This is a follow-up to an article that I wrote in March of this year concerning captive insurance companies. I simply write this as a warning or caution to emphasize that the IRS is aggressively reviewing these companies, even more so when they are used as investment plans.

The IRS is aware that captive insurance companies have been used improperly. They believe captive insurance companies are being used as fraudulent tax shelters. While many of these captive insurance companies serve legitimate purposes, some do not. The IRS has assessed additional taxes, penalties and/or interest on thousands of taxpayers. The IRS rules require filing Form 8866 for these investments, so please see a knowledgeable CPA about these matters. The penalties for failing to file Form 8866 can be $200,000 for a business and $100,000 for an individual.

If you are starting a captive insurance company or considering investing in one, make sure you get a good legal opinion that there exists a legitimate purpose for the entity. If you are selling shares in a captive insurance company as an investment or tax shelter to your clients, another opinion as to the legitimacy of the business purpose is warranted.
 
Also, if you received a notice from the IRS, simply stopping additional funding into the captive insurance company or investment plan in the captive insurance company does not solve the problem. This is because you are continuing to receive a tax shelter for the money already invested. An IRS notice is definitely cause to seek counsel and an experienced CPA.
             
If you have any questions about captive insurance companies please contact me at jmcguire@c-wlaw.com.
 
 
Captive insurance companies are becoming more widespread in business today.  We see captives being used to save businesses money by reducing premiums; they have been used in asset protection plans, and they have been used as tax shelters.  Just what is a captive insurance company?

In its essence and simplest form, a captive insurance company is a wholly owned subsidiary of a parent company.  The parent company pays premium to the captive that would otherwise have been paid to an outside insurance company.  The captive then covers the claims made against the parent company.  This is the self-insured use of the captive that large companies have used for many years.  Most major companies and universities have formed their own captive.  Today, captives can be much more diverse and do not have to be owned by one parent company.

When used as insurance, the idea is that the parent company benefits from the good performance of the company rather than the outside insurance company.  If the premium is $10,000, for example, and there is $5,000 in claims in a given year, the company will have a $5,000 surplus.  If, on the other hand, there is $15,000 in claims paid on that same premium there would be a $5,000 loss.  For this reason, most captives will purchase reinsurance or excess insurance to cover claims in excess of a certain amount.  Alternatively, some captives have reserves that have grown large enough over the years that they can absorb such losses.

In 2002, the IRS issued guidance on how to establish a captive in compliance with the tax code.  This allowed many smaller companies to save money by establishing captives.  For instance, many companies have formed captives to administer their health insurance.  This has also opened the door for other legitimate uses by smaller companies.  In addition, several companies and/or individuals can get together and form a captive of their own.

When marketed as an investment vehicle or asset protection device, the fact that a captive can potentially reduce income taxes and be transferred estate tax free to heirs are strong selling points.  However, the idea behind the captive is not to use it solely as an investment or asset protection vehicle.  My firm can assist you in forming captives for companies to insure against potential risks.  The IRS does look for abuses such as a captive that insures for a risk that the parent company does not have.

If you are considering a captive you will want to consider how it will be established and run.  You should have an attorney, CPA, and actuary who are familiar with the process during the formation.  There are companies that, for a fee, will administer the insurance program for you.  You must be prepared to handle claims and comply with insurance regulations, so having an experienced administrator is important.  There are also companies that will adjust your claims and handle the entire claims process.  No company should do this on their own.

Additionally, when considering a captive you need to determine which risks you wish to insure.  You may only want to cover health insurance or maybe workers’ compensation.  Also, a benefit of a captive is that you may be able to insure more than traditional insurance would insure if you choose to do so.  Many traditional insurance policies have exclusions that prevent a recovery and you do not have to write those into your own policy.  Waiting periods and caps can be changed to suit your preference and potentially cover your true business loss.

