Cybersecurity Compliance Could Have Saved Capital One Millions

A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealously safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.1 Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.1 Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.2 In fact, had Thompson been more careful to remain anonymous,3 the data breach could well have become catastrophic.

First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services that are now being enforced by the state’s new Cybersecurity Division, this problem might have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.5 Had Capital One encrypted or tokenized6 all of the data subject to the recent breach, it is possible that the effects of the cyberattack would have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.1 Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.3

Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.

Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.7 Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.

Pastore & Dailey Secures Settlement in Failed Systems Case

Pastore & Dailey recently secured a favorable settlement in a case involving the loss of server data from an accounting firm. The settlement, which was reached after the loss of vital data from the client’s computer network, helped the client offset substantial financial harm produced by the server failure.

Cryptocurrency Tax Consequences

A recent decision by the Internal Revenue Service (IRS) to clamp down on cryptocurrency back taxes has understandably concerned many investors and thrown a host of complicated legal questions into sharp relief. In an effort to collect capital gains taxes on cryptocurrency trades, the IRS recently sent out a series of letters to about 10,000 investors warning them that failure to account for capital gains accrued in cryptocurrency markets could invite an audit or the imposition of even harsher penalties.1 The IRS has reportedly sent out three types of letters – one gently reminding investors to update their tax returns, another warning about the costs of tax evasion, and a third threatening an audit if a response is not received – “depending on the severity of the [tax] issue.”1

The IRS’ legal authority to send such letters and threaten enforcement action is rooted in the designation of cryptocurrencies as taxable property, rather than as currencies. In explaining this classification, the key consideration employed by the agency is that while cryptocurrencies can “be used to pay for goods or services” just like regular currencies, they can also be “held for investment,” a status that makes cryptocurrency subject to capital gains taxes.2 Cryptocurrency’s status as taxable property has a host of ramifications for tax preparation, the most important of which will be summarized below.

Before any investor can assess their cryptocurrency-related tax liability, they need to tabulate their “taxable events.” Taxable events, according to CryptoTrader.tax, encompass the following: “trading cryptocurrency to fiat currency” or to another form of cryptocurrency, “using cryptocurrency for goods and services,” and “earning cryptocurrency as income.”3 (Importantly, these provisions apply to cryptocurrency “miners,” the individuals who are paid in cryptocurrency to maintain blockchain networks).3 Whenever any of these taxable events occur, cryptocurrency investors need to log the “fair market value” of the cryptocurrency (plus any fees associated with the cryptocurrency purchase, sale, or trade) and determine if they incurred any gains or losses in the transaction.3 The tax rate on each transaction is determined by the length of time for which the investment was held. That is, cryptocurrencies purchased, held, and sold within a year are subject to the short-term capital gains tax (equivalent to regular income tax rates).4 Because U.S. tax law seeks to incentivize long-term investing, assets purchased and held for more than a year are subject to the long-term capital gains tax, which is considerably lower than the short-term rate.4

Although these rules may seem complex and burdensome, there are many ways to minimize your cryptocurrency tax liability. First and foremost, investors can actually claim deductions on their cryptocurrency losses – just as capital losses are deductible for more conventional assets.3 Moreover, as Accounting Today notes, investors can avoid capital gains taxes by gifting or donating cryptocurrency.5 Because the long-term capital gains rate is lower than the short-term rate (as discussed above), investors can lower their tax bill by making long-term investments.5 Finally, investors can reduce their tax liability by immediately converting cryptocurrency that has appreciated in value into a fiat currency like U.S. dollars, rather than using it to purchase another form of cryptocurrency.5 This is because the conversion to U.S. dollars and the act of purchasing another cryptocurrency with capital gains are both taxable events.5

Despite the uncertainty and mystique surrounding cryptocurrency, these novel investment opportunities are governed by laws and regulations familiar to any experienced investor. Common sense, sound legal advice, and diligence will prevent your cryptocurrency tax bill from growing exorbitant.


