Skip To The Main Content

Weekly National News

Aug. 3, 2018

3 Ways to Know if Your Firm Needs Cyber Insurance

(Accounting Web) By Tomas Suros, July 30, 2018 – Small accounting firms rarely consider advanced insurance protection and instead opt for standard insurance like errors and omissions, general liability, workers’ compensation and property and contents, assuming anything more advanced is optional.

Related CPE
Cybersecurity programs
Technology programs

But as your business expands, it becomes more and more important to think about how you would serve your growing clients base if the worst were to happen. And in a modern technology landscape, the worst often involves a digital threat to the most important asset your accounting firm has: your data and that of your clients.

Cyber insurance, also known as cyber liability insurance coverage or cyber risk insurance, helps offset costs involved with recovering from a cyber attack or security breach. It, of course, doesn’t prevent cyber attacks, but it can significantly offset the risk of a breach by underwriting reimbursable expenses like:

  • Investigation
  • Privacy notifications
  • Lawsuits and extortion
  • Business losses from network downtime
  • Data loss recover
  • Crisis management

Cyber insurance first appeared on the market in the late 1990s and early 2000s. However, it’s only in the past few years that it’s become a common insurance policy for businesses that collect and store data.

Technology decisions have a massive impact on the success (or not) of your accounting firm. Get it right, and technology is an invisible enabler. Get it wrong, and you could be crippling your future growth, or worse.

Roughly 33 percent of companies in the United States purchase some type of cyber insurance. In fact, cyber insurance is quickly becoming a default insurance option for companies that store any kind of data online.

Curious about whether or not your firm needs cyber insurance? Here’s a look at three reasons more accountants, tax preparers and bookkeepers than ever are considering this coverage:

  • Cyber attacks are on the rise

Despite companies consistently putting more sophisticated security measures in place, there’s still a consistent year-over-year increase in cyber attacks. Symantec’s 2018 Internet Security Threat Report cites increases in IoT attacks (600 percent), cryptojacking (8,500 percent), malware exploits (200 percent) and mobile malware variants (54 percent).

With the increasing volume and diversity of cyber threats, it’s more likely than ever that a business will experience a breach at some point. Cyber insurance mitigates the financial risk of an attack by helping your firm recoup lost productivity, as well as the active costs of notifying clients of a breach and recovering your data.

  • Even small breaches are costly

The typical ransom amount demanded from cyber attacks aren’t especially large – the worldwide average in the second quarter of 2017 was $500-$2,000. But it’s not the ransom that threatens your firm’s financial status; it’s the cost of lost time and additional effort to recover from the attack.

A firm that grosses $5 million a year is worth about $2,400 per work hour. Even if your firm opts to pay the ransom quickly, it can take hackers up to 48 hours to verify your payment, leaving your firm struggling to recover from a $44,000 disruption. The costs – both to your daily productivity and reputation – add up.

  • Pairing cyber insurance with proactive security measures provides true security

Cyber insurance alone can’t save your firm from costly attacks. It’s simply an important way to protect your company from the after-effects of a breach you hope will never come.

Since the best insurance is insurance you never have to use, the bulk of your attention should fall on building and maintaining a secure private cloud that limits the opportunities for hackers to gain access to your systems. Pairing cyber insurance with this kind of holistic, preventative data security is the best way to make sure you’re protecting your accounting firm from every angle.

As hackers and cyber attacks become increasingly sophisticated, it’s no surprise accounting firms have stopped asking, “Do we need cyber insurance?” and started asking, “How much cyber insurance do we need?” If you haven’t thought through your firm’s needs to pair a private cloud with cyber insurance, there’s no better time than now.

 

 

 

 

The California Consumer Privacy Act of 2018: Summary and Comparison to GDPR

(JD Supra) By Kramer Levin Naftalis, July 30, 2018 – On June 28, 2018, the California Consumer Privacy Act of 2018 (CCPA) was signed into law. The bill was drafted and passed quickly, just prior to a deadline for removing a similar initiative from the ballot that would have appeared before California voters in November. Many expect revisions to or guidance regarding the law to be promulgated prior to the CCPA’s entry into force on Jan.1, 2020. Nonetheless, businesses that will be subject to the law would be well advised to consider the process of bringing themselves into compliance sooner rather than later. Some businesses that will be regulated under the CCPA may also fall within the ambit of the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018 (see our previous publication). This alert will examine the provisions of the CCPA, drawing comparisons with the GDPR where appropriate, in an effort to identify the steps covered entities may need to take as the implementation date for this important new law approaches.