There is a strong potential for abuse through misuse of a captive.  They are subject to audit but the IRS does not audit a large percentage of the captives that currently exist. However, that may change as the IRS continues to look closer at captives.  Therefore, it is important that the company be set up and administered properly.

If you have any questions about captives please contact me at jmcguire@c-wlaw.com.

 
 
The following is an article which I wrote and was recently published via email by the PICPA.

Lost Your Smart Phone? Now What?


So much data is stored on phones, laptops, and other electronic devices that a loss can be devastating. FBI statistics indicate that a laptop is lost or stolen every 53 seconds. That is more than 10,000 every week. This statistic must be higher in the case of smart phones. In its 2003 Global Information Security Survey, Ernst & Young found that one-third of corporate chief technology officers indicated that they do not have insurance coverage for cyber events, and another 22 percent did not know if they had coverage. These numbers are frightening considering how much information we store on these devices.

I can’t emphasize enough that you should consult with an attorney about your actions if you find yourself in this position, but I am realistic enough to know that many of you will not. Perhaps this article will help you make more informed decisions, but please keep in mind that this article barely touches the surface of the numerous considerations that are dependent on your specific circumstances.

From the moment an electronic device is placed in your hand, you need a well-thought-out procedure for how to handle its loss. Things to consider include what state and federal laws apply, and what are the legal requirements for reporting a loss. Compliance with the law is just the beginning. If not required under the law, should you still report the loss to your clients? Will you report to the authorities? Do you have security in place, such as the ability to wipe the memory on the device remotely or any tracking software? Do you need to cancel credit cards or change passwords? There is much to consider.

When an item goes missing, the first step is to determine whether it was lost or whether it may have been stolen. The response is dependent on the circumstance. Also, if stolen, can you determine if it was taken for the device or the contents of the device? If stolen, do you contact the police or some other agency? Further, do you contact the press, shareholders, or your employees?

I’ll state again that you need to contact your attorney, and that may be the first contact you should make. Contacting your insurance company also will help you determine if you have coverage that will protect your loss. There are a number of types of insurance that may provide coverage, but general liability and most standard policies will likely have exclusions. This is something to consider prior to any loss. There is one other must-contact, in my opinion: your computer consultant. The consultant can help you navigate the security issues and determine what data may be or has been breached.

Know that once you notify any outside entity, you will begin to lose control. This will matter if you are attempting to avoid bad publicity or negative information going to your clients. Regardless, you may be required to notify clients, depending on the circumstances. The Pennsylvania Breach of Personal Information Notification Act (BPINA) will apply if you have a Pennsylvania company with a loss in the state and the affected clients are Pennsylvania residents. The requirements that apply if the device is lost outside the state, or if some of the clients live in other states or jurisdictions, are still an evolving area of law. The BPINA, effective in 2006, requires notification if personal information (as defined by the statute), which is unencrypted and unredacted, is “reasonably believed to have been accessed and acquired by an unauthorized person.” This is certainly not a bright line test and is subject to interpretation. There are some exceptions to the reporting requirement that have to be considered. How and when do you notify, what information you provide, and whether you must do anything else should all be considered.

The type of data on the device will make a difference as well.  Medical records are subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), both of which may apply to a CPA firm that provides services to a hospital or other medical provider. There are other federal statutes that may have notification requirements, too. 
 
Violations of these laws carry some harsh penalties. Violation of BPINA, for instance, is deemed a violation of the Unfair Trade Practices and Consumer Protection Law, is prosecuted by the office of the attorney general, and carries penalties that include treble damages and attorney’s fees.

If the decision is made that there is no legal requirement to notify clients, then whether to notify authorities becomes a tougher question.  Although convictions are made in about one in 10 of these types of thefts, they may be highly publicized by the police and prosecutor as they try to use the case as a deterrent. This must be considered. 
 
