|
A cyber incident occurring at a professional services firm (law office, accounting firm, medical practice) is an extinction level event.
To illustrate that point, I will use the following hypothetical: Firm X has 20 professionals: 5 senior staff oversee and are responsible for the work of 15 junior staff. The firm has 100 clients whose data is stored electronically. On July 1 of year 200X, a client informs the firm that confidential data held by the firm has been used in a compromising way. The hack could only be traced to the service firm. Here is the likely chain of events. 1.) The firm must notify customers of the data breach.[1] 2.) A percentage of clients will pull their business from the firm. 3.) Some of these clients will tell of their bad experiences to other clients. 4.) In the age of social media, the possibility of negative publicity multiplying the damage is high. This will suppress future business. The preceding events could probably be managed or at least mitigated via a disaster response program. However, that costs money. However, 1.) The firm should expect to be sued 2.) Several service professionals (lawyers and doctors) will be accused of violating oaths of confidentiality (which they have). 3.) The probability of a large number of plaintiffs joining in a single cause of action is high. 4.) Even if class action does not occur, multiple lawsuits are possible. 5.) A high number of lawsuits equals expensive litigation, and possibly more bad publicity. And that’s not all 1.) In some situations, managing members/partners/shareholders may be accused of violating a duty to the company to keep the data safe. 2.) This potentially triggers personal liability for these individuals. For a larger firm, survival is possible. But for a smaller firm – like the 20 member firm cited above – survival would be less than likely. Over the next few blog posts, I’ll be looking at this situation in more detail, using the ISO cyber policy as a template. [1] https://www.itgovernanceusa.com/data-breach-notification-laws#TX t. At 1PM On Thursday, May 14, I'll be giving a webinar discussing ways to lower your company's liability exposure in a COVID-19 world. You can sign-up by clicking on this link.
There has been – and will continue to be – a tsunami of legal issues and claims resulting from the COVID-19 pandemic. The lawsuits started almost immediately after insurers started denying business interruption claims. A growing number of state legislatures are proposing legislation to require insurers to cover interruption claims while members of the House of Representatives sent an open letter to the insurance industry, nudging the sector to cover interruption losses. The industry politely declined in its own open letter. This post will briefly explain the issues involved. What exactly is the issue? The legal controversy centers on a few key aspects of the commercial property coverage. The first is the definition of “property damage,” which the policy defines as, “direct physical loss or damage.”[1] Direct means, “Stemming immediately from a source,”[2] while physical means, “having material existence; perceptible through the senses.”[3] This definition is understandable in the case of a natural event like lightning, fire, or a tornado. But what about the pandemic? Here the issue is murkier. In the case of COVID contamination there is a legitimate question of whether or not “direct physical damage” of the type contemplated by the policy exists. Visually compare a fire with viral contamination. The former is clearly visible while also requiring a large amount of restoration. That latter can’t be seen and can be remediated for far less expense then with the case of a fire. The controversy doesn’t stop there. Some insureds are arguing that the inability to use their property as a result of the government shutdown qualifies as property damage. While this is clearly not typical “direct physical damage,” it is in line with some state law cases that ruled an event rendering property uninhabitable or unusable is a direct physical loss as required by the policy. Expect this argument to be fought tooth and nail to the highest legal in a jurisdiction. Some policies contain a virus exclusion that would place the insured at a tremendous disadvantage when filing a claim. But the plaintiff is not without recourse, as he could simply say, “prove it.” Without actual proof, the insured would have a good argument at trial argument, as he could simply say, “the insurer said there was contamination, but they never inspected the property.” And then we get to the issue of business income, which is defined as “net income” which is, ”net profit or loss before income taxes” and, “continuing, normal operating expenses incurred, including payroll.” If ever there was an area ripe for a battle of the experts, this is it. Expect the insured to argue for maximum net income while the insurer will claim a lower amount. This is just a brief overview of the issues. Please contact me if you'd like to discuss this in more detail. [1] ISO CP 00 99 10 12 [2] Online Merriam-Webster Dictionary, last visited on April 28, 2020 (https://www.merriam-webster.com/dictionary/direct.) [3] Online Merriam-Webster Dictionary last visited on April 28, 2020 (“https://www.merriam-webster.com/dictionary/physical”) The Texas ISO Commercial Cyber Insurance Policy (CY 00 01 01 18) covers six risks. The first is for a “security breach,” which occurs when:
