|
This is the last post in my cyber series. Here, I’ll be offering my suggestions about the content of an ideal cyber policy.
Don’t purchase a policy that covers a specific method or type of breach. The policy should cover the unauthorized release of “personal information” – data that specifically identifies an individual or company – and “ransomware.” Why? Because the nature of hacking is ever-changing. It’s possible that a new method will emerge between the date of policy issuance and the cyber event. Second, make sure the policy covers the very broad range of potential damages, which include:
That's it for this series. In my previous tax planning blog post, I explained the three methods (deduction, exclusion, and credit) that are derived from the tax code. This post will briefly explain four methods that focus on planning. Method 1: Extraction What is it? Extraction occurs when the taxpayer removes (or “extracts”) an item of income from the tax base. This most commonly involves moving an item from the US economy and placing it into a tax haven and then structuring the transaction to somehow escape inclusion in the US taxpayer’s US tax base. Method 2: Deferral What is it? Here, the planner simply moves the realization event (which triggers inclusion into the taxpayer’s gross income for a specific year) to a future date. The farther into the future the planner can place the event, the better. Method 3: Compression What is it? Here the planner makes a total amount of assets appear smaller, reducing the tax burden. The most common example is a family limited partnership where the planner will make the children limited partners and then mechanically encumber each limited partnership interest to lower its fair market value. Method 4: Conversion What is it? The most common example is changing an item that would be taxed at higher ordinary rates and converting it to a lower-level capital gains tax rate. The most common way to accomplish this is with a qualified retirement plan like a 401(k) or IRA. And there you have it: all the basic tools that a tax planner can use to change or alter your taxes due. In the previous post, I observed that a cyber-breach will probably cause litigation. There are three other potential costs. As noted by the FTC on its website, most states now require companies to inform parties impacted by a data breach: Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. Here’s a good resource for the state-level statutory requirements. We can add data restoration costs as the possibility exists that data will be lost or corrupted. Then there’s reputational loss. To demonstrate this, ask yourself this hypothetical question: your business has two choices for a law firm. One law firm was recently the victim of a widely publicized data hack; the second one was not. Who would you do business with? So, what's the typical cost of a data breach? A recent report from IBM contains several info-graphics. Let's start with this one:  The cost of a breach is high, involves a large number of records, and is difficult to discover. And, the cost is high regardless of the size of the business that's a victim:  If you have a small to medium sized service-firm, your company is looking at a multi-million dollar loss.
If you have a question about this post that you'd like to discuss, please make an appointment with this link. The tax computation is really a simple word problem. It begins with gross income, which includes anything that could be considered income.[1] Next, we exclude certain items.[2] Planners then subtract deductions[3] to arrive at taxable income.[4] This is multiplied by a tax rate to arrive at taxes due, which can be reduced by credits against tax. So where do planners learn about what items to deduct, exclude, and credit? That’s where the tax code comes in. I use an abridged version of the tax code edited by Danial Lathrope. The book includes the actual code (26 U.S.C.) and accompanying Treasury Regulations. The code provides general guidance. For example, section 162 states a taxpayer can deduct “all the ordinary and necessary expenses paid or incurred during the taxable year.”[5] The accompanying treasury regulations add further detail and clarification. In the case of section 162, the regulations specifically explain a number of deductions. This isn’t the end of source documents. Planners also use Private Letter Rulings, Revenue Rulings, and case law, which provide in-depth analysis and explanations of the above items. For example, section 163 allows taxpayers to deduct interest. But what is interest, really? That’s where case law comes is, as judges have written numerous decisions that contain all the elements that are necessary for a court to recognize an interest-bearing transaction. So, when planners come up with a way to change a client’s tax position, what they’re really doing is taking a fact pattern, converting it to numbers, and aligning the data with various code provisions to manipulate the basic tax equation. [1] 26 U.S.C. §61 [2] 26 U.S.C. Subchapter B, Part III is titled, “Items specifically excluded[2] from gross income and includes such items as certain death benefits[2] [3] A “deduction” is subtracted from gross income (“all income from whatever source derived”)[3] to arrive at “taxable income.”[3] [4] 26 U.S.C. §63 (“taxable income” gross income minus the deductions allowed by this chapter.”) If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.
Throughout this series, I have argued that a cyber-breach is an "extinction-level" event, meaning its occurrence will ultimately lead to bankruptcy. This post will explain why. Two service professions -- doctors and lawyers -- have a duty of confidentiality. It's breach has severe consequences. For a lawyer, it can cause disbarment; for a doctor, it can lead to a malpractice claim. The absence of a professional duty of confidentiality does not immunize a profession from liability in the event of an unauthorized disclosure. Many service relationships involve a non-disclosure agreement (if an agreement is not in place, it should be). There are also several torts available in the event of a data breach, including negligence (the firm had a duty to safeguard confidential data and did not do so), public disclosure of private facts, or breach of contract. Imagine a data breach occurs at a service firm that holds the confidential data of 100 clients. 50 client records are released in the breach. The firm may now face 50 lawsuits involving some of the above mentioned causes of action. While the firm would be able to survive one, the more people who sue, the greater the possibility of a bankruptcy. If you'd like to discuss risk mitigation for your company, please use this link to make an appointment.
