By Monica Wahba
Recent highly publicized incidents of "hacking" of sensitive customer information should cause accountants and other financial professionals to re-evaluate the risks to their own electronically stored client information. That confidential client information includes not only personal identifiers (social security numbers, address, birth date, mobile phone numbers) and other personal information (marital status, names, birthdates and social security numbers of spouse and children, and employment information), but personal financial information (salary and benefits data, bank and brokerage accounts and account numbers, PINs, and mortgage loan indebtedness). Today much of this information is in electronic form and much of it is now stored outside of the control of the accounting firm or financial provider itself but, instead, in multiple remote servers (in "the cloud"). Compounding the risks, a number of professionals and support staff at your firm will typically have rights to access this confidential data, and their access, increasingly, may be through remote computers or mobile devices.
While all of this increases the risks of unauthorized access by sophisticated "hackers," the more likely cause of loss of confidential data will be your own employees or inadequate security procedures. According to the 2013 Verizon Data Breach Investigations Report (DBIR), 76 percent of network intrusions involved access through weak or stolen credentials. Many of these intrusions occur through relatively simple methods: loss or theft of a device, failure to use passwords or secure passwords to protect information on the device or computer, failure to logout at the end of a work-day, or inadvertent disclosure of confidential information through social media sites. Where firm "insiders" were responsible for the data breach, half of those incidents involved former employees taking advantage of old accounts or backdoor access routes that had not been disabled. Thus, one of the easiest ways to reduce the risks to your confidential client data may be to tighten up and enforce the use of security controls (for example, requiring strong password protections and encrypting personal data, periodic changes to passwords, and disabling access to data networks once an employee is terminated). So, even if a laptop or mobile phone is lost, stolen or misplaced, the data on it will not be easily available to an unauthorized person. While these suggestions may seem obvious, a recent study found that 87 percent of small and medium-sized businesses do not have a formal Internet security policy for employees.
A data breach may occur but go undiscovered for significant periods of time. The 2013 Verizon DBIR reports that 66 percent of the breaches took months or even years to discover and 69 percent of data breaches were discovered by external parties, including (embarrassingly enough) the firm’s clients or customers. Regular monitoring of the firm’s network and usage, either by in-house IT personnel or an outside IT security vendor, will reduce the time between a breach and discovery. Once a professional firm becomes aware that a data breach has occurred, it is important to establish how it happened, when it happened, and what information may have been compromised. Generally, this requires a costly and resource intensive effort that may disrupt or even interrupt altogether a firm’s normal business operations. According to insurance industry studies, in 2013 half of all data breaches involved the loss of 1,000 records or less but the average cost of even small breaches approached $250,000.
A significant cost item will involve notification of the clients affected by a data breach. Forty-seven states now have statutes requiring a business to disclose a data breach to its customers in that state and promptly report it to regulators. For example, the New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-163 requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if "personal information was, or is reasonably believed to have been, accessed by an unauthorized person." A "breach of security" is defined as the "unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information" when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. N.J.S.A. 56:8-161. New York and Pennsylvania likewise require any business that deals with computerized data that includes private information to disclose to customers in that state any breach of security upon discovery of the breach. Other states, like Arizona, require disclosure only if there is both unauthorized access and misuse of the information.
But the law may not mandate notification in all cases. New Jersey law does not require disclosure to a customer "if the business or public entity establishes that misuse of the information is not reasonably possible. N.J.S.A. 56:8-163(a). Thus, to the extent the unauthorized access is to encrypted data, customer notification may not be required, and even where the data is not encrypted, customer notification may not be required if the firm or business can say misuse of that data is "not reasonably possible." That could well be the case when a stolen laptop computer or smart phone is encrypted, requires a log in code or unique password to access the server or firm database, or when the firm has the ability to remotely disable or "wipe" the data from the stolen device. Best practice would require the Chief Information Officer or an outside IT professional to document the conclusion that misuse is "not reasonably possible," and the New Jersey statute requires that documentation to be retained for five years. The firm should also implement and document appropriate remedial measures designed to prevent a recurrence of the incident. The New Jersey Division of Consumer Affairs has adopted regulations implementing the statutory reporting and recordkeeping provisions. See N.J.A.C. 13:45F.
