California Business Law Confidential, March 2012
Cyber Liability—A Real Threat to Your Business
Michaela L. Sozio
The increased involvement of companies and businesses in the on-line world generates increased risk of a business becoming the victim of a cyber attack. In 2011, there was a record number of cyber attacks and security breaches against companies such as Citigroup, Sony, Google, Lockheed Martin and NASDAQ, just to name a few. These security breaches can result in significant costs and liability exposure to a company. For example, the April 19, 2011, hacking at Sony led to the theft of information for 77 million accounts, including credit card numbers. A separate hacking at Sony in early May 2011 resulted in an additional 25 million accounts being accessed. Some reports have indicated that Sony estimates it will lose approximately $171 million in costs as a result of this hacking. There have already been several lawsuits filed against Sony. One suit alleges that just weeks prior to the hacking, Sony was warned of the weaknesses in its security system.
While the Sony hacking and the others identified above were very public, there are a large number of cyber attacks that remain hidden from the public. Indeed, one study found that almost 40 percent of Fortune 500 companies fail to disclose cyber attacks or other security breaches in their public filings. This, coupled with the fact that a cyber attack can be extremely costly for a company, has prompted the Securities and Exchange Commission (“SEC”) to enact new disclosure requirements, which require companies to disclose cyber risks, cyber incidents and/or cyber attacks in securities filings and risk disclosure statements if the information would be important to an investor’s decision about the company. Accordingly, investors will now be able to scrutinize what information is disclosed, the quality of the information disclosed, as well as critique the company’s efforts to safeguard its information.
While companies are aware that they should have an overall cyber risk management policy and procedure in place in order to protect themselves against a cyber attack, a company’s efforts in this regard have become even more important in light of the new SEC disclosure requirements. Businesses need to take affirmative steps to guard against unauthorized data access. If a company’s security measures are obsolete or ineffective, this will certainly become a basis for liability exposure.
As noted, in at least one of the lawsuits against Sony for the 2011 hackings, there are allegations that Sony had been warned of weaknesses in its cyber security just weeks before the cyber attacks occurred, yet Sony allegedly failed to take affirmative steps to correct those weaknesses. The new SEC disclosure requirements will force network security and risk to go beyond the purview of the IT departments and be communicated to the executives. This needs to be done before a security breach occurs. Further, executives of publicly traded companies need to be actively involved in assessing the cyber risks and preventive cyber security measures taken so as to avoid potential cyber-related lawsuits for lack of disclosure.
Some companies are in a quandary as to the nature and extent of what information needs to be disclosed. As a practical matter, a company doesn’t want to disclose too much information regarding its susceptibility to a cyber attack, since doing so could invite a hacker to attack its system and/or result in a dip in its stock. On the other hand, companies could be sued by shareholders for not disclosing enough information, particularly if a company later suffers large losses due to a cyber attack.
The SEC also issued a Disclosure Guidance in October 2011 that outlines its views regarding disclosure obligations relating to cyber security risks and incidents. This Guidance says, in part, that a company needs to provide details as to whether a cyber attack resulted in lawsuits being filed against the company, resulted in loss of intellectual property or technology, harmed its customers, and/or resulted in lost sales.
A company that uses a cloud computing firm will not be insulated from a potential shareholder lawsuit or other liability. This fact warrants additional consideration. First, the business should undertake due diligence measures regarding what security measures the cloud computing company has in place, and such steps should be well documented by the business. A business facing potential liability for a cyber attack that occurs when utilizing a cloud computing firm should be able to demonstrate that it used good judgment and actively assessed the security measures utilized by the outside vendor. Further, while not required, it may be wise for the business to disclose to customers, suppliers and any other party with which it may transmit and/or share data, that it uses an outside vendor for cloud computing. Additionally, when using a cloud computing company, the business should ensure that the contract with the outside vendor contains express indemnity and hold harmless provisions.
With this new potential exposure for shareholder lawsuits arising out of cyber-related issues, it is important that a company ensures that it has the appropriate directors and officers insurance available in the event such a lawsuit occurs. The company needs to be mindful of what exclusions exist and understand the scope of its insurance coverage for a cyber-related claim. If you would like any assistance regarding cyber-related issues, Tressler is here to assist.
The Balancing Act of Employment Eligibility Verification: Employer Obligations v. Anti-Discrimination
Eduardo A.G. Bolt and Agnna Varinia Guzman
The Immigration Reform & Control Act of 1986 (IRCA) requires U.S. employers to verify the identity and employment eligibility of all employees hired after November 6, 1986, and to complete and retain a Form I-9 for each employee (known as employment eligibility verification).