  1. https://www.cnn.com/2019/07/26/tech/irs-cryptocurrency-taxes/index.html
  2. https://www.irs.gov/pub/irs-drop/n-14-21.pdf
  3. https://www.cryptotrader.tax/blog/the-traders-guide-to-cryptocurrency-taxes
  4. https://www.investopedia.com/taxes/capital-gains-tax-101/
  5. https://www.accountingtoday.com/opinion/minimizing-tax-liability-for-crypto-invested-clients

Cryptocurrency in Capital Markets: From ICOs to STOs

In the wake of chronic price volatility and a series of enforcement actions against the chaotic and unregulated market for Initial Coin Offerings (ICOs), alternative financial instruments have recently been developed to help investors share in the precipitous growth of cryptocurrency and blockchain technology. At first, the ICO – an instrument that Investopedia.com defines as “the cryptocurrency space’s rough equivalent to an IPO in the mainstream investment world” – constituted the primary vehicle for investment in cryptocurrency.1 Under the terms of an average ICO, investors purchase an emergent cryptocurrency either with traditional currency or another, established cryptocurrency in the hopes that the emergent cryptocurrency will enter widespread usage and increase in value.2

Despite their seeming promise, many ICOs have faced regulatory headwinds and practical challenges from the start. In fact, several high-profile ICOs have been shut down because their issuers failed to comply with SEC securities regulations. In SEC v. Howey (1946), the Supreme Court set forth a canonical test for classifying financial products as securities, asserting that financial products should be regulated as securities when they constitute an “investment of money” as part of a “common enterprise” which entails “an expectation of profits [generated by a] promoter or third party.”3 Armed with this binding precedent, the SEC has classified cryptocurrencies as securities and has not shied away from clamping down on unregistered offerings. As recently as June 4th, 2019, the commission filed suit against the instant-messaging service Kik on the grounds that the company had “sold [cryptocurrency] tokens to U.S. investors without registering their offer and sale as required by[…]U.S. securities laws.”4 At issue in the Kik case was not just the company’s failure to register the offering with the SEC, but also the disconnect between cryptocurrency’s avowed purpose as a mode of exchange and its practical role as a store of value.5 That is to say, it becomes harder and harder to claim that cryptocurrencies are not securities when investors primarily acquire them in order to capitalize on price fluctuations.

Even though many ICOs have been registered after the fact to comport with securities regulations,6 they still constitute less than stable investment opportunities. According to a study conducted by Ernst and Young, “a lack of fundamental valuation and the due diligence process by potential investors is leading to extreme volatility of the initial coin offering (ICO) market,” trends which would presumably render them unacceptably risky choices for most investors.7

Faced with high levels of risk and the possibility of SEC enforcement, some investors are turning to Security Token Offerings (STOs) in order to acquire securitized cryptocurrency on capital markets. STOs typically offer securitized cryptocurrency “backed by real assets or things that have established value,” a characteristic that tends to immunize them against the price volatility of ICOs.8 STOs also have several key legal advantages over ICOs. Because the cryptocurrency offered is pegged to an identifiable group of revenue-generating assets, the issuers of the STO do not have to make the facile claim that their financial product is a mode of exchange and not merely a store of value. That is to say, as long as they are registered with the SEC and otherwise comply with securities regulations, STOs can be placed in essentially the same legal category as regular securities,5 a status which does not exempt them from federal oversight but can clear the way for the buying, selling, and trading of cryptocurrency on the open market. In this sense, STOs constitute safer, far less legally dubious vehicles for investors eager to take advantage of the cryptocurrency boom.