Related CPE
Cybersecurity programs
Technology programs

Who Is Protected by the CCPA?

The CCPA will protect “consumers,” a term defined to include natural persons who are California residents. 1798.140(g). Like the GDPR, the rights granted under the law do not extend to legal persons like corporations. Art. 4(1).[1]

Who or What Is Regulated by the CCPA?

To come within the regulatory reach of the CCPA, a business must collect “personal information” from consumers, it must “do[ ] business” in California for profit or for the financial benefit of shareholders, and must meet or surpass one of the following three minimum thresholds:

  • $25 million in annual gross revenue
  • Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers
  • Derive 50 percent or more of annual revenue from selling consumers’ personal information

1798.140(c).

“Personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  1798.140(o). The CCPA goes on to offer a nonexhaustive but extensive list of examples of data that qualify as personal information. The list includes:

  • Standard personal information, such as name, address, or government ID numbers
  • Commercial information including goods or services purchased by the consumer
  • Web-based information including browsing and search history
  • Geolocation data
  • Information related to a consumer’s employment or education
  • Inferences drawn from the above types of information to create consumer profiles

As in the CCPA, the definition of “personal data” in the GDPR is quite broad, encompassing most pieces of information that relate to an identifiable natural person. Art. 4(1). But in a notable difference from the GDPR, the definition of “personal information” in the CCPA excludes “publicly available information,” meaning information that is lawfully available through government records. In another difference, the GDPR identifies “special categories of personal data” that are entitled to extra protections, whereas the CCPA recognizes personal information as a single category that may be composed of different kinds of data. Art. 9. Note that the CCPA uses the statutorily defined term “business” to refer to the entities that will be regulated under the law, while the GDPR regulates the “controllers” who determine what personal data is collected and the “processors” who process personal data on behalf of controllers. Art. 4(7)-(8).

What it means to “do[ ] business” in California is not defined in the CCPA, though the term is generally understood broadly under other California statutes. For example, the California Revenue and Taxation Code, Section 23101, provides that a company is doing business in California if it is “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit” in California.

It may also be worthwhile to observe that the scope of the CCPA is tethered to the locus of the consumer—that is, it is focused on protecting the rights of people resident in California. The CCPA is not concerned with the manner in which California-based businesses handle the personal data of non-Californian consumers. By contrast, the GDPR regulates businesses established in the EU, regardless of whether the personal data collected concerns EU citizens or not, as well as businesses located outside the EU that offer goods or services in the EU and process the data of EU citizens.

What Rights Does the CCPA Establish for Consumers?

Making reference to past breaches of consumer privacy and observing that “[p]eople desire privacy and more control over their information,” the CCPA grants California consumers new rights over the personal information collected about them by covered businesses. These rights, in turn, create responsibilities for those businesses that will be regulated under the law. The section below summarizes the rights granted to consumers under the CCPA and the steps businesses must take to ensure that these rights are protected.

Right to Know What Information Is Collected About You

The CCPA grants consumers the right to request that businesses disclose the “categories and specific pieces of personal information the business has collected” about them. 1798.100(a).

To effectuate this right, the CCPA places several affirmative obligations on regulated businesses. Before collecting a consumer’s personal information, a business must inform consumers of the categories of personal information that it collects about them. This will likely be accomplished through the business’s privacy policy (see section below). Businesses are prohibited from collecting personal information from a consumer that would fall outside of the categories of information that it discloses it collects about consumers. 1798.100(b).

Upon request, a business must disclose to a consumer:

  • The categories of personal information it has collected about the consumer
  • The categories of sources from which the personal information was collected
  • The business purpose behind collecting the personal information
  • The categories of third parties with whom the business has shared the information
  • The specific pieces of personal information it has collected about the consumer

1798.110(a).