Congress passed IRCA to ensure that employers only hire individuals legally authorized to work in the United States. Since IRCA’s inception, employers have had to balance two competing interests: I-9 obligations versus preventing discrimination in the workplace.
The Form I-9 is divided into three main sections. The first section is completed on the first day of employment by the employee, or by a preparer and/or translator on behalf of the employee. Section two requires that on or before the employee’s third day of employment, the employer must review and record the documents presented by the employee in order to establish identity and employment eligibility on Form I-9.
An employer cannot indicate which documents the employee may provide for I-9 purposes. Rather, the employee chooses the documents to present to an employer in accordance with the List of Acceptable Documents attached to the Form I-9. Only one document from List A is necessary to establish both identity and employment eligibility. Employees who do not provide a document from List A will need to produce one document from List B (identity) and one document from List C (employment authorization).
Section three of the Form I-9 requires reverification of an employee’s employment eligibility. Once an employee’s identity is established, it cannot be reverified. Reverification of employment eligibility is mandated when an employee is rehired by the same employer, has a new name, or prior to the temporary employment authorization expiring. Employers must perform reverification of an employee’s temporary employment authorization no later than the expiration date of the work permit.
Reverification also applies when the employee presents a receipt for the application of an acceptable document (e.g., receipt for a social security card), or the employer has been informed by a federal agency that an employee may not be authorized to work. The following documents do not require reverification: (i) U.S. passport or passport card; (ii) Permanent Resident Card (all versions); and (iii) List B document on the List of Acceptable Documents.
Section three of an employee’s original Form I-9 may be used if the hire date on that form is within three years of the employee’s date of rehire. Alternatively, you may complete a new Form I-9 by indicating the employee’s name in section one, completing section three and retaining the new Form I-9 with the original Form I-9.
B. Documentation & Maintenance
Employers are required to retain an employee’s Form I-9(s) for either three years after the employee’s date of hire or one year after the employee’s termination date, whichever is later. Forms I-9 may be maintained in original paper form and/or in electronic format. Employers should institute a uniform procedure to copy or scan the documents presented by the employees for retention with the Form I-9. All copies of documents should be legible and be stored with the Form I-9 in a secure location separate from the employee personnel files.
Any corrections made by the employer to a Form I-9 should have the incorrect information crossed-out with your initials and date to the side of the cross-out, and the correct information written in the appropriate space. Do not erase, use white-out or make any unnecessary markings (e.g., scribbles) to the incorrect information on the Form I-9. Employers should utilize the most current version of the Form I-9 at the time of the employee’s hire date. The current version, dated August 7, 2009, can be found at http://www.uscis.gov/portal/site/uscis under the link titled Forms. A Form I-9 showing a date of February 2, 2009, is also acceptable at this time.
While complying with their I-9 obligations, employers are prohibited under IRCA from engaging in citizenship/immigration status discrimination, document abuse or national origin discrimination. Employers must refrain from committing discrimination in the hiring, firing and recruitment or referral for a fee. Only employers with four or more employees are covered under these provisions.
A. Document Abuse
Document abuse occurs when an employer verifies an employee’s employment eligibility and, based on the employee’s national origin or citizenship status:
i.) refuses reasonably genuine-looking documents; or
ii.) requests more or different documents than required by IRCA; or
iii.) specifies certain documents over others with the intent to discriminate.
A common example of document abuse is when employers scrutinize and reject valid documents from immigrants. Employers also commit document abuse when applicants who appear “foreign” are required to show documents proving their legal status. The scope of document abuse is wide-ranging; hence, U.S. citizens, nationals and all legal workers (e.g., Green Card or work permit holders) are protected classes.
B. National Origin Discrimination
Discrimination based on national origin is related to a person’s place of birth, country of origin, ancestry, native language, accent and perceptions. It is the exclusion of workers who appear foreign due to their appearance or accent. Discriminatory practices consist of:
i.) copying identity documents for only certain employees;
ii.) scrutinizing documents more for workers who look foreign; and
iii.) utilizing the I-9 verification process to improperly screen out prospective employees.
Similar to document abuse, national origin discrimination is applicable to U.S. citizens and nationals, and all legal workers.
C. Citizenship/Immigration Status Discrimination
Citizenship and immigration status discrimination is the different treatment of individuals who are eligible to work because they are, or are not, U.S. citizens, or because of their immigration status. Protected persons include U.S. citizens and nationals, lawful permanent residents, asylees, refugees and temporary residents. This type of discrimination includes U.S. citizen-only hiring policies (unless required by law, regulation, executive order or government contract), different hiring procedures for U.S. citizens versus immigrants, or preferring unauthorized workers.
An anti-discriminatory practice that employers are urged to undertake entails asking all applicants, either in written form or orally, if the applicant is legally authorized to work in the United States. By doing so, an employer minimizes its liability of committing citizenship or immigration status discrimination.