Even if notification is not required by law, there may be sound business reasons to alert clients and customers in an industry where reputation is critically important. A professional firm will face the threat of major reputational damage from the negative publicity surrounding a significant data breach, and direct client notification will allow the firm to control the communication of such incidents. Apart from damaging publicity, other potential adverse consequences are just as real, including the potential of claims and lawsuits from its clients for the breach, which would only be compounded by a failure to provide notification. The firm should also consider how to address other less direct or immediate consequences, including the potential that the firm would have to disclose the breach in responding to requests for proposals or when competing for engagements; the firm could even be suspended or disqualified from future public sector or government work; that the firm could have difficulty obtaining liability insurance to cover future breaches without high premiums; and that it could face "whistleblower" lawsuits from employees with knowledge of lax or inadequate data security practices or breaches in data security.
Given this parade of horribles, even small professional firms have strong incentives to implement sound risk management practices to control against potential data breaches. Firms should also review their insurance policies carefully to ensure that insurance coverage is available and, if not, consider purchasing "cyber breach" coverage to protect against liabilities in the event of a data breach.
Accountants or other financial professionals who provide expert testimony should keep in mind a few key considerations when preparing for any adversary deposition or cross examination at trial. Many experts do not adequately prepare for questioning on some of these very fundamental areas and, as a result, are unprepared when the questions are asked. Worse, the expert may give ill-considered, incomplete or incorrect responses, which can provide a basis for a jury or judge to discount their testimony. It is always tempting in the press of other business, to defer preparation until the last minute or to assume the deposition or trial date will be changed at the last minute. However, there are many advantages to be gained from thinking about each of these areas well in advance of the examination, reviewing them with the attorney who will be defending the deposition, and developing responses that will protect against impeachment by the opposing attorney. With sufficient preparation, the expert will be able to parry many of these points of potential impeachment, turning them instead into positive statements that bolster the expert’s background and experience.
Generally, attorneys will not expect to score points in this area against a seasoned expert. Moreover, a suggestion of bias or interest is much more likely to be effective on a jury than on a judge at a bench trial. Nevertheless, it is best to anticipate questioning in this vein, which seeks to suggest the expert’s testimony has been shaded to favor the side that has retained her or him. Consideration of these potential problem areas will allow the expert to formulate responses that can blunt any negative inferences.
Is the expert in the business of giving expert testimony? In other words, does the expert "practice" or only "preach?"
Does the expert routinely testify more for the plaintiff or the defense?
Has the expert worked with the party’s attorney on other matters?
Does the expert have, or has the expert had, a business or other relationship with the party? Is the expert the brother-in-law, golfing partner, fraternity brother, neighbor of the party? Does the expert’s firm provide other services to the party or
Has the expert been paid for his or her services to date or is there a substantial unbilled or unpaid amount?
The last item may be a problem for plaintiff-side experts because the fees in advance of deposition or trial may be substantial. Moot any potential issue by dealing with it well in advance of the testimony.
This topic is one that many experts take for granted and do not adequately think about before testifying. The expert should bring a copy of his or her current resume to the deposition. Good practice is to provide a copy to the questioning attorney in advance of the deposition to streamline the examination and allow easy reference to dates, employment history and publications. Before questioning the expert under oath, an experienced attorney may have spent many hours investigating the expert’s background and qualifications. Deposition questioning will focus on uncovering something that can later be exploited at trial.
As to each of the expert’s certifications, what does it mean and what are the requirements? This is an area where the expert can score a number of points and bolster his or her qualifications—that is, provided the expert can state how few others hold the certification, how difficult the credential is to attain, or can show involvement as a member of the certifying organization’s board or other committees. If the identity of the opposing expert is known, the expert may be able to note that the opposing expert lacks the same certification.
Have there been any licensing issues? Opposing counsel will check to confirm that the expert is currently licensed and has not had any disciplinary issues. If there are (or have been) any such issues, the expert must bring them to the attention of the attorney defending his or her deposition.
What articles/publications/presentations has the expert given in the subject area? The expert should review these and make the attorney who will be defending his or her deposition aware of any publications or presentations that may contain statements inconsistent with the expert’s current opinions. Given enough thought, it is usually possible to explain the seeming inconsistency. The expert may even recall that the opposing expert has attended a presentation or cited one of the expert’s articles, thus impliedly "endorsing" his or her credentials.