  1. https://www.investopedia.com/terms/i/initial-coin-offering-ico.asp
  2. Ibid.
  3. https://consumer.findlaw.com/securities-law/what-is-the-howey-test.html
  4. https://www.sec.gov/news/press-release/2019-87
  5. https://selfkey.org/stos-vs-icos-a-comprehensive-introduction-for-2018/
  6. https://www.clearyenforcementwatch.com/2019/02/sec-issues-first-ico-enforcement-action-against-a-self-reporting-token-issuer/#_ftn3
  7. https://www.ey.com/en_gl/news/2018/01/big-risks-in-ico-market–flawed-token-valuations–unclear-regulations-heightened-hacker-attention-and-congested-networks
  8. https://gomedici.com/2018-recap-move-over-icos-its-time-for-stos

FLSA: Congressional Intent and Gaming the System

Despite its status as a seemingly antiquated piece of New Deal legislation, the Fair Labor Standards Act (FLSA) has constituted the battleground for a long-running legal conflict over the right of employees to claim overtime. The Supreme Court issued its first major FLSA ruling in A.H. Phillips Inc. v. Walling (1945), a decision which established strict construction of the law’s provisions for exemption (a status that precludes overtime pay) as the legal norm. The case, which involved A.H. Phillips’ decision to deny overtime pay to employees in its warehouse and central office, demonstrated the Court’s determination to vindicate congressional intent. Writing for the majority, Justice Murphy noted that because the act constituted “humanitarian and remedial legislation” and comported with “the announced will of the people,” its provisions for exemption should not be subjected to jurists who might “abuse the interpretative process.”1 The provisions of the law at issue, the Court held, should be applied only to “those plainly and unmistakably within its terms and spirit,” setting the stage for narrow construction of the FLSA’s rules for overtime exemption and affirming the central purpose of the law: to ensure that workers in low-wage industries receive fair pay for the hours they work.2

Ironically, however, there has been a recent rash of otherwise well-off plaintiffs eager to claim non-exemption under the FLSA and obtain additional compensation, a development which surely contradicts the intent of the law’s framers. In fact, as Law360 notes, “almost all of Wall Street’s biggest banks have been hit with lawsuits alleging that they violated the Fair Labor Standards Act by classifying brokers as administrators rather than as sales people,” a classification which would render them exempt from FLSA overtime rules.3 These claims lack merit – especially in light of guidelines published by the Department of Labor that assert that “[e]mployees in the financial services industry generally meet the duties requirements for the administrative exemption.”4 Even in light of the obvious weakness of these assertions, the alarming fact that workers in the financial services industry (a field generally known to be lucrative) lodged such claims at all demonstrated that the intent of the law needed to be clarified again by the nation’s highest court.

The Supreme Court did just that in Encino Motorcars v. Navarro (2018), a landmark FLSA case on par with A.H. Phillips. Writing for the majority, Justice Thomas rejected a claim that “service advisors” employed by an auto dealership met the definition of nonexempt workers under the FLSA.5 Even more importantly, Encino Motorcars signaled the Court’s willingness to apply a broad standard in assessing exemption under the law, rather than a narrow standard that grants exemption only to those employees “plainly and unmistakably within [the FLSA’s] terms and spirit.”1 Although the Court’s recent decision constitutes a departure from precedent, it both vindicates the intent of the FLSA’s drafters and reaffirms the common-sense understanding that employees should be remunerated only in proportion to their willingness to work hard and accomplish the tasks set before them. In other words, both congressional intent and common sense dictate that financial services employees should be paid a salary reflecting the quality of their work product, not merely the hours they work. They are professionals, after all.

  1. A.H. Phillips v. Walling (1945), Murphy, J. Majority opinion.
  2. Ibid.
  3. https://www.law360.com/articles/34738/investment-banks-take-the-offensive-in-flsa-suits?copied=1, para. 2
  4. https://www.dol.gov/whd/overtime/fs17m_financial.pdf, para. 3
  5. Encino Motorcars v. Navarro (2018), Thomas, J. Majority opinion.

Pastore & Dailey Wins Jurisdictional Motion Involving Connecticut, Pennsylvania, and Texas

On July 23rd, 2019, Pastore & Dailey prevailed in a jurisdictional motion against a Texas defendant accused of participating in the theft of intellectual property, obtaining a ruling that denied the defendant’s motion to dismiss for want of jurisdiction. An evidentiary hearing has been scheduled to assess the jurisdictional claims of two other defendants connected to the alleged intellectual property theft, which involves the transfer of proprietary information between competing health food companies.