Key to both definitions is the word, “authorize,” which means, “to grant authority,”[1] or, “to give official permission for or approval to.”[2] The policy’s definition uses the past tense (-ed) meaning permission was granted before the triggering event. To illustrate this concept, I’ll use two fictional characters: John Smith and Main Street Bank or “MSB.” As part of a standard loan application, Mr. Smith granted MSB the right to perform a credit check. In doing so, Mr. Smith signs a document allowing MSB to use Mr. Smith’s social security number. The bank performs the check but keeps Mr. Smith’s number on electronic file. Two years later, the bank is hacked by a third party. The hack is performed from foreign soil where MBS has no employees nor any subcontractor relationship. This clearly triggers coverage number one. Two years later, the loan officer who performed the due diligence for the loan has his laptop stolen. Mr. Smith’s social security number is still on the computer. The person who stole the laptop successfully hacks the computer and sells Mr. Smith’s data. This triggers coverage number two. Security Breach coverage specifically applies to “personal information,” which has two factors
Available means, “able to be obtained,”[3] or something which is, “at hand.”[4] “Not” is “used to express negation,”[5] which means the information isn’t easily obtained. Public is “open knowledge to all,”[6] while general means, “whole or every member of a category.”[7] A "reason" is a “justification”[8] while “any” means, “one or some regardless of kind or quantity.”[9] Combining all these definitions, we get information that any person not personally close to the insured would have any knowledge of regardless of the justification they offered. Here, a good argument can be made that the public would include all people not specifically authorized to have the data. The key word in the next sentence is, “identified” which means, “the collective aspects of the set of characteristics by which an individual is recognizable.”[10] The policy then specifically names certain common identifying data such as a driver’s license numbers, social security numbers, HIPPA protected information, financial account numbers, and the like. The point is that there is key data which can be used to specifically identify an individual. Loss specifically includes the cost of forensics to “establish whether a “security breach” has occurred or is occurring, the cost to notify parties “affected by the security breach,” overtime salaries paid to employees “to handle inquiries from the parties affected,” costs to run a call center to handle inquiries, post-event monitoring, and “any other reasonable expense, incurred by the insured with the written consent of the insurer. [1] The American Heritage Dictionary, Second College Edition, © 1985, pg. 142 [2] The Concise Oxford English Dictionary, © 2004, pg. 88 [3] Oxford, pg. 90 [4] American Heritage, pg. 144 [5] American Heritage, pg. 849 [6] Oxford at 1160 [7] American Heritage, pg. 552 [8] Oxford, pg. 1198 [9] American Heritage, pg. 117 [10] American Heritage, pg. 639  Compare the following two sentences:
Number 1 – the actual text of §163(a) – suffers from the same awkward and convoluted wording of many tax code sentences. The second sentence employs a clear, “subject, verb, predicate” structure that a reader can quickly grasp. While the second sentence is editorially preferable, we’re stuck with the first sentence. The statute’s first four words follow a pattern similar to §162 – a dummy subject followed by a verb phrase where “shall” is substituted for “will,” to indicate future tense. The verb “allow” means, “to let someone … do something.”[1] The complete impact of the first four words is that the government is granting taxpayers permission to do something. Ideally, the next five words would clearly tell the taxpayer what that is. Instead, the next five words (“as a deduction all interest”) are awkward. The drafters want to say, “all interest is allowed as a deduction.” Unfortunately, the prepositional phrase which tells is in what capacity we can treat interest[2] comes before the noun, creating an awkward phrasing that requires several readings to fully understand. “As a deduction” tells how we can treat “all interest.” The statute allows the taxpayer to deduct two types of interest: paid and accrued. Pay means, “to give (money) in exchange for goods or services.”