This information may be provided to the consumer electronically or by mail. If transmitted electronically, the data “shall be portable” and, to the extent possible, provided “in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.” 1798.100(d). Businesses are not, however, obliged to retain personal information for one-time transactions, so long as that information is not retained by the business or sold to a third party. The CCPA calls on the attorney general to adopt regulations concerning how businesses should verify consumer requests to ensure that businesses only share personal information with the consumer to whom the personal information relates. 1798.185(a)(7).

Like the CCPA, the GDPR allows data subjects to request information about the personal data that the controller has collected about them, though it distinguishes personal data obtained from the data subject and personal data obtained from outside parties. When personal data is collected from someone other than the data subjects, the GDPR grants data subjects the additional right to know from what sources the personal data originated. Art. 14. But the GDPR also identifies a number of situations in which controllers and processors need not share information with the data subject when the information was collected from an outside party, including if the data subject already has the information, where provision of the requested information would be “impossible or would involve a disproportionate effort,” where an EU member state provides for different rules that protect the data subject's legitimate interests, or where the personal data must remain confidential subject to “an obligation of professional secrecy” or a statutory obligation of secrecy. When it comes to requesting a copy of the personal information a controller or processor has obtained about a data subject, the GDPR makes no distinction—data subjects have the right to a copy of the personal data that was collected about them regardless of the source, with the caveat that this right “shall not adversely affect the rights and freedoms of others.” Art. 15.

Right to Request Deletion

The CCPA grants consumers the right to request that businesses delete any personal information about the consumer that the business has collected from the consumer. 1798.105. Note that the CCPA does not grant consumers the right to request that a business delete personal information obtained from someone other than the consumer.

To effectuate this right, the CCPA provides that regulated businesses must:

  • Inform consumers of their right to request deletion of information (see privacy policy section below). 1798.105(b).
  • Delete consumers’ personal information upon request and “direct any service providers to delete the consumer’s personal information from their records.” 105(c).

The CCPA does, however, indicate a number of circumstances in which a business need not comply with a consumer request to delete personal information. These include situations where the personal information is necessary to complete a transaction, to detect or prevent fraudulent activity, to comply with a legal obligation, or “[t]o enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” 1798.105(d).

The GDPR contains a similar provision, referred to as the “right to be forgotten,” allowing data subjects the right to have personal data concerning them deleted by the data controller under certain circumstances. Data subjects enjoy this right regardless of the source from which the data was obtained. Art. 17. As with the CCPA’s right to deletion, the GDPR’s right to be forgotten is cabined by several exceptions, allowing controllers to deny erasure requests when doing so is part of an exercise of free expression; is necessary for compliance with a legal obligation or the establishment, exercise or defense of legal claims; or when retaining the data is in the public interest. The GDPR also allows data subjects to request that controllers implement restrictions on the use of their personal data in certain circumstances, and requires businesses to notify any recipient to whom they have disclosed the subject’s personal data of any limitations or erasures requested by the subject that they have implemented. Art. 18-19.

Right to Request Disclosures About Personal Information That Is Sold

Californians have the right to request that businesses that sell consumer personal information, or that disclose personal information for a business purpose, provide information regarding these practices to the consumer upon request. 1798.115. The consumer may seek the following information from a business engaged in selling personal information:

  • The categories of personal information collected about the consumer
  • The categories of personal information that were sold, and the category or categories of third parties to whom the personal information was sold
  • The categories of personal information that the business disclosed about the consumer for a “business purpose”

Use of personal information for a “business purpose” is defined to mean use that is “reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” The CCPA provides several examples of “business purpose[s],” including detecting security incidents, providing advertising or marketing services, processing payments, and other purposes. 1798.140(d). Businesses engaged in selling personal information are required to make affirmative disclosures to this effect, as explained in the privacy policy section below.

Right to Opt-Out of the Sale of Personal Information

The CCPA also allows consumers to demand that businesses cease and desist from selling their personal information, referring to this ability as “the right to opt out.” 1798.120. The CCPA adopts an “opt-in” framework where selling a child’s personal information is concerned: affirmative parental consent is required before the sale of personal information regarding a child under 13 years of age, while affirmative “opt-in” consent is required by the consumer for consumers between 13 and 16 years of age. 1798.120(d). The GDPR generally requires parental consent for any processing of a subject’s data where the data subject is under 16 years of age. Art. 8. These provisions may be of special relevance for businesses operating in the social media space.