Has the expert ever been qualified to give an opinion on the proffered subject? The opposing expert will want to know whether those prior opinions involved the same kind of business as the case at hand. Again, with enough foresight, the expert will be able to think about ways in which the issues or facts in those prior cases were similar or related to those in the present case.
Has the expert ever been precluded from offering any expert opinion? Most experienced experts have faced Daubert challenges or motions in limine intended to preclude or limit their testimony. The expert should be candid in identifying any rulings in which his or her opinions were excluded or stricken. Feigning lack of recollection will not help—a judge or jury will likely think those incidents should be rare enough to be memorable. Do not assume that no one will ever find out about such incidents: a diligent attorney will be able to uncover such rulings either through internet research, access to various expert witness databases, or simply calling other attorneys who have represented the adversary parties in those cases. It will extremely unpleasant to be cross-examined at trial with quotes from another judge who has impugned the expert’s prior opinions. If the expert’s opinions have been excluded or limited by a court, the expert should re-familiarize himself or herself with those rulings in order to explain the context in which the ruling was made. Perhaps, the expert was allowed to give other opinions similar to those he or she is proffering in the case at hand, or the decision was overturned on appeal.
This area will be the principal focus of the expert’s examination. The opposing attorney will want to explore both the expert’s general experience and the specific tasks the expert performed in arriving at his or her opinions in the case.
Has the expert ever personally done the thing he or she is opining on? For instance, if the opinion concerns the performance of a financial statement audit has the expert actually conducted an audit? If so, adversary counsel will want to know how many audits, how long ago they were performed, and what kinds of businesses? Generally, the more time the expert spends reflecting on these experiences, the more accurate and thorough the expert’s testimonial response will be and smaller the chance for impeachment. Again, there is no substitute for thinking carefully in advance about how to respond.
Has the expert actually performed the work underlying the proffered opinion? An expert may have relied on a team of subordinates to do research, review documents, and perform calculations. The questioning attorney will probe the specific tasks the expert has personally performed, including which portions of the report were actually written by the expert. Often the expert’s billing records will have been produced in advance to the adversary counsel; these may show substantial hours performed by other people at the expert’s firm The expert should be prepared to defend the use of subordinates on efficiency grounds and as "standard practice" among others in the field. In addition, the expert should confirm his or her thorough involvement in reviewing and signing off on the various steps performed by subordinate personnel.
What information has the expert considered or failed to consider? The adversary attorney will try to "box in" the expert by identifying all materials that were considered or reviewed. The converse of this inquiry is to establish which materials were not reviewed or considered by the expert. To prepare for this line of inquiry, the expert should make sure to understand the source of the documents he or she has relied on in forming the opinions. If the documents are incomplete, or have been generated by the party the expert is supporting, the expert must consider whether opposing counsel could attack the integrity of those documents. If so, the expert should consider how to rebut that suggestion. Often, opposing counsel will question the expert about his or her lack of familiarity with historic information or non-financial information that may relate to customers, key employees, prior or contemplated transactions, and so forth. While such information may be known to the adversary party, it may not easily be available to the expert. The expert should incorporate in his or her responses the obvious reasons why he or she would not have been able to consider such information. The expert should also discuss with defending counsel any relevant materials that were not available or not provided to the expert. If relevant information was not furnished in discovery by the opposing party, the expert should say that in his or her deposition testimony. The adversary party will then have to think about whether to produce the material or face the risk that its failure to produce the material will be an issue at trial.
Has the expert followed the procedures and requirements of his or her profession in rendering the opinion or report? For example, if the expert opinion involves a property or business valuation, opposing counsel will want to establish that the expert has followed the relevant requirements in the Uniform Standards of Professional Appraisal Practice (USPAP).
Has the expert made any mathematical or computational errors? Often such mistakes will resound with a jury, particularly if there are more than a few in the expert’s calculations. However, if the opposing counsel points out such mistakes at a deposition, the expert should take the time to correct them in advance of trial, thus defusing their impact or making them moot.