New DFS Cybersecurity Division

Perhaps as a signal of its commitment to fight cybercrime and stringently enforce its cybersecurity regulations, New York State recently established a “cybersecurity division”1 within the state’s Department of Financial Services (DFS). The creation of the division marks yet another step taken by New York State to guard against the dangers posed by cyberattacks, perhaps motivated by its status as the home of many prominent financial services firms. In addition, the presence of the division strongly suggests that the cybersecurity regulation2 issued by DFS in Spring 2017 cannot be taken lightly by the state’s largest and most important financial services firms. Aside from the comprehensive nature of the regulation and the sizable power afforded to the new cybersecurity division, the novelty of New York’s recent innovations in cybersecurity regulation suggests their importance and staying power. In fact, as JDSupra notes, the creation of the new division more or less completed a years-long process that has made “New York[…]the only state in the country that has a banking and insurance regulator exclusively designated to protect consumers and companies from the ever-increasing risk of cyber threats.”1

Some financial services firms, conscious of their vulnerability to cyberattacks, will doubtless welcome these additional steps. As a report from the Identity Theft Resource Center notes, financial services firms “are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.”3 Far from being mere annoyances, these cyberattacks are often extremely costly. In fact, according to a study from IBM and the Ponemon Institute, the cost to a financial services firm per record lost in a cyberattack was more than $100 greater than the cost to the average company.4 Moreover, cyberattacks can also cripple consumer confidence in financial services firms, causing them to lose business and endure even greater costs.5 In general, then, cyberattacks can damage both a financial services firm’s sensitive records and its public image, making them a grave threat to any such company’s bottom line.

It would be a mistake, however, to think about DFS regulation purely in terms of cost reduction. Regulation also entails costs – not least because compliance with the 2017 regulation can be investigated and punished by DFS’ new cybersecurity division. In fact, these new developments indicate that cybersecurity will not come cheaply, especially because the regulation imposes a bevy of new security requirements on top firms, costing them a not insignificant amount of time and money. From multi-factor authentication to training programs to the appointment of a “Chief Information Security Officer,” the now fully enforceable regulation will force financial services firms to foot the bill for a host of cybersecurity measures.6

  1. https://www.jdsupra.com/legalnews/new-york-creates-cybersecurity-division-20881/
  2. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
  3. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 3
  4. IBM and the Ponemon Institute, The Cost of a Data Breach (2017), summarized in https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 6
  5. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 8
  6. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf, pg. 5

Cryptocurrency Mining and the Danger of Halving

As cryptocurrencies continue to grow more sophisticated and widespread, the economic possibilities offered by cryptocurrency mining have drawn greater attention from prospective investors. Cryptocurrency mining, which helps to ensure that “transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger,”1 is a potentially profitable activity because a small amount of cryptocurrency is awarded to the “miner” able to verify the transaction fastest. On a large scale, cryptocurrency mining could potentially provide a solid revenue stream to a company able to overcome hurdles related to capital and operating costs. In the first place, the capital costs (in terms of computers, software, and other tools) that deter many would-be cryptocurrency miners would not constitute major impediments to any well-funded company intent on entering the field. But operating costs, rather than capital costs, constitute a larger problem for large-scale cryptocurrency mining companies. Because a certain amount of power is consumed whenever cryptocurrency is successfully mined, ensuring that the cost of electricity does not exceed the value of the cryptocurrency awarded is necessary before any such mining can be profitable. The power required to validate one cryptocurrency transaction, while not large on its own, adds up quickly in the context of large-scale mining operations. 
According to a report compiled by Coinshares, which provides cryptocurrency-related research and investment tools, companies and individuals mining Bitcoin (a popular cryptocurrency) consume roughly 41 terawatts a year in power.2 And according to that same report, investing in higher-quality equipment will not reduce the power requirement because “only the value of the [cryptocurrency] reward[…]can impact the network’s total electricity draw.”2 The solution, then, is to locate sources of cheap electricity – a solution which many cryptocurrency mining companies have already hit upon. In fact, the report notes that bitcoin miners tend to cluster in “regions dominated by cheap hydro-power,” especially the Pacific Northwest and Northeast regions of the United States.3 Although the influx of cryptocurrency mining operations into these areas has produced a measure of political backlash,4 it is not unreasonable to assume that the economic benefits conferred by such activities will soon outweigh such resistance.