The GDPR does not focus directly on the potential sale of personal data to the same degree as the CCPA, whose drafters pointed specifically to Cambridge Analytica’s improper use of Facebook user data as a motivation for passage of the law. But the absence of specific language addressing the sale of personal information does not mean the GDPR has nothing to say on the subject. On the contrary, the GDPR requires controllers to inform data subjects of the recipients or categories of recipients that have received their personal data (Art. 13-15) and to inform recipients of personal data of any restrictions or erasures undertaken at the request of the data subjects (Art. 19). It also grants data subjects the right to object to the use of their personal data for direct marketing purposes. Art. 21. Most importantly, under the GDPR, any “processing” of personal data, which would include “disclosure by transmission” or “otherwise making available” personal data to a recipient, must be based on one of the six lawful grounds for personal data processing articulated in Article 6. To the extent that any sale of personal data was based on the consent of the data subject (consent being one of the lawful bases for processing included in Article 6), withdrawal of the data subject’s consent would render any subsequent sale unlawful under the GDPR.

Right to Be Free From Discrimination

Businesses are barred from discriminating against consumers that exercise their rights under the CCPA. 1798.125. Specifically, following a demand from the consumer to stop selling their personal information, a business may not:

  • Deny goods or services to the consumer
  • Charge different prices for goods or services
  • Provide a different quality of goods or services
  • “Suggest” that the consumer will receive a different price or quality of goods or services

The drafters of the CCPA, however, included a qualification to the non-discrimination provision. The CCPA provides that businesses may still charge “a consumer a different price or rate, or [provide] a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” 1798.125(a)(2). In other words, a business may provide a different level of service or charge a different price if a limitation imposed by the consumer on the use of his or her personal information affects the business’s ability to provide a good or service to the consumer. The CCPA also provides that businesses may offer incentives to consumers for the collection or sale of personal information, though these financial incentives may not be “unreasonable” and are subject to an “opt-in” from consumers that they may revoke at their will. 1798.125(b).

What Should Businesses Include in a Privacy Policy?

Consistent with its nature as a disclosure statute, the CCPA includes a requirement that businesses describe the rights of consumers in a privacy policy or on the business’s website. 1798.130(5). The privacy policy must contain:

  • A description of consumers’ right to request disclosures regarding the personal information that has been collected about them, including the specific pieces of personal information the business has collected
  • A description of consumers’ right to request information about any sale or disclosure of their personal information
  • A statement of consumers’ protection against discrimination in the event that a consumer exercises any of their rights under the CCPA
  • A list of the categories of personal information collected about consumers in the past 12 months. The CCPA directs that the categories of information track the types of “personal information” listed in the statutory definition of that term (name, address, browsing or search history, etc.). 1798.140(o).
  • A list of the categories of personal information it has sold in the preceding 12 months or an affirmation that the business has sold no personal information
  • A list of categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months or an affirmation that the business has made no such disclosures

While the GDPR does not require businesses to implement a privacy policy per se, regulated controllers and processors are required to plainly convey to data subjects a variety of information regarding the use of their personal data, including the purposes of processing personal data, any sharing of personal data with third parties, the period for which personal data will be stored, and the right to request access to or deletion of personal data. Thus, as a practical matter, both laws require substantial disclosures to the consumer, whether or not they are contained in a document (or on a webpage) specifically designated as a “privacy policy.”

How Should a Business Field Requests From Consumers?

As discussed above, the CCPA requires that businesses field requests from consumers about their personal information. To facilitate these interactions, the CCPA mandates that covered businesses establish two means by which consumers may make requests under the CCPA. These must include a toll-free telephone number and if the business maintains a website, a URL where requests may be made. 1798.130(1). Information properly requested by a consumer under the CCPA must cover the preceding 12-month period and be delivered, free of charge, within 45 days of the request. Those businesses that sell personal information must maintain a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on its webpage, and link to that page in any online privacy policy or specific description of the rights of California consumers. 1798.135. The link should deliver consumers to a webpage where they may opt out of the sale of their personal information.