Is every opinion supported by facts or data so the expert cannot be said to be offering "net opinions?" The opposing attorney will look for ammunition for a potential motion in limine to exclude all or part of the expert’s opinions on the ground they are unsupported by any data or reasoning (but only by the fact that they are given by someone who calls himself/herself an expert). This is an area of potentially grave risk to an expert. If successful, such a motion will result in striking the expert’s opinion altogether or will severely truncate the opinion the expert can give at trial. The expert must be prepared at trial to elaborate on all of the underlying data that provide the basis for the opinions. This area should be the focus of extensive discussing with the attorney preparing the expert’s testimony.
Although opposition to the creation of a separate business court has apparently doomed that initiative, a New Jersey Supreme Court committee has proposed an alternative means of achieving much the same end. The Working Group on Business Litigation recommends expanding a pilot project throughout the state and designating an experienced judge in each vicinage to handle complex commercial cases.
The proposal has the support of the business community and commercial litigators who see it as a means of reducing the uncertainties and delays in complex commercial cases. It is not uncommon for commercial cases to languish for several years without a trial date. That is due to the protracted discovery in such cases, and partly because there are relatively few state court judges with experience in such matters who are available to manage and try such matters. New Jersey trial level judges are often drawn from practicing lawyers who have personal injury, municipal law, or criminal practices, or have mainly worked in the public sector. In addition, the judges are routinely rotated through the criminal, family and civil parts when they are first appointed, giving many newer judges no time to gain commercial case experience.
Legislation to create a separate business court has repeatedly been derailed by concerns that such legislation would violate the separation of powers under the state constitution, giving the legislature control over what has always been the prerogative of the court system. The new proposal would avoid these problems because it would not require legislation or any authorization of new funding. Instead, it would identify experienced judges with an expertise in handling complex commercial cases and designate them as responsible for handling any such cases. Rather than have the parties or their attorneys self-qualify their cases as "complex commercial," the proposal would set a threshold amount of $200,000, subject to the parties’ right to move to include other matters below that threshold. It is estimated that there are fewer than 500 cases per year that would meet the $200,000 threshold. Judges in the program would be required to write two commercial opinions each year. Cases that qualify as "complex commercial" would not be subject to presumptive mediation or arbitration (required for most other civil cases) but the case management judge would encourage the parties to mediate and to select their own mediator.
Assuming Chief Justice Rabner is willing to consider expansion of the current pilot program on a statewide basis, it may result in the de facto establishment of a separate business court within the New Jersey court system.
New Jersey‘s Appellate Division recently upheld the corporate form to shield shareholders from liability, even when the corporation was defunct. GS Partners, LLC v. Venuto, Docket A-4176-12T4 (App. Div. April 28, 2014) involved a claim by a franchisee of Hollywood Tanning Systems, Inc. (the "Company"). In April 2007, several months after the plaintiff acquired his franchise, Hollywood Tanning sold most of its assets, including the franchise business, for $40 million in cash plus some non-cash consideration, including some preferred stock in the acquiring company and contingent earn-out rights. Hollywood Tanning used some of the cash to pay off its creditors but the plaintiff was not a creditor at the time. In June 2007, the remaining cash was distributed to the five Hollywood Tanning shareholders. By September 2008 Hollywood Tanning was insolvent and had ceased doing business, but the Company was never formally dissolved.
The plaintiff filed suit against the Company and two shareholders that were alleged to have made misrepresentations about the franchise. The trial court dismissed the allegations against the individuals on the grounds that their actions were on behalf of the corporation. The plaintiff ultimately obtained a default judgment in the amount of $959,359 against Hollywood Tanning. After obtaining post-judgment discovery in another lawsuit against the Company, the plaintiff brought a new action against the five shareholders, claiming that the June 2007 distributions(i) violated the New Jersey Uniform Fraudulent Transfer Act (UFTA), N.J.S.A. 25:2-31, (ii) constituted an improper distribution of corporate assets under N.J.S.A. 14A:6-12(1)(c), and (iii) had unjustly enriched the shareholders at the expense of those who had valid claims against the Company. The trial court allowed the plaintiff to file an amended complaint in January 2012 but thereafter dismissed all of the claims.
On appeal, the Appellate Division reversed and remanded. The first part of its decision is of less concern for present purposes: the court ruled that the trial court erred in dismissing the fraudulent transfer claims under the four-year statute of limitations because the amended complaint related back to a date within the limitations period. More instructive were the appeals court’s reasons for dismissing the remaining claims against the shareholders.