Employer sanctions become critical when an employer is balancing its I-9 obligations against IRCA’s anti-discrimination provisions. Since employment eligibility verification is aggressively enforced by the federal government, an employer must be mindful of the competing interests of two major federal agencies. First, I-9 paperwork violations and employer sanctions related to knowingly hiring or continuing to employ unauthorized workers are under the purview of the U.S. Immigration and Customs Enforcement (ICE). Second, violations of IRCA’s anti-discrimination provisions will be investigated and prosecuted by the Office of Special Counsel of the U.S. Department of Justice (DOJ). ICE and the DOJ work independently of each other to audit and penalize companies, which results in a “tightrope” for employers between I-9 compliance and workplace discrimination.
A. Civil Penalties
IRCA imposes civil penalties on employers ranging from $375 to $16,000. These penalties apply to:
i.) violations of knowingly hiring and continuing to employ (for each unauthorized worker); and
ii.) citizenship, immigration status and national origin discrimination (for each individual discriminated against by the employer).
Form I-9 paperwork and document abuse violations both incur civil penalties from $110 to $1,100. Cease and desist orders can also be issued to prohibit the employer’s unlawful behavior. Other penalties associated with violations of IRCA’s anti-discrimination provisions are hire, rehire or back pay to an employee, employer training and monitoring, and attorney fees.
B. Criminal Penalties
Criminal penalties may also be imposed on individuals and employers who have engaged in a pattern or practice of knowingly hiring or continuing to employ unauthorized workers. The criminal penalties imposed are no more than $3,000 per unauthorized worker and/or not more than six months imprisonment. If an employer knowingly hires 10 or more unauthorized workers during a 12-month period, in addition to fines, an employer may be subject to up to three years of imprisonment.
The balancing act between an employer’s I-9 obligations and IRCA’s anti-discrimination provisions requires employers to be diligent and conscientious of their employment practices in the area of immigration law. A thorough understanding and proper application of employment eligibility verification is the best preventative measure for minimizing an employer’s liability and avoiding employer sanctions.
Tressler can assist with any questions you may have regarding IRCA.
The “Tax Gap” and Small Businesses
Kristin G. Bagull
The “tax gap” is the difference between taxes owed and taxes actually paid in any given year. The tax gap includes three main components: (1) nonfiling (failure to file a return); (2) underreporting (understating income, overstating deductions); and (3) underpaying (failure to fully pay reported taxes owed). The Internal Revenue Service (“IRS”) periodically conducts research with regard to the tax gap.
Most recently, in 2006, the IRS issued estimates of the tax gap for 2001. The IRS estimated the 2001 tax-year gross tax gap at $345 billion; after enforced and other late payments, the IRS estimated the net tax gap to be $290 billion. This compares to an estimated $1.767 trillion in federal tax paid voluntarily and on time. The gross tax gap estimates translate to a voluntary compliance rate of around 84 percent. According to the IRS, the voluntary compliance rate has remained constant since 1985.
The IRS has focused most of its tax gap studies on the individual income tax return; specifically, on the portions of the return that are not subject to withholding or third-party information reporting. Individual income taxes and employment taxes are the largest component of federal tax revenues. Because many small businesses report their income and expenses on their personal income tax return, the IRS has been particularly focused on scrutinizing the returns associated with small business owners.
Small businesses frequently organize as sole proprietorships, partnerships and S corporations. The income of these types of business entities is all reported on the business owner’s personal income tax return. The IRS estimates that $83-99 billion of the $150-187 billion individual income tax gap for 2001 was attributable to business income reported on the individual income tax return.
In September 2006, following the release of their revised tax gap estimates, the Treasury Department Office of Tax Policy released a comprehensive strategy to reduce the tax gap. In this report, the Treasury Department notes that the IRS estimates identified that more than 80 percent of the gross tax gap relates to underreporting of tax with approximately half of this amount attributable to the underreporting of business income on individual income tax returns. Noncompliance is highest among taxpayers whose income is not subject to third-party information reporting or withholding requirements.
The tax gap estimates have serious consequences for small businesses. Specifically, the tax gap estimates have increased focus on improving third-party information reporting requirements, which have a disproportionate effect on small businesses.
For example, a new law requires payment-settlement entities—banks, PayPal, etc.—to report transactions directly to the IRS. PayPal and similar third-party networks need only to do this for merchants who bring in $20,000 and conduct 200 transactions a year.
These payments are supposed to be reported on a 1099-K to both the IRS and the merchants. Payment processors contested this requirement so much that the IRS announced it would not penalize any entity who failed to comply. Nevertheless, the 1099-Ks are still supposed to go out.