How Is the CCPA Enforced?

The CCPA permits private individuals to sue in the event of any unauthorized “exfiltration, theft, or disclosure” that results from the regulated business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature” of the personal information they hold. 1798.150. Should such a situation arise, private plaintiffs may recover:

  • The greater of $750 per consumer per incident, or actual damages
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

The CCPA does, however, place limits on private plaintiffs’ ability to bring claims. Any individual pursuing this course must notify the business of the specific provisions of the CCPA the consumer believes were violated and give the business 30 days to “cure” the violations. In the event the business succeeds in curing the violations, notifies the consumer, and assures him or her no further violations will occur, no individual or class-wide damages may be pursued. Consumers seeking only “actual pecuniary damages” as a result of a breach are not required to provide this notice. 1798.150(b)(1).

Once a private action has been initiated, plaintiffs must notify the attorney general within 30 days of filing a claim. Upon receipt of this notice, the attorney general may allow the private plaintiff to proceed, pursue his or her own enforcement action, or decide that the private plaintiff may not proceed with the action. 1798.150(b)(3). The CCPA also empowers the attorney general to pursue civil penalties against businesses that intentionally violate the law. Penalties for intentional violations may be assessed at up to $7,500 per violation. 1798.155(b).

Importantly, the CCPA insulates a business from liability when it shares personal information with a service provider and the service provider uses the personal information in violation of the CCPA, so long as the business had no reason to believe that the service provider intended to commit a violation. Reciprocally, the CCPA relieves service providers of liability for any violations committed by the business that collected the personal information. 1798.145(h).

The GDPR takes a different approach to enforcement, calling on each EU member state to establish its own Data Protection Authority (DPA) endowed with the power to issue fines for violations of the GDPR. The GDPR itself guarantees data subjects the right to an “effective judicial remedy” when their rights have been violated, regardless of the particular enforcement powers or actions of an individual DPA. Art. 78-79. Both the GDPR and CCPA grant individuals whose data privacy rights have been violated the right to seek compensation, though recovery can be obtained under the CCPA only in the event of a breach. Neither law appears to require proof of actual damage—the GDPR allows individuals to receive compensation for both “material and non-material damage,” while the CCPA leaves room for private suits regardless of actual damage in providing for damages of up to $750 per consumer per data breach “or actual damages, whichever is greater.”  Art. 82; 1798.150.

General Exceptions to the CCPA

The CCPA carves out a variety of special contexts in which its provisions will not apply. Several exceptions relate to legal obligations, providing that the requirements of the CCPA will not restrict a business’s ability to comply with federal or state laws or with civil or criminal process, exercise or defend legal claims, or maintain privileged communications. Nor does the CCPA apply to health information collected by entities covered under laws and regulations concerning medical and health insurance information, personal information sold to or by a consumer reporting agency if the information will be used in a consumer report, or personal information collected pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act. 1798.145.

Overall Comparison to GDPR

While the GDPR and CCPA both seek to protect personal privacy, they differ from one another in important respects. At a fundamental level, the CCPA is a statute about disclosure and transparency. It requires businesses to proactively disclose to consumers the kinds of personal information that they collect and to tell consumers if they plan to sell consumers’ personal data. It gives consumers the right to request the specific personal data that businesses have collected about them, to request that the information be deleted, and to opt out of the sale of their personal information to third parties. Though the liability portion of the statute subjects covered businesses to lawsuits when their failure to “implement and maintain reasonable security procedures and practices” results in the unauthorized disclosure of personal information, the CCPA has relatively little to say about what security procedures and practices are “reasonable.” 

As a more comprehensive, “General” regulation, the GDPR goes into greater detail as to how personal data should be protected, containing an entire chapter addressing the measures that data controllers and processors may need to adopt to maintain the security of personal data. The GDPR provides that data controllers and processors of significant size generally must maintain specific records regarding their processing of personal data (Art. 30), use encryption where appropriate (Art. 32), undertake data protection impact assessments prior to using personal data in new ways that may pose a risk to the privacy of data subjects (Art. 35), and must designate a data protection officer where the controller or processor processes personal data on a large scale (Art. 37). The GDPR also grants rights to consumers that the CCPA does not. The GDPR gives data subjects the right to request that those who control their personal information rectify any mistakes contained therein (Art. 16), the right to request that restrictions be placed on the use of their data instead of outright deletion (Art. 18), and requires businesses to report data breaches to the relevant DPA and to affected data subjects (Art. 33-34).