First, the court noted that the asserted statutory basis for liability—N.J.S.A. 14A:6-12(1)(c)—did not apply. That statute pertained to the liability of corporate "directors who vote for, or concur in" certain corporate actions, including "the distribution of assets to shareholders during or after dissolution of the corporation without paying, or adequately providing for, all known debts, obligations and liabilities of the corporation" (emphasis in original). Slip op. at 12. Given that Hollywood Tanning had never formally dissolved and still existed, the court held that the statutory predicate for liability (a distribution during or after a dissolution) did not exist. The court rejected the plaintiff’s argument that the Company had been "constructively dissolved" when it became insolvent. The appeals court noted that after the distributions, the preferred stock and the contingent earn-out constituted valuable company assets, and Hollywood Tanning continued to collect receivables until August 2008. Indeed, the distributions occurred 15 months before the Company ceased operations and became insolvent.
Second, the court dismissed the claim of unjust enrichment against the shareholders, holding that "New Jersey does not recognize unjust enrichment as an independent cause of action in tort." Slip op. at 13. Even if there were a valid claim, it could not be asserted against the shareholders absent some allegation that would allow the court to "pierce the corporate veil" and disregard the corporate entity. The Appellate Division ruled that the plaintiff had produced no evidence that Hollywood Tanning was a sham corporation whose existence should be cast aside.
GS Partners shows that New Jersey courts will uphold the limited liability protections of the corporate form, even when the equities might militate in favor of imposing shareholder liability.
The United States Supreme Court recently held in Lawson v. FMR (March 4, 2014) that the Sarbanes-Oxley (SOX) whistleblower protections include employees of a public company’s private contractors and subcontractors. The Court’s 6-3 decision concluded that the express language of the statutory provision, 15 U.S.C. 1514A(a), was clear:
"No [public] company . . . , or any . . . contractor [or] subcontractor . . . of such company, may discharge, demote, suspend, threaten, harass, or . . .discriminate against an employee in the terms and conditions of employment because of
[whistleblowing or other protected activity]."
The Court’s construction also was consistent with the intent of the SOX whistleblower provision because outside professionals like accountants, auditors and attorneys bear significant responsibility for reporting fraud by public companies with whom they contract. Indeed, the Court noted that SOX was enacted in part because Congress was concerned that employees of Enron and its outside accounting firm, Arthur Andersen, had attempted to report corporate misconduct but were threatened with retaliation, including discharge. Unless private contractors and subcontractors were covered, "[l]egions of accountants and lawyers would be denied section 1514A’s protections."
What does Lawson mean for accountants and accounting firms?
First, for any accounting services rendered to a public company—whether audit or consulting services—the accounting firm can face new federal civil liabilities when their employees allege they suffered retaliation for reporting fraud or other wrongdoing relating to the public company client. The accounting firm would already have state law liability under the New Jersey Conscientious Employee Protection Act, N.J.S.A. 34:319-1.
Second, the precise scope of Lawson is unclear. The dissenters (Justices Sotomayor, Kennedy and Alito) suggested that the majority’s reading could lead to lawsuits by babysitters against parents who worked at Walmart. But less fanciful scenarios would present harder questions: for instance, would all of the employees of an accounting firm be protected simply because a single one of its professionals had worked on a matter for a public company?
Third, given that Lawson is likely to be expansively construed, employers should make sure their written policies include non-retaliation policies, not just anti-discrimination and harassment policies, and that those policies cover the new fraud-related reports under SOX.
Fourth, train supervisory personnel so they are familiar with the SOX-related whistleblower protections.
Fifth, implement internal complaint mechanisms that will allow the company to deal with any employee reports of fraudulent or illegal activity, and document the handling of such reports.
By Vik Jaitly
The current trend to "outsource" some jobs previously done by employees also carries a number of risks, one of which is that the new "independent contractor" may still be considered an employee. That may have serious implications for the company’s federal income tax, social security and Medicare taxes liabilities. Recently, the Department of Labor (DOL) has undertaken investigations regarding workers who were incorrectly treated as independent contractors, under a new program known as the "Misclassification Initiative." Several of these investigations have led to substantial liability for employers.