I’m not entirely comfortable with lumping “tax planning” in with risk mitigation strategies for two reasons. First, pure risk is random whereas taxes have a clearly defined timetable. Second, poorly conceived and marketed tax marketing literature is a sign the plan runs afoul of anti-avoidance law, five judicial doctrines that allow courts to undo a transaction’s benefits if its substance differs from its form. For now, suffice it to say that poorly marketed tax reduction ideas place the seller into the tax scammers group. This does not mean that tax planning is not allowed. In fact, a very strong argument could be made that an executive who didn’t consider the tax implications of a company’s business activities violated his fiduciary duty. So – where is the line between proper planning and tax evasion? I’ll answer that question in two parts. The first is to categorize the specific actions that are endemic to planning. The second is to provide a brief explanation of specific anti-avoidance law doctrines that create the legal boundaries between proper and improper planning. Let’s begin with the specific things that are possible under the tax code. There are contained in the code. There are three “gross”[1] numbers that are key to tax planning: Gross income is “All income from whatever source derived.”[2] Adjusted gross income gross income less specifically enumerated deductions.[3] Taxable income is “gross income minus the deductions allowed by [the tax code].”[4] The above numbers can be thought of as simple mathematical totals. The code specifically defines and allows three actions related to the above numbers. Deductions: these are specifically enumerated in the code[5] and are subtracted from gross income.[6] Exemptions: these items are clear “accessions to wealth” but are excluded from computing gross income, usually for public policy reasons. Credits: there are a dollar for dollar reduction in tax.[7] They are therefore preferred. There are four additional strategies that require transactional planning: Deferral: moving a taxable event to a future tax year. Conversion: changing the amount of tax from a higher to lower amount (usually this means changing ordinary income into capital gain). Extraction: moving a taxable event from the tax base (this usually involved moving money offshore). Compression: lowering the total value of an asset. In other words, despite all the bells and whistles of tax planning sales literature, there are only seven tools in the planner's tool belt. Next, I'll take a look at some specific techniques used by planners. [1] Here, the noun gross is used as a noun and means “overall, total” or “aggregate.” (https://www.merriam-webster.com/dictionary/gross) [2] 26 U.S.C. §61 [3] See generally §62 [4] §63(a) [5] See generally §151-§250 [6] 26 USC §161 [7] See generally §21-§54AA Why a Cyber Breach as a Small or Medium-Sized Service Firm is an Extinction-Level Event, Pt III5/19/2020
If you'd like to discuss this or other risk issues, please set up an appointment with my Calendly link.
In the first post in this series, I argued that a cyber incident was an extinction level event for a small to medium sized professional service firm. The second post explained why: professional service firms utilize confidential client information, stored in electronic format. The unauthorized release of this information harms clients, who then sue the service providers. The ISO cyber policy defines the primary way for the data to be released as a “security breach” which is: “… the acquisition of “personal information” held within a “computer system” or in non-electronic format while in the care, custody or control of the “insured” or “authorized third party” by a person: a. Not authorized to have access to such information, or b. Authorized to have access to such information but whose access results in the unauthorized disclose of such information. Please see the previous post for a discussion of personal information. “Care, custody, or control” is a legal term of art referencing bailment, which occurs when one person or entity entrusts their property to another. The law imposes a duty of care on the property-holding party while the property is in their “care, custody, or control.” This duty of care applies to professional service firms who hold client data. The ISO policy defines a “third party” as “any entity that you engage under the terms of a written contract to perform services for you.” This definition encompasses cloud computing companies and contracts, which is another potential area of vulnerability. According to the ISO definition, covered property can be held in electronic or non-electronic format. This data is then wrongfully acquired in one of two ways.
The method of unauthorized access is unimportant. The definition’s breadth allows it to apply to new and as of yet unknown threats. Key to this situation is that confidential information leaves the service firms’ “care, custody, or control.” It then goes to a third-party who is not authorized to access it. This transfer will cause irreparable harm to the service firm’s client, who will then sue for damages. I previously argued that a cyber breach is an “extinction-level event” for small and medium-sized professional service firms. That post contained a sequence of events concluding with litigation that, due to its potential size, would lead to bankruptcy. This post starts an in-depth look at that sequence, beginning with an analysis of the stolen data and why its theft leads to a lawsuit. Professional service firms utilize expertise gained from a four-year college education and in some cases post-graduate work. Most of these professions require an initial licensing test; some mandate continuing education. The core business of these firms is to utilize intellectual capital to manipulate and interpret client-provided data. The ISO cyber polity defines this data “personal information:” … any information not available to the general public for any reason through which an individual may be identified including, but not limited to…
While points a, b, and d mostly apply to individuals, the definition is “not limited to” these items. Non-specifically enumerated items are “not available to the public” – in other words, “confidential.” This immediately brings to mind the legal and medical duty of confidentiality; financial information disclosed to accountants is not far behind. Engineering, architects and actuarial firms also utilize proprietary data for their respective job functions. These examples illustrate that it is almost impossible for any service company to argue it doesn’t utilize “personal information” as defined by the cyber policy. This explains why litigation is likely to result from a data breach; aggrieved clients will argue the unauthorized release has harmed their company, perhaps fatally. They will allege that their data was protected by statute, provides their competitors with an edge in the marketplace, or is simply information that a reasonable person wouldn’t want in the public domain. Clients will seek large damages and will be aggressive in litigation. This is what will lead cause the firm’s “extinction” or, in the language of business, its bankruptcy. |
Link From Our Previous Blog
Archives
June 2020
Categories |
RSS Feed