Despite the evident promise of large-scale cryptocurrency mining, some have suggested that the upcoming “halving” of the cryptocurrency awarded for mining Bitcoin might seriously eat into profits and upset the delicate balance of power costs.5 However, this is not likely to constitute a serious headache for the industry for several reasons. First, as a Forbes article on the “halving” notes, Bitcoin operates according to the basic principles of supply and demand. That is to say, as fewer and fewer Bitcoins are disbursed during the mining process, fewer are available to be traded, causing their price to increase. This would conceivably offset the “halving” somewhat. Moreover, the recent increase in miner fees6 (fees paid by blockchain users to miners which supplement the cryptocurrency awarded) could also counterbalance the “halving.” All in all, despite the obstacles posed by power costs, capital investment and the gradual reduction of cryptocurrency awarded, large-scale cryptocurrency mining promises both steady revenue and growth potential in the years to come.

  1. https://www.webopedia.com/TERM/C/cryptocurrency-mining.html
  2. https://coinshares.co.uk/assets/resources/Research/bitcoin-mining-network-june-2019-fidelity-foreword.pdf, pg. 6
  3. https://coinshares.co.uk/assets/resources/Research/bitcoin-mining-network-june-2019-fidelity-foreword.pdf, pg. 10
  4. https://www.politico.com/magazine/story/2018/03/09/bitcoin-mining-energy-prices-smalltown-feature-217230
  5. https://www.forbes.com/sites/forbesfinancecouncil/2019/05/10/what-will-the-next-halving-mean-for-the-price-of-bitcoin/#d8a2fc15f340
  6. https://www.coindesk.com/bitcoin-fees-jump-to-nearly-1-year-highs-but-why

Upon Information and Belief Requires More than Information and Belief

Under the Federal Rules of Civil Procedure, a party must allege fraud with particularity. FRCP 9(b). When a party alleges fraud upon information and belief, that is generally insufficient to meet the standards under FRCP 9(b) absent additional allegations that demonstrate the origin of the information and belief. This is a nuanced difference from the particularity requirement for claims that are not alleged upon information and belief. This subtle difference is discussed in the cases Exergen Corp. v. Wal-Mart Stores, Inc., 575 F.3d 1312 (Fed. Cir. 2009) and Munro v. Lucy Activewear, Inc., 899 F.3d 585 (8th Cir. 2018).

In Exergen, the Court found that where deceptive intent was pleaded on information and belief and the Plaintiff did not plead either the information on which it relied or any plausible reasons for its belief, the pleading was insufficient. The Court further stated that the circumstances Plaintiff did allege did not plausibly lay out the elements required for a claim of deceptive intent. Similarly, in Munro, where the Plaintiff’s allegations were based on information and belief and the Plaintiff’s complaint did not set forth any supporting facts showing that Defendant intended to defraud him, the Court found the Plaintiff did not adequately allege fraud under Minnesota law.

This rule is applied in multiple jurisdictions and is one to consider carefully when pleading allegations on “information and belief.” Mikityanskiy v. Podee, Inc., 2011 U.S. Dist. LEXIS 55746 (S.D.N.Y. 2011) (a complaint that was made up entirely of allegations made on “information and belief” was not sufficient, especially when some allegations were made of readily available facts); Easton Tech. Prods. v. FeraDyne Outdoors, LLC, 2019 U.S. Dist. LEXIS 60313 (D. Del. 2019) (pleading was not sufficient under Rule 9(b) standard because there were no allegations of underlying facts to support the allegations made on “information and belief”); Gamevice, Inc. v. Nintendo Co., Ltd., 2018 U.S. Dist. LEXIS 221777 (N.D. Cal. 2018) (allegation of prosecution laches is insufficient when the complaint does not plead the specifics of which of the five patents at issue unreasonably delayed prosecution).