dictionary, © 2004, p. 36 [2] Merriam-Webster Online Dictionary (https://www.merriam-webster.com/dictionary/as), last visited on February 13 (as means, “in the capacity, character, condition, or role of.”) [3] The American Heritage Dictionary, Second College Edition © 1985, p. 911 [4] Treas. Reg. 1.446-1(c)(ii) [5] Id; see also 1.446-2 Method of Accounting for Interest [6] Oxford at 1657 [7] 26 U.S.C. §7701(a)(23) [8] American Heritage at 867 |
Link From Our Previous Blog
Archives
May 2020
Categories |
RSS Feed