The National Association of Minority & Women Owned Law Firms (NAMWOLF), founded in 2001, is a nonprofit trade association comprised of minority and women-owned law firms and other interested parties throughout the United States. Join them for their 2017 Business Meeting in Fort Lauderdale, February 12-14.
The NAMWOLF Business Meeting is a great opportunity to increase your participation and relationships with NAMWOLF Law Firm Members. All attendees further benefit by attending CLE sessions specific to NAMWOLF Member Law Firms’ practice areas, which provides greater insight into each Member Law Firm’s experience and capability to handle complex legal matters. The Business Meeting also provides the opportunity to network with NAMWOLF Leadership, such as the Advisory Council and NAMWOLF Board of Directors. If you have never been to a NAMWOLF event, the Business Meeting is the place to start!
Where: Marriott Harbor Beach, Fort Lauderdale, FL
When: February 12-14, 2017
Certainly by now we can all agree that the Internet has transformed the legal industry, from how you market your law firm to how legal services are delivered. Still, for many lawyers, the Internet is a confusing place with so many options that can either make you or break you. So let me help simplify things for you. Here are five online marketing strategies that are gold when it comes to delivering leads and boosting your brand:
Narrow your choices. Unless you have an unlimited marketing budget, you can’t do it all — SEO, social media, pay-per-click, content marketing, email marketing, etc. If you throw a little bit at everything — the shotgun approach — you are wasting your money. Instead, focus on two things: (1) where your potential clients are, and (2) what you can measure. You have to be able to measure your success (or failure) to discover what works for your area of practice and to be able to build on the successes.
Use Facebook ads. There are 1.4 billion monthly Facebook users and half of those log in every day. One of the most powerful features of Facebook is ad targeting, the ability to layer targeting options on top of one another to create a highly specific audience. This enables you to target locally and get your ads in front of people who need your services now. Facebook ads are low-cost, so you can experiment to see what resonates with your potential clients and then repeat what works.
Capture leads with what you know. There is a vast amount of basic information you know that prospects want. And there are a number of tools available for you to disseminate this information to them, including blogs, eBooks and free reports. Offer these in exchange for contact information as added value and the leads will follow.
Think mobile. If your law firm website is not already optimized for mobile, make that happen fast. Mobile-friendly sites perform better in search results and also provide a better user experience for prospects.
Automate your lead conversion. A comprehensive law firm marketing program that embraces multiple marketing tools – SEO, PPC, ads, email marketing, social media, blogs, etc. – means leads come in from many different sources. If you don’t have an automated way to deal with them, leads will slip through the cracks and all that hard work and financial investment will be for nothing. Small law firms lose tens to hundreds of thousands of dollars every year because they aren’t tracking their leads and quickly following up with them. Mid-sized law firms are losing millions. Lost leads also hurt your reputation with your referral sources if they supplied the referral and your team doesn’t follow through on the lead.
With 2016 in the rear-view mirror, we have been reflecting on the many data privacy and cybersecurity legal developments of the past year, both in the U.S. and internationally, as well as focusing on trends to watch in the new year. With best wishes for a Happy New Year from all of us, we present a number of highlights from 2016, and suggest a few areas to watch in 2017.
U.S. Courts Wrestle With Law Enforcement Access to Data
Debate over law enforcement access to data stored by technology companies was perhaps the most visible privacy and cybersecurity issue of 2016, with far-reaching implications in both the U.S. and abroad. In July, the Second Circuit issued a decision in Microsoft’s challenge to a warrant issued under the Electronic Communications Privacy Act (ECPA), seeking email content stored in Ireland. The Second Circuit unanimously held that ECPA warrants cannot compel U.S. providers to disclose the contents of customer communications stored on foreign servers. In 2017, we expect that decision to have significant implications for U.S. technology companies, as well as consumers and companies that store data with U.S.-based providers. The government has sought rehearing en banc, and also has indicated that it intends to submit legislation to Congress to address the implications of the decision. Congress has considered related issues in the International Communications Privacy Act.
Apple also engaged in a high-profile court battle with the government early in 2016 when the company refused the FBI’s request to unlock a terror suspect’s iPhone, though the dispute ended in March without a court decision when the FBI announced it had accessed the device without Apple’s assistance. Congress continues to grapple with the consequences of that case, including by considering several encryption-related legislative proposals.
U.S. Supreme Court Addresses Privacy Standing in Spokeo
The U.S. Supreme Court issued its highly anticipated decision in Spokeo in May, addressing whether plaintiffs have standing to pursue statutory damages even in the absence of harm under the Fair Credit Reporting Act (FCRA). The Court reaffirmed that constitutional standing in federal court requires “concrete” (i.e., actual) harm and offered several guiding principles to assist lower courts in determining whether standing requirements have been met. Although the case specifically dealt with the FCRA, Spokeo has significant implications in privacy and data breach litigation because numerous federal privacy laws have been construed to allow statutory damages even in the absence of actual harm. Lower courts have begun applying the decision in data breach cases, including a recent district court ruling that a named plaintiff’s allegations that stolen personal information was used to file a false tax return were sufficient to impart standing under Spokeo. In 2017, we expect this process to continue, as lower courts continue to interpret the Supreme Court’s decision.
A New Framework for EU-U.S. Data Transfers
The EU-U.S. Privacy Shield, a new framework for the transfer of personal data between the EU and the U.S., was announced in February and finalized in July. Negotiators in the EU and U.S. worked on an accelerated timeline following the invalidation of the Safe Harbor in late 2015 resulting in the Privacy Shield—a significantly more stringent framework than its predecessor. Companies began self-certifying adherence to the Privacy Shield in August, and as of this post more than 1,300 companies have signed up at the Department of Commerce’s website. In 2017, we see continued uncertainty in this area. The Privacy Shield faces a legal challenge in the European Court of Justice, and another cross-border mechanism—standard contractual clauses—also is subject to an EU court action. The Privacy Shield itself was based, in part, on an exchange of letters between the Obama Administration and the European Commission relating to mass surveillance, and it remains to be seen if the Trump Administration will continue the commitments made in those letters. Relatedly, the European Parliament approved the EU-U.S. Umbrella Agreement in December—a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.
Sweeping New Data Protection Laws Approved in Europe
The European Parliament passed into law the General Data Protection Regulation (GDPR) in April, a sweeping new set of privacy and data security rules that will take effect in mid-2018. Unlike the EU Data Protection Directive which it replaces, the GDPR for the most part will have direct effect throughout the EU without requiring national implementation legislation. Companies doing business in (or with companies operating in) the EU have begun preparing for compliance with the new requirements, and the Article 29 Working Party released the first set of guidance on the GDPR in December. In 2017, we expect the Article 29 Working Party to continue to fill in some of the blanks left in the GDPR, and we also expect companies to intensify their preparation for the mid-2018 effective date of this landmark legislation.
FTC’s Data Security Authority Tested (Again) in LabMD
Following the Third Circuit’s decision affirming the FTC’s authority to regulate corporate data security in Wyndham last year, the FTC sought to further bolster its data security authority in LabMD. In July, the Commission unanimously vacated a prior Administrative Law Judge decision and found that LabMD’s actions were “unfair” under Section 5 of the FTC Act. In November, however, the Eleventh Circuit stayed enforcement of the FTC’s LabMD order, finding that LabMD was likely to succeed on the merits because the FTC’s interpretations of aspects of the FTC Act relating to its data security authority were likely not reasonable. The case will now proceed on the merits, but the grant of the stay suggests that the Eleventh Circuit may be receptive to LabMD’s arguments for ultimate reversal of the LabMD order. This could produce a circuit split between the Eleventh Circuit and the Third Circuit (which decided the Wyndham case), and thereby provide a basis for an attempt to secure Supreme Court review of the FTC’s jurisdiction. Moreover, this case could provide a vehicle for a new FTC, with a Republican majority, to reconsider the agency’s current aggressive approach on “unfairness” as applied to data security.
Newly Established Cybersecurity Requirements and Guidelines
A number of U.S. states and standard-setting organizations issued broadly applicable cybersecurity requirements and guidelines in 2016. In February, as part of the release of its 2016 Data Breach Report, the Office of the Attorney General for California established a de facto standard that companies doing business in California must, at a minimum, adopt twenty specific security controls established by the Center for Internet Security in order to have “reasonable” security practices in California. And New York State proposed first-in-the-nation cybersecurity regulations that contain several mandatory security requirements for financial services institutions—those institutions that are regulated by New York banking, insurance, or financial services laws—which are currently being revised following industry comments and are scheduled to take effect in March 2017.
At the federal level, in October, the Department of Defense (DoD) finalized its safeguarding and cyber incident reporting obligations, requiring DoD contractors to implement specific security controls for information systems that store, process, or transmit DoD’s data and to report actual or possible cybersecurity incidents involving such data to DoD within 72 hours. And in the coming year, similar security controls and reporting requirements will likely be required for all government contractors, as a September rule promulgated by the National Archives and Record Administration (NARA) set the stage for a Federal Acquisition Regulation (FAR) clause that will likely mirror DoD’s requirements. In November, the National Institute of Standards and Technology (NIST) released guidance for small businesses on cybersecurity preparedness, including a list of “recommended practices” that are applicable not just to small businesses, but entities of all sizes.
New Cybersecurity and Privacy Laws and Regulations in China
As expected, authorities in China were active in passing a new Cybersecurity Law and proposing new cybersecurity and privacy regulations in 2016. In November, the Standing Committee of China’s National People’s Congress passed China’s first Cybersecurity Law (the “Law”), which will take effect starting June 1, 2017. Described as China’s “fundamental law” in the area of cybersecurity, the new Law articulates the government’s priorities with respect to “cyberspace sovereignty,” consolidates existing network security-related requirements (covering both cyber and physical aspects of networks), and grants government agencies greater power to regulate cyber activities. It is the first Chinese law that systematically lays out the regulatory requirements on cybersecurity, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny. At the same time, it seeks to balance the dual goals of enhancing cybersecurity and developing China’s digital economy, which relies heavily on the free flow of data.
China’s National Information Security Standardization Technical Committee (NISSTC) drafted a Personal Information Security Standard, a non-binding standard for data privacy and security practices of companies operating in China. The NISSTC also released seven draft standards for comment in December, with a public comment period running until February 2, 2017. The Cyberspace Administration of China (CAC) has also been active in 2016, issuing new rules for mobile apps in July, and draft regulations aimed at protecting minors in cyberspace in October. Finally, in August China’s State Administration of Industry and Commerce (SAIC) released draft regulations for public comment that would amend consumer protection laws to, among other things, supplement existing privacy obligations for companies operating in China.
FCC Releases Broadband Privacy Rules
The FCC’s increasing focus on privacy issues continued in 2016 with the release of broadband privacy rules. The new rules, which were formally proposed in April, regulate the privacy practices of broadband Internet Service Providers (ISPs), including requirements to obtain consent for certain uses of consumer data and to adhere to certain data security practices. The rules were adopted by the Commission in a 3-2 party-line vote in October, so their fate is quite uncertain under the incoming Republican administration. Given that petitions for reconsideration currently are pending before the FCC and will remain so until the change in Administration, these rules could be one of the first areas in which the new FCC makes its mark on the policies of the Obama-era Commission.
Connected Devices and The Internet of Things
2016 saw several developments relating to the Internet of Things (IoT), such as internet-connected refrigerators and thermostats, which present unique opportunities and challenges from a privacy and cybersecurity perspective. In April, the U.S. Department of Commerce issued a request for public comment on the benefits, challenges, and potential government roles for IoT, and the U.S. Senate Commerce Committee approved a bill (which remains pending) to establish a working group to study and facilitate IoT growth. Around the same time, the European Commission released a series of industry-related initiatives addressing IoT, among other things. And in November, NIST released cybersecurity guidance for IoT, and the Broadband Internet Technical Advisory Group released another report detailing the unique security and privacy challenges posed by IoT. In 2017, we expect the focus on connected devices to escalate, particularly given the emergence of driverless cars and other innovative technologies.
A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.
The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.
The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and to join DHS and the FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used as conduits for cyber-attacks on others, as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly targeted and highly credible email packages used in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized,” with wide-ranging potential public policy implications.
On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1
The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report has formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools publicly discussed.
The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.
As part of its call to arms, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.”
The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions, infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report implies that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate, perhaps even well-respected, private and educational organizations.
In the report, DHS and the FBI provide “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.
DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate on-going RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active breaches by the RIS, and may be serving as infrastructure for on-going RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.
The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and matching the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.
The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document the actions and decisions taken in response to it for future reference.
As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.
(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)
The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.
Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software onto the targets’ computer systems when the victims clicked on the links.
At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer, which the group then used to obtain control over the computer’s operating system (via PowerShell commands). The group established “persistence” in the form of difficult-to-detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges,” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.
Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.
A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverage[e] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker who uses them to gain access to the computer and begin uploading malware and conducting exploits.
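As an added illustration that is not part of the original post, the following check screens sender and link-host domains for the lookalike patterns described above (TLD swap, one-character typo, and the real domain buried as a subdomain of another registrable domain). The protected domain yourcompany.com and the sample sender addresses are constructed for the example.

```python
"""
Flag sender or link-host domains that closely mimic a protected domain,
the "closely mimic those of targeted organizations" pattern described
in the DHS/FBI report: yourcompany.co or youcompany.com in place of
yourcompany.com. Constructed example; the protected domain and the
sample addresses below are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Second-level labels treated as part of a country-code public suffix,
# so that "yourcompany.co.uk" reduces to ("yourcompany", "co.uk").
_CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

# Common look-alike substitutions folded away before comparing names.
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def registrable_parts(domain: str) -> tuple[str, str]:
    """Return (name, public suffix), e.g. 'www.yourcompany.com' -> ('yourcompany', 'com')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and labels[-2] in _CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def _fold(name: str) -> str:
    for glyph, canonical in _HOMOGLYPHS:
        name = name.replace(glyph, canonical)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Verdict:
    domain: str
    label: str   # legitimate | tld_swap | typo | subdomain_spoof | unrelated
    reason: str


def classify_domain(candidate: str, protected: str) -> Verdict:
    """Compare a sender/link-host domain against the organization's real domain."""
    c_name, c_suffix = registrable_parts(candidate)
    p_name, p_suffix = registrable_parts(protected)
    if (c_name, c_suffix) == (p_name, p_suffix):
        return Verdict(candidate, "legitimate", "same registrable domain")

    # Real domain used as a subdomain of someone else's registrable domain,
    # e.g. yourcompany.com.account-verify.example
    c_labels = candidate.lower().strip(".").split(".")
    p_labels = [p_name] + p_suffix.split(".")
    for i in range(len(c_labels) - len(p_labels)):
        if c_labels[i:i + len(p_labels)] == p_labels:
            return Verdict(candidate, "subdomain_spoof",
                           "real domain appears as a subdomain of another registrable domain")

    if c_name == p_name:
        return Verdict(candidate, "tld_swap",
                       f"same name with suffix {c_suffix!r} instead of {p_suffix!r}")

    dist = edit_distance(_fold(c_name), _fold(p_name))
    if dist <= max(1, len(p_name) // 8):
        return Verdict(candidate, "typo",
                       f"name is {dist} edit(s) from {p_name!r} after homoglyph folding")
    return Verdict(candidate, "unrelated", "no close resemblance")


# Constructed sample "From:" addresses as they might appear in mail logs.
SAMPLE_SENDERS = [
    "it-support@www.yourcompany.com",
    "helpdesk@yourcompany.co",
    "billing@yourcompany.co.uk",
    "security@youcompany.com",
    "alerts@yourcornpany.com",
    "admin@yourcompany.com.account-verify.example",
    "news@example.org",
]


def scan_senders(addresses: list[str], protected: str = "yourcompany.com") -> dict[str, str]:
    """Map each address to the verdict label for its domain part."""
    return {addr: classify_domain(addr.rsplit("@", 1)[-1], protected).label
            for addr in addresses}


if __name__ == "__main__":
    for addr, label in scan_senders(SAMPLE_SENDERS).items():
        print(f"{label:16} {addr}")
```

Anything other than `legitimate` is a candidate for quarantine or review; the `subdomain_spoof` case is the one a naive "contains yourcompany.com" check gets wrong.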
APT28’s approach appears to have gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.
Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led the DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack led to the discovery of the older, on-going APT29 breach, which may explain why the team responsible for the older breach was assigned the higher reference number.
The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.
Would an organization become civilly liable if, absent good reasons, it were to ignore the tools and recommendations cited in this report and then became (or continued to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims that specific plaintiffs bring against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black eye may represent the greatest cost of all.
Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.
1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”
As has been reported all over, it looks like the Automotive Industry will set some sales records in 2016 (see here, here, and here for example). As summarized by JD Power, “The full-year sales forecast of 17.5 million units would surpass the total from 2015 by about 5,000 units. Light trucks figure into the upsurge, along with higher incentives—eclipsing $4,000 per vehicle for the first time on record—as automakers clear out 2016 model-year vehicles.” When read that way, this news is less encouraging than it appears on its face.
Setting sales records is almost never bad. However, if they are set with huge incentives, discounts, and an intention to clear out inventory, that is obviously not any reason to anticipate further growth in 2017. In fact, a deeper dive into the numbers shows some slightly less favorable statistics. For example, the Wall Street Journal reports that “Retail sales, which strip out sales to fleet buyers, such as rental-car companies, were expected to reach 14.1 million units for the year, a 1.2% decline from 14.2 million units in 2015.”
What will 2017 bring?
There is no reason to think that sales will set another record. The automotive industry is very cyclical, and higher incentives, higher inventories and deeper discounts may sell more vehicles in the short run but often lead to reduced profitability and lower sales in the long run. Is your company planning for potentially slower sales in 2017? What have you done with your supply chain and customers? If you have not already planned for the second half of 2017, or even the start of 2018, you are likely already behind.
© 2016 Foley & Lardner LLP
President Obama Authorizes Additional Sanctions on Russian Individuals and Entities: Executive Order 13964
Originally, EO 13964 focused on cyber-enabled malicious activities that harmed or significantly compromised the provision of services by entities in a critical infrastructure sector. This included significant disruptions to the availability of a computer or network of computers, or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
In light of Russia’s recent use of cyber means to undermine democratic processes, the president has amended the EO to cover additional activities, authorizing sanctions on individuals/entities who tamper with, alter, or cause misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. Under this authority, the president has sanctioned nine entities and individuals, including two Russian intelligence services (the GRU and the FSB), four individual officers of the GRU and three companies that provided material support to GRU’s cyber operations.
These new sanctions highlight the importance of regular and diligent screening of transactions, as well as the need to periodically review existing screening practices to ensure that they are up to date. It is critical to remember that an individual who may have been an acceptable business partner one day may be on a sanctions list the next.
©2016 Drinker Biddle & Reath LLP. All Rights Reserved
Several notable tax court opinions were issued in 2016 dealing with a variety of substantive and procedural matters. In our previous post – Year in Review: Court Procedure and Privilege – we discussed some of these matters. This post addresses some additional cases decided by the court during the year and highlights some other cases still in the pipeline.
We have also written frequently on the 3M case, which involves whether the Internal Revenue Service’s (IRS) blocked income regulations are valid. That case has been submitted fully stipulated to the Tax Court and all briefs have been filed. For prior coverage, see here, here, and here.
Practice point: Transfer pricing is a point of emphasis with the IRS. Given that slight changes to a taxpayer’s transfer pricing methodologies can produce substantial adjustments, taxpayers need to continue to monitor judicial developments in the area. This includes not only how courts view the arm’s length standard, but also taxpayer challenges to the IRS’s rulemaking authority.
The Administrative Procedure Act and Deference to IRS Interpretations
Following the Supreme Court’s 2011 Mayo opinion, taxpayers have increasingly turned to the Administrative Procedure Act (APA) to challenge IRS actions. In addition to the posts linked above regarding APA challenges in transfer pricing cases, we have written about the QinetiQ and Ax cases dealing with whether an explanation provided in a notice of deficiency is insufficient under the APA. See here and here. Additionally, the Supreme Court provided guidance in a non-tax case regarding the proper application of the APA in analyzing the validity of agency regulations.
Another area we have frequently posted on is the level of deference afforded to IRS interpretations. Discussions of general deference principles and cases decided in 2016 can be found here, here, here, here, and here. Additionally, as we noted here, the Supreme Court recently granted certiorari to decide the limits of Auer deference.
Practice point: Whether the IRS’s position in published or unpublished guidance is afforded deference, and, if so, the appropriate level of deference, is important to taxpayers both in planning their transactions and defending them before the IRS and the courts. This area continues to evolve, particularly in the area of Auer deference, and taxpayers need to be aware of new developments.
Information Reporting Requirements
The IRS’s Offshore Voluntary Disclosure Program (OVDP) remains a tool for noncompliant taxpayers to come to the IRS to resolve outstanding tax reporting matters. For an update on this subject, see here. The release of the Panama Papers in April 2016, which we wrote about here, received considerable attention. A recent opinion out of a district court in California also provided more guidance on the willfulness standard for failure to file foreign information reporting forms. See here.
Practice point: OVDP remains open, but it could be closed by the IRS at any time. Noncompliant taxpayers need to consider all options in this area, and should consider which option might be best depending on their specific situation.
The IRS has been increasingly asserting penalties in cases. We recently discussed here some of the penalty procedural rules at issue in the Graev case. We also discussed the substantial authority defense, as applied by the Fifth Circuit in Chemtech Royalty Associates. See here.
Practice point: Taxpayers who are facing penalty determinations and assessments should consider whether they may have any procedural challenges to the IRS’s method of approval and assessment of penalties, in addition to considering the more standard, substantive defenses like reasonable cause and substantial authority. It is important to adequately document your position before taking a tax return position, to avoid any initial assertion of penalties by the IRS.
Register for the 24th Annual Marketing Partner Forum January 25-27: Client Collaboration & the New Rules of Engagement
In January 2017, Marketing Partner Forum returns to Terranea Resort in Rancho Palos Verdes, CA for a three day summit on law firm marketing and business development set against the breathtaking Southern California shoreline. Marketing Partner Forum will welcome law firm marketing partners, rainmakers, practice group heads, business development leaders and esteemed corporate counsel for a dynamic and vibrant conference designed for the industry’s most experienced professionals.
Call to register: 1-800-308-1700
Marketing Partner Forum is designed for client development partners, rainmakers, and the senior-most legal marketing and business development professionals across the legal industry. Our content reflects the experience and sophistication of our international audience in terms of rigor, ambition and scope. Attendees can expect to hear from venerable thought leaders both within and outside of the legal industry. Enjoy ample networking opportunities and the stunning scenery, golf course, spa and hiking trails at one of California’s most picturesque resorts. Take advantage of our brand new Marketing Partner Conference Track consisting of several compelling sessions designed specifically for the law firm partnership. Interact directly with senior clients and network for new business. Explore the brand new Marketing Partner Forum Technology Fair. Bring your family to our Thursday night reception and Friday Bloody Mary Brunch. Depart the event with practical takeaways to share with peers and firm leadership.
A federal district court recently issued a preliminary injunction barring enforcement of a rule prohibiting the use of pre-dispute arbitration agreements with patients in long-term care facilities that participate in Medicare and Medicaid programs.
The new rule, promulgated by the Centers for Medicare and Medicaid Services (CMS), would have taken effect on November 28, 2016. It would have prohibited (1) entering into pre-dispute arbitration agreements, and (2) requiring the signing of an arbitration agreement as a condition of admission. The injunction was granted by U.S. District Court Judge Michael P. Mills, who sits in the Northern District of Mississippi, at the request of members of the nursing home industry to stop the rule from taking effect while it is being challenged in court. In their lawsuit, the American Health Care Association and four other state and local health care groups claim that CMS and the Department of Health and Human Services overstepped their authority in issuing the rule. Specifically, the plaintiffs contend that Congress has repeatedly rejected legislation to invalidate arbitration agreements, and further argue that the rule is not necessary to protect the health and safety of nursing home residents.
In entering his order, Judge Mills did concede that the CMS rule appears to be based on “sound public policy.” Some nursing home residents suffering from ailments such as dementia may not have the capacity to grasp what an arbitration agreement entails, and the admissions process is inherently stressful for residents and their families; on that basis it can be argued that arbitration and the nursing home admissions process do not belong together.
However, in granting the injunction, Judge Mills stated that, as sympathetic as the court may be to the public policy considerations that motivated the rule, it is not willing to allow the federal agency to overstep its executive authority and “engage in a rather unprecedented exercise of agency power. The court is unwilling to play a role in countenancing the incremental ‘creep’ of federal agency authority beyond that envisioned by the U.S. Constitution.”
The nursing home industry has said that arbitration offers a less costly alternative to court. Facilitating more lawsuits, the industry has said, could drive up costs, forcing some nursing homes to close. Lawyers representing residents, however, state that people being admitted to nursing homes are often at the most stressful juncture of their lives and are not equipped to understand what they are being asked to sign. Regardless of whether one believes that striking down the rule would help the nursing home industry reduce its legal costs, or that the rule assists the families of nursing home residents in obtaining justice, it is clear that the court’s grant of the injunction, as well as the impending decision in the underlying case, will have an impact on the future of the nursing home industry.