It is easy to say that passwords need to be changed, accounts closed, and credit cards canceled if that information was on the device, but it is easier said than done. Do you even know which of this information is on the device in some form? Another consideration, and one that you will want to make in consultation with your IT experts and possibly the authorities, is whether to keep any of these accounts active but have them alerted so unauthorized access can be traced.

The loss of data and the potential data breach can lead to numerous expenses. Losses and expenses include the cost of lawyers, the cost of a forensic audit, loss of reputation, cost of IT services, and the cost of credit and identity monitoring. There is also considerable loss of productivity from dealing with these issues.

It is important to be proactive, and consider some of these items prior to any data loss:
     -    Data encryption and other security measures
     -    Insurance to cover any losses
     -    Insurance to cover regulatory fines and penalties
     -    Communication plan
 
I hope you will consider the points in this article before you encounter the loss of a device. You certainly will be considering them if such an event occurs.

Jeffrey T. McGuire, JD, is a partner with Cipriani & Werner PC in Lemoyne and serves as legal counsel to the PICPA. He can be reached at jmcguire@c-wlaw.com.

 
 
Not that long ago I blogged about the new requirement for dentists to carry professional liability insurance.  Now Pennsylvania has added prosthetists, orthotists, pedorthists and orthotic fitters to the list of medical professionals required to maintain professional liability insurance.  In fact, these professionals are now under the oversight of the Pennsylvania State Board of Medicine [Board] and will require licenses by 2014.
 
Governor Corbett signed HB 48 of 2011 into law on July 5, 2012.  This bill was supported by the Pennsylvania Orthotics and Prosthetics Society [POPS], Pedorthic Footwear Association [PFA], National Orthotic Manufacturers Association [NOMA], the Pennsylvania Orthopedic Society [POS] and the Hospital and Healthsystem Association of Pennsylvania [HAP].  With its passage, Pennsylvania joins more than a dozen states including Ohio and New Jersey in regulating the practices of prosthetics, orthotics and pedorthics.
 
The bill, as passed, is poorly written.  This is probably partially due to edits during the legislative process and the fact that part of it was standard language drafted on a national level which was cut and pasted into the Act.  Representative Scavello’s press releases indicate that beginning in 2014, in order to be licensed as a prosthetist and orthotist an individual will be required to have at least an associate’s degree in prosthetics or orthotics and an additional two years of education or a bachelor’s degree and meet a work experience requirement that is two years or 3,800 hours of patient care.  Further, each licensee will need to pass an exam and other requirements as set by the Board.  Pedorthists and orthotic fitters must complete a Board-approved entry-level education program specific to their field and have a minimum of 1,000 hours of supervised work experience.
 
There is also a requirement that a licensee must be of “good moral character”.  Further, an applicant cannot “be addicted to alcohol, narcotics or other habit-forming drugs.”  Nor can the applicant have a conviction for a felony under the Controlled Substance, Drug, Device and Cosmetic Act.  Please contact me if you need assistance navigating the application process.  Once granted, the license must be renewed every two years.
 
There is a grandfather provision that will allow current practitioners to obtain a license as well. Current practitioners have to apply within two years from the effective date and must meet other criteria which are unclear from the language of the statute as passed.  Representative Scavello has indicated that they must either be holding a current national certification or have been in continuous practice for three years to qualify.  However, the statute also lists requirements for education and training and actually requires both the certification and three years of experience.
 
Finally, under this act, all licensees are required to maintain one million dollars of professional liability insurance. 
The statute requires the Board to establish appropriate regulations within eighteen months and I have been told that the Board has started to draft regulations.  Hopefully, the statute will be amended and we will have regulations that will clarify the licensing requirements.

If you need any licensing advice or advice interpreting this statute pl

 
 
As counsel to numerous professional firms and associations I am asked frequently about cyber risk.  As technology advances we have more and more information stored in electronic devices and in the so-called “cloud.” Cyber risk is of particular concern for professionals like CPAs and attorneys because they have confidential client information like Social Security Numbers and financial information. There is no prohibition on maintaining our data electronically and particularly in the cloud; however, we must be aware of the risks and take reasonable precautions to protect our data and particularly our clients’ confidential information.  As professionals we must remember that our clients trust us and we have to make sure that trust is not misplaced.