Small businesses might have an obligation under this new law as well. If a small business issues a 1099-Misc to a vendor or subcontractor, it is supposed to exclude any amounts paid by debit, gift or credit card, or PayPal. This could complicate bookkeeping for coffee shops, restaurants and contractors.
Another issue facing small business is the Section 179 deduction. Generally speaking, businesses can choose to treat the cost of certain property as an expense and deduct it in the year the property is placed in service instead of depreciating it over several years. This property is frequently referred to as section 179 property, after the relevant section in the Internal Revenue Code.
Section 179 property is property acquired by purchase for use in the active conduct of trade or business. In 2011, small businesses could expense up to $500,000 in capital expenditures instead of depreciating them over time. This Section 179 expensing limit fell to $125,000 (subject to an adjustment for inflation) this year, and will drop to $25,000 in 2013, unless Congress takes action. While the Small Business Jobs Act of 2010 increased the section 179 limitations on the expensing of depreciable business assets from $25,000 to $125,000, it is still considerably less than in prior years, and it is scheduled to drop even further unless Congress takes action.
As a result of the findings of the tax gap, it appears that the IRS will continue to target small business as it looks for ways to increase tax revenues. Unfortunately, a lot of small businesses do not have the types of resources and technical expertise available to them in order to handle this increase in the reporting requirements. Moreover, as the IRS increases the number of small business owner returns it selects for audit, the problem will worsen as small businesses look to hire competent professionals to assist in such an audit. Small businesses most definitely have increased hurdles they need to overcome as they struggle to remain profitable despite the large increase in administrative expenses they are facing.
If you would like any assistance in business tax planning, please do not hesitate to contact Tressler.
Kenneth J. Zielinski
Simply, the New iPad
At a major event on March 7, 2012, Apple unveiled the new iPad. It’s not the iPad 2 and it’s not quite the iPad 3. Rather, it’s simply “the new iPad” according to Apple. The new iPad looks much like the iPad 2, but is slightly thicker and heavier. As far as technological improvements over the iPad 2 are concerned, the new iPad boasts an ultrafast 4G LTE, a stunning Retina display, and a 5MP iSight camera. According to Apple, the Retina display has a million more pixels than an HDTV and the iSight camera allows you to shoot 1080p HD video. If that’s not enough to garner your attention, for the first time the iPad can act as a personal hotspot for connecting up to five different devices over Wi-Fi, Bluetooth, or USB. Did I mention that it also supports voice dictation? All of that plus much more and it looks like Apple has done it again.
Living Life in the “Cloud”
For all the dreamers out there . . . unfortunately I am not referring to Peter Pan and pixie dust or Mary Poppins’ plush cloud sofa. For all others, here the “Cloud” refers to cloud computing. Although the technology has been around for years, the colloquial term, the “Cloud,” has only recently gained momentum—think Apple’s iCloud. So what exactly is the Cloud? In essence, the Cloud is simply the Internet. Cloud computing refers to the applications and services hosted and run on servers that are connected to the Internet, which are then available to end users who are connected to the Internet. According to Oracle’s Mark Dixon, “cloud computing provides application, database, platform, storage, and computing services in a virtualized utility to enable agile business.” Cloud computing speaks to the ability to access resources and services needed to perform functions. The computing is processed in the “Cloud” via a network of servers and applications across the Internet rather than from a localized endpoint (e.g. the server used for your business). One of the many benefits of cloud computing is that an end user does not have to maintain and support those servers and applications. For example, web-based email is cloud computing. All of your email is stored on servers throughout the world and you can access it from any device connected to the Internet wherever you are. Another example is Apple’s iCloud, which stores your photos, music, documents, and much more in the Cloud and wirelessly sends the information back to your devices. Whether you realize it or not, you are probably already living in the Cloud. So the next time you are at a cocktail party and someone mentions the “Cloud” . . . there’s no need to panic—they are likely referring to cloud computing.
This newsletter is for general information only and is not intended to provide and should not be relied upon for legal advice in any particular circumstance or fact situation. The reader is advised to consult with an attorney to address any particular circumstance or fact situation. The opinions expressed in this newsletter are those of the authors and not necessarily those of Tressler LLP or its clients. This bulletin or some of its content may be considered advertising under the applicable rules of the Supreme Court of Illinois, the courts in New York and those in certain other states. For purposes of compliance with New York State Bar rules, our headquarters are Tressler LLP, 233 S Wacker Drive, 22nd Floor, Chicago, IL 60606, 312.627.4000. Prior results described herein do not guarantee a similar outcome. The information contained in this newsletter may or may not reflect the most current legal developments. The articles are not updated subsequent to their inclusion in the newsletter when published.