Category Archives: Accounting Firm

Practical Steps for Advising on BOIR Compliance

When advising clients on filing FinCEN’s Beneficial Ownership Information (BOI) reporting obligations, professionals should offer clear, practical guidance to ensure compliance and mitigate potential risks. 

It is obviously helpful to start out by educating small business clients on the fundamentals of BOIR filing:

   – Who needs to file: Explain that most small corporations, LLCs, and similar entities must comply unless specifically exempt.

   – What needs to be reported: Discuss the required information, such as names, dates of birth, addresses, and ID numbers of beneficial owners (anyone with 25% or more ownership or substantial control).

   – Filing deadlines: Highlight the deadlines—new businesses must file upon formation, and existing businesses have until the start of 2025.

Small business ownership structures can be complex. Professionals should emphasize that beneficial ownership extends to anyone with substantial control, even if their equity stake is less than 25%. For example, CPAs should direct their clients to experts who can help them identify all individuals who qualify as beneficial owners, ensuring no key person is missed. Discuss how trusts are to be handled.

The importance of accurate and up-to-date documentation should be stressed:

   – Maintain records: Recommend that clients keep detailed records of beneficial owners and any changes over time. Establishing a system for periodic updates will help ensure compliance in the future.

   – Secure documentation: Encourage clients to securely store identifying information, such as government-issued ID numbers, to ensure data privacy and protection.

Professionals should inform clients of the risks of non-compliance:

   – Fines and penalties: Non-compliance can result in fines of $591 per day, potentially leading to substantial financial liability.

   – Business risks: Emphasize that failing to comply could lead to regulatory investigations or civil penalties, which can be costly and damaging to the business’s reputation.

For businesses that may find the filing process challenging, you should either:

   – Assist with filing: Offer to help prepare and file the BOIR on behalf of the client or coordinate with professionals focused on such filings.

   – Refer to a compliance specialist: CPAs can also recommend working with a compliance expert or other professional specializing in corporate governance and regulatory filings.

Clients should be told to approach BOI filings proactively:

   – Plan for future updates: Encourage clients to set up procedures for regularly reviewing and updating beneficial ownership information to avoid missing future reporting obligations.

   – Consult early: Suggest addressing BOIR filing well in advance of deadlines to prevent rushed submissions that could lead to errors. Professionals who are diligent and invest the time can easily help their clients navigate FinCEN’s BOI reporting obligations effectively, minimizing risk and ensuring ongoing compliance.

Risks of Non-Compliance with FinCEN’s BOI Reporting Rule

Non-compliance with FinCEN’s Beneficial Ownership Information (BOI) reporting requirement could expose your business to significant financial and legal risks. Here’s what you need to know about the potential consequences of failing to comply with this critical regulation.

FinCEN has the authority to impose hefty fines on businesses failing to meet the BOI reporting requirement. The penalty for non-compliance is $591 per day, with no maximum cap. This means even small delays in filing could result in substantial financial costs if FinCEN targets your company.

Non-compliance with BOIR can be seen as an attempt to obscure ownership information, which could trigger further investigation into potential financial crimes.

Businesses found to be in non-compliance with the BOI reporting requirements may also suffer reputational damage. Investors, clients, and partners expect transparency in ownership structures, and failure to comply could result in a loss of trust and business opportunities.

Non-compliant businesses may find it harder to secure loans, attract investors, or engage in mergers and acquisitions. Transparency in beneficial ownership is becoming a key factor in financial and business transactions, and non-compliance could hinder growth opportunities.

As of today, there are no reported instances of fines being assessed against a company for violation of the BOI reporting rule. Nevertheless, the risks of non-compliance with FinCEN’s BOIR requirement far outweigh the effort of filing. Businesses that take proactive steps to meet the reporting deadlines and maintain accurate information will avoid fines, legal action, and reputational harm. Make compliance a priority to safeguard your business.

Five Common Mistakes to Avoid Before Filing Your BOI Report

Business owners preparing to file their Beneficial Ownership Information (BOI) reports should be aware of common pitfalls that might lead to civil penalties or worse.

The most common mistake is identifying one owner but not identifying every individual qualifying as a beneficial owner. Even if someone owns less than 25% of the business, that person may still be considered a beneficial owner if they hold significant decision-making authority evidencing “substantial control” over the reporting company.

For example, an indirect way to exercise substantial control over a reporting company is by controlling one or more intermediary entities that separately or collectively exercise substantial control over the reporting company. The best way to avoid this mistake is to review your company’s structure carefully and consult an expert if you’re unsure about who is a potential beneficial owner.

Another likely common mistake is submitting incorrect or incomplete details for beneficial owners. Mistakes in names, dates of birth, or identification numbers can lead to rejected filings or regulatory scrutiny – and possibly even fines and jail time if done deliberately. This mistake can easily be avoided by double-checking all information before submission and ensuring you’ve provided accurate and up-to-date details.

A third common mistake is failing to file on time. Businesses underestimate how long the process can take, leading to missed deadlines. For new businesses, filing is required within 90 days after formation or registration, while companies formed or registered prior to 2024 have until January 2025 to comply. Companies can avoid this problem by marking the important dates on the calendar and preparing the filing early, avoiding a last-minute rush and a possible $591 a day fine for an untimely filing.

A fourth mistake is the failure to update information as it changes. As set forth in the applicable regulations, the failure to update beneficial ownership information as changes occur can result in non-compliance. Any changes in ownership or control must be reported within thirty days of the change. This can be avoided by implementing an internal system to track changes in ownership and filing updated reports with FinCEN when necessary.

The fifth common mistake is simply assuming an exemption exists without confirming that it applies. Certain businesses, like larger companies already subject to similar rules, are exempt from the BOI reporting requirement. Assuming you are covered by an exemption without proper confirmation could lead to fines. This can be avoided by double-checking your exemption status against the list of exempt entities or seeking expert advice. For example, even if your company has filed for dissolution, that would not automatically exempt you as an inactive company if that dissolution took place in 2024.

Avoiding these five common mistakes will help ensure a smooth BOI reporting process. By simply taking the time to understand key requirements and double-checking your information, you can protect your business from most of these unnecessary risks.

Preparing Your Business for FinCEN’s BOI Reporting Rule

With the Beneficial Ownership Information (BOI) reporting requirement now in effect, many businesses are wondering how to comply with this new rule issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). Preparing early will help you avoid fines and penalties, ensuring a smooth filing process.

The first step is determining who qualifies as a beneficial owner. This includes anyone who exerts substantial control or has ownership of 25% or more in your business. It’s crucial to assess both direct and indirect control, so be sure to evaluate individuals who might have critical influence over decision-making even if they don’t own a large percentage of equity.

You will need the following details for each beneficial owner:

  • Full name
  • Date of birth
  • Residential or business address
  • A government-issued identification number (such as from a driver’s license or passport)

Having this information on hand before filing will streamline the process and ensure accuracy.

If filing for an entity formed in 2024, you will also need to provide similar details for “applicants”, namely those persons who filed formation or registration documents with the state of formation or registration.

New businesses must file their BOI reporting information upon formation. For existing businesses, FinCEN has provided a one-year grace period to comply, meaning the deadline for companies formed or registered prior to 2024 is January 1, 2025. Don’t wait until the last minute — start preparing now.

Develop internal procedures to ensure ongoing compliance. This could involve creating a system for regularly updating beneficial ownership information when ownership or critical management changes over time.

Consider seeking advice from compliance experts to confirm whether you meet all the requirements. While the BOIR filing might seem straightforward, nuances in ownership or control structures could complicate the process. Ensuring your business is prepared for BOI reporting compliance long before the applicable deadline is exactly the sort of proactive approach that will save you time, reduce stress, and help avoid costly penalties.

What Every Business Owner Needs to Know About FinCEN’s BOIR Requirement

The Beneficial Ownership Information (BOI) reporting requirement, introduced by FinCEN (the Treasury Department’s Financial Crimes Enforcement Network) increases transparency in business ownership with the stated goal of reducing financial crimes such as money laundering and tax evasion. As a business owner, it’s essential to understand what this regulation means for you and your company.

The BOIR rule mandates that certain companies report information about their beneficial owners to FinCEN. A “beneficial owner” is any individual who directly or indirectly exercises substantial control over the company or owns 25% or more of its equity.

Corporations, limited liability companies (LLCs), and similar entities created or registered by a state to do business in the United States are required to file a BOI Report. Larger companies, regulated financial institutions, and inactive companies are exempt because they largely already have to make this disclosure.

Businesses must report identifying information about each beneficial owner, including:

  • Full legal name
  • Date of birth
  • Current residential or business address
  • A unique identification number from a government-issued document (such as a driver’s license or passport)

The BOIR requirement officially went into effect in January 2024, and new companies must file within 90 days after their formation. Existing companies have until the end of 2024 to comply, so it’s essential to immediately start gathering the necessary information. Compliance with FinCEN’s BOIR requirement is a crucial regulatory obligation so take the time to understand these requirements and prepare your business for the upcoming changes.

Constitutionality of FinCEN’s BOIR Requirement

Tucked into the nearly 1,500-page National Defense Authorization Act of 2021 is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336. The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, the Financial Crimes Enforcement Network (“FinCEN”), including Tax ID numbers, dates of birth, government identification numbers and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations. The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to support such a massive information grab.

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional. See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”). As recognized by Judge Burke, there was no State or federal law comparable to the CTA. Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling, which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report, including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”). As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024. 87 Fed. Reg. 59498. Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach, all other businesses operating in the United States that are considered Reporting Companies will have to comply with the Rule.

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-three kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B). In other words, this statute not only targets shell companies involved in criminal conduct or fraud; it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.” 87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For new entities formed or operating in the United States after January 1, 2024, the CTA requires disclosure of the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2). Such filings must be made within 90 days of the relevant state filings, and companies formed or operating in the United States prior to January 1, 2024 have until year end.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A). Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1). Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company,” among other potentially vague criteria. 31 C.F.R. § 1010.380(d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II). Over time, this daily penalty increased to $591 per day.

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.” Mem. Op. at 8. Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.

More specifically, FinCEN’s 2016 Customer Due Diligence (“CDD”) rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a). As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions, seven fewer than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer” and “[a]ny other individual who regularly performs similar functions.” 31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information. The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.”) (emphasis added). See also Pub. L. 116-283 § 6402(6)(B) (134 STAT. at 4604–4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given that the appellate route will likely take well over a year to resolve, and that the NSBA plaintiffs no longer have any injury to adjudicate (which might otherwise have expedited an appeal), it is incumbent on business owners to take the CTA at face value and comply with FinCEN’s implementing regulations.

The NFT Growth Tax

With Amazon launching its NFT marketplace next month (tentatively called the “Amazon Digital Marketplace”), Sotheby’s having already launched a high-end secondary marketplace for “digital artwork”, and Christie’s having launched Christie’s 3.0 last year, a platform allowing for fully on-chain sales that demonstrates “the auction house’s commitment to both artists and collectors in the Web3 space”, programmable digital assets/NFTs are simultaneously entering both ends of the mainstream market.

Probably the most important takeaway from such broad initiatives turns on the fact that foundational brands have decided to supplant the prior NFT free-for-all initiated by PFP projects, artists and collectors. Despite potentially risking the same fate as Dapper Labs, Amazon will rely on a private blockchain that takes credit cards, while Sotheby’s eliminates “NFTs” from the equation altogether to focus on what it calls “digital artwork”, even though digital art has already been around for decades. What is clear is that Amazon’s use of its own “brand worthy” naming convention, “Amazon Digital”, elevates rather than hinders this new ecosystem.

Being swept aside by this establishment wave is OpenSea, the newly displaced old guard and wild-west pioneer who likely never contemplated insider trading as a risk until a former OpenSea manager was recently convicted of it. Not surprisingly, OpenSea offloads tax obligations and refers its users to CoinTracker for tax calculations. OpenSea even explicitly points out to users of the marketplace that “[y]ou are responsible for determining what, if any, taxes apply to your purchases, sales, and transfers of NFTs. If you have specific questions regarding taxes, please consult with a professional tax advisor.” OpenSea’s sole Help Center entry regarding taxes further drives home the point: “Users are responsible for determining what, if any, taxes apply to their purchases, sales, and transfers of NFTs. If you have questions about taxes, please consult with a professional tax advisor.”

In sharp contrast, the government is certainly rooting for reliable tax collectors such as Amazon, Christie’s and Sotheby’s to enter the NFT sandbox. Since 2018, when the Supreme Court overruled decades of precedent, taxation of online sales no longer depends on physical presence within a particular state. The new guard will create the proper recipe for mass profitable usage, namely removing tech geek elements, improving user interfaces, adding brand allure, keeping government happy and remaining on the right side of the regulatory fence.

As Grace Kyne of EY informed attendees at the April 13, 2023 NFT.NYC session “NFTs and Marketplaces: Opening Pandora’s Box”, there are state-specific marketplace facilitator rules that make most marketplaces subject to state tax. Not surprisingly, Amazon is front and center in pointing that hard fact out to its market participants: “Marketplace Facilitator legislation is a set of laws that shifts the sales tax collection and remittance obligations from a third party seller to the marketplace facilitator. As the marketplace facilitator, Amazon will now be responsible to calculate, collect, remit, and refund state sales tax on sales sold by third party sellers for transactions destined to states where Marketplace Facilitator and/or Marketplace collection legislation is enacted.”

In other words, pushing digital asset sales to Amazon is really every state treasurer’s dream.

This should not come as any surprise. Ever since the 2019 tax year, IRS Form 1040 has included a question regarding a taxpayer’s cryptocurrency activity. In 2021, the IRS slightly broadened the scope of its inquiry: “At any time during 2021, did you receive, sell, exchange, or otherwise dispose of any financial interest in any virtual currency?” In 2022, the scope of the latest IRS Form 1040 broadened yet again: “At any time during 2022, did you: (a) receive (as a reward, award, or payment for property or services); or (b) sell, exchange, gift, or otherwise dispose of a digital asset (or a financial interest in a digital asset)?”

In other words, the IRS expressly seeks disclosure of all digital asset transactions and not merely those involving cryptocurrencies. The IRS now wants to know about a taxpayer’s NFT sales and any income-generating activities where digital assets are received as payment. On April 5, 2023, the IRS released IRS Tax Tip 2023-45, which elaborated on this new position regarding a taxpayer’s obligation to report digital asset transactions, including citations to the applicable supplemental forms. By informing taxpayers of their new obligations through tax forms and “tax tips”, the IRS makes it increasingly difficult for them to argue any lack of knowledge on the topic. The easiest approach will always be one which simply assumes all realized digital asset gains are taxable.

And, to the extent there was any ambiguity regarding the more specific tax treatment of NFTs, that might soon evaporate given that the IRS, in its March 13, 2023 Notice 2023-27, seeks to classify most NFTs as “collectibles”, a less favorably treated class of asset for purposes of capital gains and other tax purposes.

Specifically, Notice 2023-27, which seeks comments before June 19, 2023, announces the IRS’s and Treasury’s intention to issue guidance as to whether certain NFTs are “collectibles” under Section 408(m). Currently, the only available categories of “collectibles” under this section are: “(A) any work of art, (B) any rug or antique, (C) any metal or gem, (D) any stamp or coin, (E) any alcoholic beverage, or (F) any other tangible personal property specified by the Secretary for purposes of this subsection.” See 26 USC § 408(m)(2). The IRS recognizes that NFTs do not presently constitute any of the above, including “art”, given that an NFT is not the art itself; it is a digital file pointing to the actual digital art, typically found using an IPFS gateway such as Pinata. Moreover, subsection (F) expressly references “tangible personal property”, so that catchall also does not squarely fit.

While waiting for comments, the IRS will apply a “look-through” analysis: “Under the look-through analysis, an NFT constitutes a section 408(m) collectible if the NFT’s associated right or asset is a section 408(m) collectible. For example, a gem is a section 408(m) collectible under section 408(m)(2)(C), and therefore an NFT that certifies ownership of a gem constitutes a section 408(m) collectible. Similarly, an NFT does not constitute a section 408(m) collectible if the NFT’s associated right or asset is not a section 408(m) collectible. For example, a right to use or develop a “plot of land” in a virtual environment generally is not a section 408(m) collectible, and therefore, an NFT that provides a right to use or develop the “plot of land” in the virtual environment generally does not constitute a section 408(m) collectible.” See IRS Notice 2023-27.

It is not clear whether the “look-through” approach would be limited to an underlying physical asset tied to the NFT or whether it might include potential money-generating components of an NFT. More than likely, however, the relevant IRS section could not be interpreted so broadly as to include future gains unrelated to specific associated assets. Moreover, earning rewards by way of an NFT should not be taxable given that rewards are generally treated as a rebate or discount on purchases, which should be treated no differently than frequent flyer miles.

The lesson for businesses seeking to grow NFT adoption is that market validation and future growth opportunities are now inevitable given that the tax hounds have gotten the scent. To the extent there were any previous regulatory barriers to growth opportunities, those will be lifted so long as the government gets its take.

B2 – B1 < (P x H)1 – (P x H)2

On February 16, 2021, The Sedona Conference (TSC), a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released its final “Commentary on a Reasonable Security Test”. TSC is well known for previously helping courts around the country determine the proper contours of e-discovery.

Recognizing that cybersecurity reasonableness crosses both legal and technology domains, TSC sought a reasonableness test that would help bridge that divide. Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021). To that end, this test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).

The Sedona Conference Reasonable Security Test consists of “B2 – B1 < (P x H)1 – (P x H)2”, where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control. 22 SEDONA CONF. J. at 360. Put plainly, the steward’s security fails the test when the added burden of the alternative control (B2 – B1) is less than the reduction in expected harm that control would have achieved ((P x H)1 – (P x H)2).
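As an added illustration of the inequality above (this is not TSC’s code, nor from the Commentary), the following Python applies the test to a baseline posture and several candidate alternative controls. All names, figures and controls are constructed for the example; an actual analysis would substitute the parties’ own evidence of burden, probability and magnitude of harm.

```python
"""Worked application of the Sedona Conference reasonable security test,
B2 - B1 < (P x H)1 - (P x H)2, to a set of candidate controls.

Added example; all postures, costs and probabilities below are constructed
figures, not values from the Commentary or from any real enforcement action.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """One security posture: the controls in place and the risk they leave."""
    name: str
    burden: float  # B: annualised cost of the control set, in dollars
    prob: float    # P: annual probability that the harm occurs (0..1)
    harm: float    # H: magnitude of the harm if it occurs, in dollars

    def expected_harm(self) -> float:
        """P x H for this posture."""
        return self.prob * self.harm


def margin(baseline: Posture, alternative: Posture) -> float:
    """Right-hand side minus left-hand side of the test.

    A positive margin means the alternative control would have reduced
    expected harm by more than it adds in burden, i.e. the inequality holds.
    """
    delta_burden = alternative.burden - baseline.burden          # B2 - B1
    delta_harm = baseline.expected_harm() - alternative.expected_harm()  # (PxH)1 - (PxH)2
    return delta_harm - delta_burden


def fails_test(baseline: Posture, alternative: Posture) -> bool:
    """True when B2 - B1 < (P x H)1 - (P x H)2, i.e. the baseline posture
    does not satisfy the reasonable security test against this alternative."""
    return margin(baseline, alternative) > 0


def evaluate(baseline: Posture, alternatives: list) -> dict:
    """Map each alternative's name to whether the baseline fails against it.

    The baseline is unreasonable under the test if it fails against ANY
    alternative: a single cheaper, more protective control is enough.
    """
    return {alt.name: fails_test(baseline, alt) for alt in alternatives}


# Constructed scenario: remote access to a customer-data system with only
# passwords in place (posture 1), compared against two alternatives.
BASELINE = Posture("passwords only", burden=0.0, prob=0.20, harm=500_000.0)
ALTERNATIVES = [
    # Cheap control with a large reduction in probability of compromise.
    Posture("mfa on remote access", burden=20_000.0, prob=0.05, harm=500_000.0),
    # Very expensive control; the extra protection does not justify the cost
    # under this test, so the baseline is NOT shown unreasonable by it.
    Posture("full platform rebuild", burden=400_000.0, prob=0.01, harm=500_000.0),
]

if __name__ == "__main__":
    for alt in ALTERNATIVES:
        verdict = "fails" if fails_test(BASELINE, alt) else "holds"
        print(f"{alt.name:24s} margin={margin(BASELINE, alt):>10,.0f}  baseline {verdict}")
```

The useful point the arithmetic makes is the one TSC draws from Learned Hand: the test is comparative. It does not ask whether the steward spent "enough" in the abstract, but whether a specific, identifiable control existed whose incremental cost was smaller than the expected harm it would have averted.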

TSC’s Commentary should be carefully studied for numerous reasons, including the fact that TSC applies the test to actual recent enforcement actions and provides solid arguments for its judicial application. No different than its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in the context of data breach litigation or an enforcement action.

Ransomware Has Officially Become a D&O Problem

On April 30, 2020, ZDNet reported that there have been more than 1,000 SEC filings over the past 12 months listing ransomware as a risk factor, with more than 700 in 2020 alone. These filings include annual reports (10-K and 20-F), quarterly reports (10-Q), and registration forms (S-1).

Even the most sophisticated technology companies now insert the word “ransomware” into their Risk Factors section. See Alphabet, Inc., Form 10-Q, dated April 28, 2020, at 50 (“The availability of our products and services and fulfillment of our customer contracts depend on the continuing operation of our information technology and communications systems. Our systems are vulnerable to damage, interference, or interruption from terrorist attacks, natural disasters or pandemics (including COVID-19), the effects of climate change (such as sea level rise, drought, flooding, wildfires, and increased storm severity), power loss, telecommunications failures, computer viruses, ransomware attacks, computer denial of service attacks, phishing schemes, or other attempts to harm or access our systems.”).   

As reported by ZDNet, companies as varied as American Airlines, McDonald’s, Tupperware, and Pluralsight also list ransomware as a potential risk to their business. 

By inserting the word “ransomware” into a Risk Factors section, reporting companies may have elevated the relevant standard for companies that do not reference ransomware.  By way of background, in October 2011, the SEC began planting cyber risk disclosure seeds when it issued non-binding disclosure guidance regarding cybersecurity risks and incidents.  Back in 2011, the SEC wrote:  “Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”  Seven years later, this non-binding guidance became binding.

On February 26, 2018, the SEC issued binding guidance that recognizes:  “Companies face an evolving landscape of cybersecurity threats in which hackers use a complex array of means to perpetrate cyber-attacks, including the use of stolen access credentials, malware, ransomware, phishing, structured query language injection attacks, and distributed denial-of-service attacks, among other means.”   By expressly listing ransomware two years ago in its Statement, the SEC was making it quite clear that the current threat landscape includes the risk of ransomware and that directors and officers have to address this likely risk.

More to the point, the Statement and Guidance on Public Company Cybersecurity Disclosures instructs “that the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.” 

Not surprisingly, the failure to disclose a prior ransomware attack would also be actionable.  See SEC Statement at 14 (“In meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in the appropriate context.  For example, if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”).

If ransomware incidents were avoided altogether, however, there would be no liability attached to associated filings no matter what was communicated to the market. Moreover, even when attacks were not avoided, little disclosure risk would exist if the company applied best practices to avoid such an incident and provided an accurate accounting of what took place when an incident did take place. To that end, deploying proactive approaches considered state-of-the-art when dealing with ransomware risk will naturally mitigate against any potential SEC disclosure risk.

For example, there is at least one novel solution that can reduce ransomware attacks by anticipating when a compromised system’s ransomware package will be released and then neutralizing the ransomware threat before any ransomware release actually takes place.  By evaluating and deploying such cutting-edge solutions, companies will be well positioned to neutralize any potential shareholder claims – as well as satisfying the much more important task of protecting corporate data and other digital assets.  Thankfully, “it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.”  As with most successful corporate endeavors, management buy-in will typically be the necessary first step.

WannaCry provides a wakeup call for more training on email exploits

On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries.  The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.

Ransomware is quite effective given that it purposefully seeks to panic victims into clicking additional links, thereby causing a user’s system to become infected with more pernicious malware.  For example, after seeing a screen blink on and off several times, ransomware victims may next see the following message on their screen:  “Your computer has been infected with a virus. Click here to resolve the issue.”  Clicking on that link, however, will download additional malware to the system – thereby precluding possible quick fixes to the initial exploit.  It is such additional malware – coupled with very vulnerable legacy systems and procedures – that likely helped WannaCry propagate so quickly.

Given slow patching and continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP.  Although helpful in curtailing replication, timely patching will not completely stem this threat.  Newer exploits such as WannaCry likely exist – and will continue to exist for some time – given that the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March.  In fact, the WikiLeaks-released material includes the source code used to evade anti-virus detection, so entry-level hackers apparently now have the ability to immediately up their game.

Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was hit especially hard by the WannaCry ransomware exploit.  Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients.  In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources – including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry.  Last year, US-CERT offered helpful tips regarding ransomware loss mitigation techniques.

It is suggested that covered entities take HHS’s warnings regarding ransomware exploits to heart.  Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties to HIPAA covered entities should they fall prey to such an exploit.

In addition to security procedures and implementations – such as whitelisting acceptable programs, aggressive email settings, and limiting user permissions – proper training remains the best antidote both to an exploit and to an OCR or other regulatory fine if an exploit ultimately succeeds.  And the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.

Today’s phishing exploits that are being used to transmit ransomware often rely on some other person’s scraped contact information so that they can appear to come from known associates of the user.  These exploits may also use content that appears relevant to the user – such as a bar association communication.  And finally, the links themselves are masked so that it is not even possible to accurately determine where a link takes the user.  Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button.  After exposure to numerous training exploits, users are in a much better position to make sound decisions on how to treat actual exploits.  During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises – any money spent today to build an effective training program will pay significant dividends down the road.
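A defender-side check for the masked-link indicator described above, added here as an example and not part of the original post: it parses an HTML email body (a constructed sample, with placeholder hosts) and flags anchors whose visible text reads as a URL but whose actual href resolves to a different host.

```python
# Added example (not from the original post); sample message and hosts are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                       # open anchor: remember its real target
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:           # inside an anchor: accumulate shown text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain string."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def masked_links(html):
    """Return (visible_text, href) pairs where the visible text reads as a URL
    but the anchor actually resolves to a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.anchors
            if URL_LIKE.match(text) and _host(text) != _host(href)]


# Constructed sample: one honest link, one masked link, one plain "Click here".
SAMPLE_EMAIL = """<p>Your bar association dues are now payable.</p>
<a href="https://www.examplebar.org/">https://www.examplebar.org/</a>
<a href="http://login.example-update.test/verify">https://www.examplebar.org/renewal</a>
<a href="http://login.example-update.test/verify">Click here</a>"""
```

Only anchors whose visible text itself looks like a URL are flagged; a plain “Click here” pointing at the same foreign host passes this check, so it complements rather than replaces the user training the post recommends.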