Clients have an increased expectation that we are available 24/7 and that we have all their information at our fingertips to answer their questions and respond to their concerns. Therefore, we are more and more dependent on technology and storing more and more information, which is available remotely. This makes our data subject to increased cyber risk.  The first question is, are we prepared for the risk? Generally, the answer is that firms are not.  They are not fully aware of the risk and are not prepared for it.  The second question is, are we prepared to respond to a breach of our data?  Again, generally, the answer is that firms are not.

Any size firm is subject to cyber risk.  The statistics are alarming.  Identity theft and security breaches are on the rise.  The cost to respond to a breach has been reported up to $204 per record with an average cost of $2.4 million per breach.  The cost to respond to a cyber-breach can be staggering.  The damage from a cyber-breach can be tremendous. Ignoring just the financial cost of responding, there may also be bad publicity, loss of productivity, and loss of reputation.

Now, I generally don’t use text messaging for work, but where are those messages stored and how safe are they? When we are using technology we need to evaluate the risk and what, if any, safeguards are in place.  I just assume Verizon has those text messages secured on their end, but what about my phone? If my phone is stolen, everything that I have texted and not deleted is open for reading.  But do I have access to wipe the phone’s memory remotely? These are questions we need to answer about all our devices.  Do we have an inventory of all the devices that are subject to cyber risk?  (Every server, desktop, laptop, iPad, cell phone etc.)  And not just company-owned devices, but also personal devices that have access to company data.  Do we have an inventory of the types of data on each device? (Documents, emails, contact information, texts etc.)  Do we have an inventory of what data of each type is on each device?  Without all this information, we can’t fully appreciate the cyber risks involved.

Of course, there is insurance available to help with some of the risk.  From a professional firm’s standpoint, insurance is about spreading or lessening risk.  There are several types of policies available and I suggest any firm consult with their insurance broker about the type of insurance that might work best for them. Fortunately, this type of insurance is not expensive, because although incidents are on the rise, there is a relatively low incident rate.  Unfortunately, as touched on above, the losses can be extremely high, so be careful that your policy will cover the full extent of the loss.

 The reality is that professional firms need to spend time addressing their cyber risk.  They need to catalog their data and determine action plans to prevent the loss of data and to respond to any loss. I recommend you address these issues immediately in consultation with your computer experts, your insurance broker, and your attorney.

Since posting this blog, the following exchange took place on LinkedIn, which you may find helpful:

Jeffrey - it is far less costly and much more effective to implement appropriate (i.e., cost vs countermeasures; reduction of risk to an acceptable level) information system security policies, procedures and countermeasures than to purchase insurance policies. Properly implemented, an adequate IS security program will obviate the need for additional insurance and go much further to prove prudent managerial action (for litigation). This is not just a technical issue as most incidents involve human behavior (both authorized insiders as well as non-authorized outsiders). Also - there are slight (but very important) differences in implementing risk mitigation for information system incidents versus disaster recovery planning. The IS security profession has been around for several decades and some very well-regarded professional certification systems are now key (e.g., CISSP, GIAC). There are even a couple LinkedIn groups for this.

My Response
Thanks for the additional information.  I completely agree that appropriate information system security policies, procedures and countermeasures must be implemented.  But I'm not sure there is an acceptable risk level.  This is particularly true for associations and depends upon what confidential information an organization or company maintains.  That is why I think everything should be assessed and considered.