The driving force behind this initiative is that misclassified employees are often improperly denied access to critical benefits and protections, including family and medical leave, overtime, minimum wage and unemployment insurance. Employee misclassification also generates substantial losses to the Treasury and the Social Security and Medicare funds, as well as to state unemployment insurance and workers compensation funds.
Beyond the tax consequences, the employee/independent contractor distinction also makes a profound difference in terms of the employer’s liability for civil damages. As a general rule, an employer is vicariously responsible for the wrongs committed by its employees in the scope of their duties. That legal doctrine (respondeat superior) generally does not apply to pin liability on the employer for the wrongs of an independent contractor.
The employee/independent contractor distinction also makes a difference in terms of employment discrimination liability. For example, under New Jersey’s Law Against Discrimination, N.J.S.A. 10:5-1 to -49 (LAD), employment discrimination is prohibited by an "employer." However, the LAD’s definition of "employee" is not very helpful because it provides only that an employee "does not include any individual employed in the domestic service of any person." The relatively undefined term creates substantial uncertainty about who is an "employee" and thus covered under the LAD.
New Jersey courts have consistently found that independent contractors are not deemed employees under the LAD, and are therefore not entitled to its protections. When courts must determine whether a claimant is an employee or an independent contractor, they generally consider factors set forth under New Jersey case law (Pukowsky v. Caruso, 312 N.J. Super. 171 (App. Div. 1998)), which closely parallel those established by the IRS. Pukowsky identifies the following 12 factors relevant to determine whether a worker is an employee or an independent contractor.
(1) The employer’s right to control the means and manner of the worker’s performance;
(2) The kind of occupation—supervised or unsupervised performed by the worker;
(3) The level of skill needed by the worker for the task;
(4) Who furnishes the equipment and workplace;
(5) The length of time the individual has worked for the employer;
(6) The method of payment;
(7) The manner in which the work relationship can be terminated;
(8) Whether annual leave is provided to the worker;
(9) Whether the work is an integral part of the employer’s business;
(10) Whether the worker accrues retirement benefits;
(11) Whether the employer pays social security taxes; and
(12) The intention of the parties concerning the relationship.
Although the employer’s right to control the means and manner of the worker’s performance is usually given greatest weight, the circumstances of each case require a principled application of all of the factors.
In general, the Pukowsky test allows for examination of the extent to which the worker has been functionally integrated into the employer’s business. Several questions elicit the type of facts that would demonstrate a functional integration: Has the worker become one of the "cogs" in the employer’s enterprise? Is the work continuously and directly required for the employer’s business to be carried out, or is it merely intermittent and peripheral? Is the professional routinely or regularly at the disposal of the employer to perform a portion of the employer’s work, as opposed to being available to the public for professional services on his or her own terms? If the answers to these questions are "yes," an employer-employee relationship is more likely to exist.
This analysis echoes the IRS criteria laid out in Publication 1779 (March 2012), which broadly identifies three general categories: 1) behavior control, 2) financial control, and 3) relationship of parties.
The behavior control factor looks to whether the business has a right to direct or control how the worker does the work. A worker is considered an employee when the business has the right to direct and control the worker’s performance. For example, if you receive detailed instructions on how your work is to be done, then you will be deemed to be an employee. If you receive instructions about what should be done, but not details as to how it should be done, you may be classified as an independent contractor.
Financial control is another determining factor of the employee and independent contractor classification. Generally, the test is whether the employer has a right to direct or control the business part of the work. For example, if you have significant investment in your work, you may be classified as an independent contractor.
Further, the ability to realize a profit or incur a loss in performing the work would suggest that you are in business for yourself and, thus, an independent contractor.
Finally, the third IRS category is designed to evaluate the relationship of the parties and, specifically, to see how the business and the worker each perceive that relationship. Among the elements to be considered is whether the worker receives benefits, such as insurance, pension, or paid leave, which would indicate "employee" status. The existence of a written contract, which defines and describes the relationship, is a weighty indicator of the parties’ intent on the issue.
While the issue is not "black and white" in all circumstances, businesses should make sure they classify their workers correctly as either employees or independent contractors, not only for tax purposes but also to understand their obligations—and to limit future potential liabilities—whether under the LAD or under common law tort theories.