[3] Its past tense is “paid.” This verb invokes the cash method of accounting, which allows a taxpayer to deduct an item, “for the taxable year in which actually made.”[4] Accrued is the past tense of accrue; it is an accounting term of art, which the Treasury Regulations define as, Generally, under an accrual method, income is to be included for the taxable year when all the events have occurred that fix the right to receive the income and the amount of the income can be determined with reasonable accuracy.[5] The payment (whether paid of accrued) must occur “within the taxable year.” "Within" is a preposition which means, “Inside the range of.”[6] The code defines a “taxable year,” as “… the calendar year, or the fiscal year ending during such calendar year, upon the basis of which the taxable income is computed under subtitle A.”[7] The preposition “on” has numerous meanings. It’s use in the phrase “on indebtedness” connotes, “used to indicates a source or basis.”[8] There are several ways to defines indebtedness. I like the definition contained in UCC §3-104(a): “an unconditional promise or order to pay fixed amount of money, with or without interest or other charges described in the promise or order.” While this is the definition of a check, it has the same elements as a debt and is a well-written sentence. [1] Concise Oxford English Dictionary, © 2004, p. 36 [2] Merriam-Webster Online Dictionary (https://www.merriam-webster.com/dictionary/as), last visited on February 13 (as means, “in the capacity, character, condition, or role of.”) [3] The American Heritage Dictionary, Second College Edition © 1985, p. 911 [4] Treas. Reg. 1.446-1(c)(ii) [5] Id; see also 1.446-2 Method of Accounting for Interest [6] Oxford at 1657 [7] 26 U.S.C. §7701(a)(23) [8] American Heritage at 867  In my last post on business deductions, I argued that the statutory language of §162 allows taxpayers to deduct a wide range of business expenditures. The Treasury Regulations support that analysis, largely due to a verb and preposition contained in the opening paragraph of the accompanying regulations.
“Include,” is a transitive verb that means, “to … comprise as a part of a whole or group.”[1] The verb’s object is a member of a larger category of items. For example, “The complete list of Hall of Fame Baseball players incudes Joe DiMaggio.” The verb’s object (Joe DiMaggio) is a member of a larger group (all the members of the Baseball Hall of Fame). The opening paragraph of the §162 Treasury Regulations states, “Business expenses deductible from gross income include the ordinary and necessary expenditures directly connected with or pertaining to the taxpayer's trade or business…”[2] This sentence is clear: the large number of deductions allowed thanks to the adjectives, “ordinary” and “necessary” are part of an even larger group of allowed expenses. The preposition “among” means, “Being a member of members of a larger set.”[3] The preposition’s object (which is usually the word, clause of phrase immediately after the preposition) is part of larger group. The opening paragraph of the accompanying regulations contain the following sentence: Among the items included in business expenses are management expenses, commissions), … labor, supplies, incidental repairs, operating expenses of automobiles used in the trade or business, traveling expenses while away from home solely in the pursuit of a trade or business (see § 1.162-2), advertising and other selling expenses, together with insurance premiums against fire, storm, theft, accident, or other similar losses in the case of a business, and rental for the use of business property. This is a fairly broad list of potential deductions, covering most of the major expenses taken by a business. The preposition “among” means that this list is non-exhaustive – it is part of a larger number of potential deductions. Finally, the Treasury Regulations contain 35 specific entries that explain a number of specific deductions. This is the final piece of evidence supporting the contention that the tax laws grant the taxpayer broad discretion to deduction expenses incurred in the production of income. [1] Merriam-Webster online dictionary, https://www.merriam-webster.com/dictionary/include, last visited on February 11, 2019. [2] Treas. Reg. 1.162-1(a) [3] The Concise Oxford English Dictionary, © 2004, p. 43  §162 grants taxpayers the right to deduct ordinary and necessary business expenses. 162’s text, however, requires us to open a few reference books to completely understand its statutory intent. Here’s the section’s opening sentence:
The word “there” has several grammatical functions; here, it’s used as a pronoun to, “introduce a clause or a sentence.”[1] A more precise definition is to describe it as a, “dummy subject” used to, “assert existence” or “introduce a topic.”[2] The sentence contains the verbal phrase, “shall be allowed.” Shall is a used as a substitute for “will,” a common scheme used in legal writing.[3] “Will” is an auxiliary verb signifying the future tense while “allow” means, “To let do or happen.”[4] This phrase grants the taxpayer permission to deduct “ordinary and necessary expenses.” An “ordinary” expense is “common,”[5] “normal, or usual,”[6] while a “necessary” expense is, “required to be done”[7] or “needed.”[8]The former implies temporal regularity while the latter connotes an unavoidable disbursement. The combined effect of these two adjectives is to grant the taxpayer broad authority regarding deductions.There are few standard or extraordinary expenses a skillful lawyer couldn’t argue weren’t described by either adjective – an interpretation supported by the Treasury Regulations: Business expenses deductible from gross income include the ordinary and necessary expenditures directly connected with or pertaining to the taxpayer's trade or business, except items which are used as the basis for a deduction or a credit under provisions of law other than section 162. The cost of goods purchased for resale, with proper adjustment for opening and closing inventories, is deducted from gross sales in computing gross income. See paragraph (a) of § 1.161-3. Among the items included in business expenses are management expenses, commissions (but see section 263 and the regulations thereunder), labor, supplies, incidental repairs, operating expenses of automobiles used in the trade or business, traveling expenses while away from home solely in the pursuit of a trade or business (see § 1.162-2), advertising and other selling expenses, together with insurance premiums against fire, storm, theft, accident, or other similar losses in the case of a business, and rental for the use of business property.[9] [1] American Heritage Dictionary, 2nd College Edition, p. 1261, © 1985 [2] The Merriam Webster Dictionary of English Usage, p. 899, © 1989 [3] The Chicago Manual of Style, 16th Edition, p. 237, © 2010 [4] American Heritage at 96. [5] American Heritage, p. 875 [6] Concise Oxford English Dictionary 11th Edition, p. 1007, © 2004 [7] Oxford at 956 [8] American Heritage at 834 [9] Treas. Reg. 1.162-1(a) 26 U.S.C. §61 states: Except as otherwise provided in this subtitle, gross income means all income from whatever source derived, including (but not limited to) the following items: This is one of the worst sentences ever written. The definition of gross income – the sentence’s main idea -- is buried between two prepositional phrases. The second phrase’s word order is awkward. Worst of all, the definition contains the word it’s defining. The editorial issues could be forgiven if this were a minor code section. But, §61 is a bedrock concept of the tax code. It should be crystal clear. However, the horrible wording of §61 is what we have to deal with, so let’s return to it, starting with the primary clause: gross income means all income from whatever source derived. The subject phrase “gross income” is a term of art, used throughout the tax code and business. Income is, “the amount of money or its equivalent received during a period of time in exchange for labor or services.”[1] The phrase “or its equivalent” implies an exchange of anything of value, a fact specifically addressed in the Treasury Regulations.[2] The word “gross” means, “Exclusive of deductions.”[3] In the predicate, we’re stuck with the same word as in the subject. But this time it’s modified by the adjective “all” which means, “the entire or total number, amount, or quantity of.”[4] As if this weren’t a broad enough definition, the statute also contains this phrase: “from whatever source derived.” The preposition “from” means, “… to indicate a source.”[5] There, the word source is modified by the adjective, “whatever,” which means, “everything or anything.”[6] The purpose of the statute is to provide the broadest possible of income, forcing the taxpayer to include every item of income unless its specifically excluded by statute. This reading is supported by caselaw as well as the tax code’s outline:  Above is an outline of subchapter B of the code, which includes §61-§291. Part I defines the various types of income while Part III specifically excludes certain types of income. The implication of this outline is that the taxpayer includes every source of income into gross income and then items identified in Part III. If an item isn’t mentioned in that part, it must be gross income.