Further comment
If there is no acceptable level of risk, no firm has enough resources nor are there enough countermeasures available.   Here is a synopsis of information system controls viewed to be critical:

http://www.sans.org/critical-security-controls/

My Response
That is an excellent list! Thank you for sharing it.  I think we agree on this.  My point is that there is no one level of risk that is acceptable across the board and each company must assess the risk.  There are far too many variables.   Even if a company does everything listed, there remains a risk. For some companies I believe that risk is too great to not purchase insurance but that is why a complete assessment is needed.  From everything I have read on the subject the data cannot be completely protected if it is to be accessible and usable.  At that point, what confidential information is contained in the data will certainly be a factor.  Lawyers and CPAs whom I represent maintain social security numbers and a lot of other extremely confidential information.  A data breach would be extremely expensive and the firm should decide ahead of time what risk they will take and whether they will insure it. Unfortunately, many companies do not know the risks and take no comprehensive action.

 
 
           
On June 22, 2012 Governor Corbett signed Act 65 into law [SB 388].  The law goes into effect August 21 (60 days after it was signed).  This law amends the Pennsylvania Dental Law to require dentists licensed in Pennsylvania to purchase professional liability insurance. Pennsylvania is one of only a few states to require dentists to maintain this insurance.
                 
The law requires limits of at least one million dollars per occurrence and three million dollars per annual aggregate. However, it does allow dentists to be self-insured.  Until the regulations are passed, it is unclear exactly what proof of assets or solvency will be required to satisfy the self-insured status.
                 
What is required under the law is to maintain insurance and provide proof of insured status upon license renewal.  In order to be compliant with the new law it is important that dentists have insurance in place on or before August 21.  The Pennsylvania Dental Board has the ability to refuse, revoke or suspend a dentist’s license for failing to comply with this requirement.
                 
Commissioner Katie True of the Bureau of Professional and Occupational Affairs [BPOA] testified before the House Insurance Committee that requiring insurance would be beneficial to the public.  The Pennsylvania Insurance Department also supported this law. In Pennsylvania, other professionals that are required to maintain professional liability insurance in order to maintain their licenses include doctors, optometrists, chiropractors, nurse-midwives and physician assistants.  The question remains whether the BPOA and/or Insurance Department will push for the same or similar legislation for other professions or occupations.  So far the requirement to maintain insurance is limited to the medical boards, although it is interesting to note that attorneys must disclose to their client the fact that they do not maintain a certain level of insurance and this information is available online if you search an attorney's license status.

For now, we'll just have to wait and see whether BPOA attempts to expand the insurance requirement to other Professional or Occupational licensees.
 
 
Are you insured for your professional licensing matter?  Surprise . . . you may be.  I’ve represented many professionals in licensing issues before the various Pennsylvania Licensing Boards.  I’ve also represented many professionals in malpractice claims so I have had occasion to review many Professional Liability policies.  Many insurance companies do provide coverage for licensing complaints. Sometimes it is in the base policy and sometimes it is offered in a rider or even separate coverage.

 Often the insurance company will provide coverage because a license complaint is frequently filed in conjunction with a civil lawsuit and the insurance company doesn’t want the licensing matter to compromise the defense of the civil suit.  There is also an issue about control of what documents are provided in the licensing case and making certain no more than what must be disclosed is disclosed.

The insurance company will only cover your expenses, including legal fees, to defend the licensing case.  There will be no coverage for any fines or costs imposed by the licensing board.  Be certain to contact your attorney and/or insurance company early in the process so you have the benefit of their expertise from the beginning.  Often, the early intervention of an attorney can resolve a licensing complaint, particularly when there is also a civil action or the threat of a civil action, because those matters really should be dealt with in the civil courts rather than at the licensing board.

 If you would like me (or any specific attorney for that matter) to represent you and you do have insurance that will cover your attorney’s fees, you can request that the insurance company hire me.  If you let me know I can provide the insurance company with my resume and usually they will allow me to do the work rather than their panel attorney who may not have as much experience as I do.  In fact I may already be approved by the insurance company to do that work for them. 
 
So anytime an investigation is started or you receive an Order to Show Cause, make sure that you not only contact an attorney but also your insurance company in case you have coverage.