[1] The American Heritage Dictionary, Second Edition, page 651 © 1985 [2] See Treas. Reg. §1.61-2(d) [3] American Heritage, p. 578 [4] Id at 94 [5] Id 536 [6] Id at 1374 My colleague Jay Adkisson has written a summation of a new domestic asset protection trust case at Forbes. Another colleague, Steve Oshens, has weighed in as well. Mr. Adkisson argues this case is the final nail in the asset protection trust industry; Mr. Oshens argues for a less sweeping interpretation. I counsel against these structures for a number of reasons, which are listed below in no order of importance. 1.) We have yet to see a grantor of a foreign or domestic asset protection trust (APT) win a case. Planners who still like APTs correctly argue that these cases have a potent negative combination: blatant fraudulent transfers and unsavory characters — an admittedly very bad combination of facts. Regardless, there are now a number of decisions where the APT failed when challenged. Why? That leads to point number two: 2.) APTs are bad public policy. At the heart of any case involving an APT is a creditor enforcing a judgment. A court upholding an APT will be opening the door to the idea that a debtor can “have his cake and eat it too;” he can be adjudicated to owe somebody money, have the financial capability to satisfy the debt, yet not do so — and, in fact, have a court say they don’t have to. That’s a detrimental holding in a capitalist economy that depends on credit financing to fuel economic growth. So far, courts don’t want to play. 3.) Point number 2 is derived from the Uniform Trust Code’s commentary to §505 which “… follows sound doctrine in providing that a settlor who is also a beneficiary may not use the trust as a shield against the settlor’s creditors. The drafters of the UTC concluded that traditional doctrine reflects sound public policy.” Several courts that have ruled against APTs have referenced this section of the UTC. 4.) Are courts turning against asset protection planning? It depends on where you do it, but in California they are: As indicated by Defendant’s testimony that prior to filing his bankruptcy petition, he met with an asset protection firm, and one of his goals in doing so, was to potentially protect his assets from potential creditors . . . and while he changed his mind about using the asset protection firm, the evidence of his consideration, meeting and paying the asset protection firm supports a finding that Defendant intended to hinder or delay his nonpreferred creditors. One could argue that this decision should be taken with a grain of salt because it’s from California — a valid point. But, you can see the argument being effective regardless of the jurisdiction. Imagine this line of questioning in a deposition or at trial: Lawyer: And on this date, you saw John Smith, correct? Defendant: Yes. Lawyer: Doesn’t Mr. Smith hold himself out as an “asset protection lawyer?” Defendant: Yes Lawyer: why did you feel the need to consult with him? There’s no answer to this question that can’t be spun in a negative light. 5.) Creditors have a number of well-defined and clearly articulated methods of obtaining a judgment. Even Texas — my home and debtor’s haven — has a statutory path for creditors to obtain a judgment and satisfy it. What usually keeps creditors from pursuing a claim is time (litigation is an inherently long and drawn-out process), money (they will probably have to pay at least a portion of their ongoing legal bills), and effort (litigation takes an inordinate amount of time away from running a business). If a debt is small, it’s far easier to write it off as a business loss (see §165) and be done with it. But an aggressive creditor will eventually get his money. 6.) Every time I hear someone extol the virtues of a spendthrift trust, I’m reminded of the following line from the movie, A Princess Bride:“That word doesn’t mean what you think it means.” A spendthrift provision prevents the voluntary or involuntary alienation of the beneficiary’s interest (§502 of the Uniform Trust Code). So, let’s assume that beneficiary John Smith owes $10,000 to Mr. X. Mr. Smith cannot transfer his interest to Mr. X to satisfy the debt (For more, please see Nichols, Assignee v. Eaton Et Al, 91 U.S. 716, 23 L.Ed. 254 (1875) ). But a spendthrift provision only applies to the trust; once the money is distributed, it can be attached any number of ways. If it’s transferred to a pass-through entity such as a family limited partnership, a creditor can use a charging order to obtain his funds. If the money is transferred to a bank account, the creditor can simply levy the bank account. For a discussion of the procedures in my home state of Texas, please read “Post-Judgment Remedies: Garnishment, Execution, Turnover Proceedings, Receiverships Under the DTPA, and “Other Stuff” by Donna Brown. Ultimately, this gets back to point number 5: an aggressive creditor is going to get his money eventually. 7.) Why would you choose to be shielded behind an APT’s spendthrift provision — which is a new legal concept (in legal years) — when you can use a pass-through entity like an LLC whose liability shield is very well-developed? Brief history: the corporate limited liability shield came about sometime in the mid-1800s. I believe New York was the first state to adopt the concept. It caught on like wildfire and has now been praised as a key concept of a capitalist society (For an in-depth discussion, please see Stephen Presser’s book, Piercing the Corporate Veil). Corporate limited liability is now a very well-developed legal concept developed over hundreds of cases. This is great news for planners because we have exacting detail about what works and what doesn’t. Why not use this area of law — that also has a number of favorable decisions — instead of APT law which so far has issued a large number of anti-APT decisions? Again, these are presented in no order of importance. But with yet another asset protection trust failing when challenged, I believe these points have a great deal of merit. In 2009, F. Hale Stewart, JD. LL.M. graduated magna cum laude from Thomas Jefferson School of Law’s LLM Program. He is the author of three books: U.S. Captive Insurance Law, Captive Insurance in Plain English and The Lifetime Income Security Solution. He also provides commentary to the Tax Analysts News Service, as well as economic analysis to TLRAnalytics and the Bonddad Blog. He is also an investment adviser with Thompson Creek Wealth Advisors. I often refer to reading the tax code as "hop, skip and jump" reading because one paragraph or section of the code will require the reader to reference several other sections in order to comprehend the meaning behind the first code section. §402, which explains the taxation of deferred compensation, is a prime example of this approach. Section (a) states: Except as otherwise provided in this section, any amount actually distributed to any distributee by any employees’ trust described in section 401(a) which is exempt from tax under section 501(a) shall be taxable to the distributee, in the taxable year of the distributee in which distributed, under section 72 (relating to annuities) Section 401(a) provides the relevant rules for a trust to obtain tax-exempt status. By way of quick review, these include certain vesting timelines, minimum participation standards, and non-alienability requirements. Section 501(a) is the tax code section that grants tax-exempt status to certain organizations as well as trusts specifically mentioned in §401(a). And §72 contains the rules for annuities, which provide rules allowing the recipient to not be taxed on his return of principal. In 2009, F. Hale Stewart, JD. LL.M. graduated magna cum laude from Thomas Jefferson School of Law’s LLM Program. He is the author of three books: U.S. Captive Insurance Law, Captive Insurance in Plain English and The Lifetime Income Security Solution. He also provides commentary to the Tax Analysts News Service, as well as economic analysis to TLRAnalytics and the Bonddad Blog. He is also an investment adviser with Thompson Creek Wealth Advisors. The online Merriam-Webster dictionary defines "vesting" as "the conveying to an employee of inalienable rights to money contributed by an employer to a pension fund or retirement plan especially in the event of termination of employment prior to the normal retirement age" The purpose of the vesting rules is to make sure that the money the employee contributes to the plan is his, and can never be taken away. Here, there are actually two rules -- one for contributions made by the employee. These rights are "nonforfeitable" -- they cannot be taken away. The second rules apply to the employer's contributions. The statute contains two approved vesting schedules. The first is the "3-year rule." If an employee has at least three years of service, he has a nonforfeitable right to 100% of the employer's contributions. The second is a schedule based on the years of service:  Due to its somewhat stricter nature, most this schedule is more attractive from the employer's perspective.
|
Link From Our Previous Blog
Archives
June 2020
Categories |
RSS Feed