Thus, in most respects, the CCPA is relatively more modest than the GDPR. It focuses on disclosure, whereas the more ambitious GDPR provides data subjects more rights and imposes more obligations on data controllers and processors.

Conclusion

The CCPA will not enter into force for well over a year, but given the technological and compliance-related measures covered businesses may be obliged to undertake, it’s not too soon to consider preparations. Businesses that are subject to the GDPR and have sought to comply with its provisions may already have satisfied the CCPA’s requirement that businesses implement and maintain reasonable security procedures and practices designed to secure personal information. They are also likely to have already disclosed much of the information that is required under the CCPA. However, given the particularities of the CCPA, even those businesses that are fully in compliance with the GDPR will likely need to take additional measures to satisfy the provisions of the CCPA when it becomes operative in 2020. Businesses should begin to evaluate whether they are subject to the CCPA, identify steps that will be required to comply with its provisions, and stay tuned for guidance or regulations concerning the CCPA from the California attorney general.

[1] References to the GDPR appear as citations to articles (Art.).  References to the CCPA appear as citations to the provisions added to California Civil Code at section 1798 by the CCPA.

 

 

 

 

 

Tax Strategy: What’s at Stake for Retailers and Their Tax Advisors from Wayfair

(Accounting Today) By Mark Friedlich, August 1, 2018 – Despite the Supreme Court’s decision in Wayfair, state sales and use tax nexus uncertainty continues even as the ink is barely dry on the ruling that overturns the long-standing mandatory Quill requirement that only physical presence meets the constitutional substantial nexus test.

Related CPE
Wayfair programs
Texas State Taxation Conference Webcast on Aug 7
Also see related article: Sales Taxes After Wayfair—Challenges and Opportunities for CPAs

With omni-channel commerce and digital disruption, sales tax obligations for the retail sector have never been more complex and dynamic.

And with the recent decision by the Supreme Court in Wayfair to overturn the decades-old physical presence nexus standard of Quill, states can now follow in South Dakota’s footsteps or may take their own paths to implement sales tax on the billions of dollars spent annually on online sales.

The court’s decision has a significant impact on states, businesses and consumers alike. It is critical for businesses to stay current and if they haven’t already done so, to establish processes and solutions to meet their tax obligations as nexus laws and regulations will continue to evolve at a feverish pace.

Major factors

What were the key developments leading up to the Wayfair case?

1. State revenue shortfalls. In 1992, when the Supreme Court decided Quill, it was estimated that the states were losing between $694 million and $3 billion per year in sales tax revenues as a result of the physical presence rule. Now estimates range from $8 billion to $33 billion.

2. Growth of U.S. sales tax jurisdictions and complexity. Nationally, there are a total of 10,708 jurisdictions in the United States that impose a sales tax, as of June 30, 2017, ranging by state on the high end from 1,277 in Missouri, 1,153 in Texas, 908 in Iowa, and 800 in Alabama, to just one each in the states of Connecticut, Indiana, Kentucky, Maine, Maryland, Massachusetts and Michigan.

The number of sales tax jurisdictions has grown each year and is up from about 6,000 at the time of the Quill decision. That’s almost double, and expect that rate of growth to continue at least at a similar rate as states face the prospect of increasing revenue shortfalls, particularly as the result of federal tax reform legislation passed at the end of 2017.

3. Nexus alternatives to physical presence. Particularly since Quill, many states have aggressively tested the limits of the meaning of “physical presence,” adding new nexus laws under a number of approaches, including:

  • Economic nexus (the Wayfair case);
  • Click-through nexus;
  • Affiliate nexus;
  • Marketplace nexus;
  • Cookie nexus; and,
  • Use tax notice/reporting.

Even a brief review of the creative and aggressive actions by the various states to introduce alternative nexus standards prior to the Wayfair decision illustrates the retailer’s challenges in sales tax compliance, with many states introducing two or even three new types of nexus.

4. Streamlined sales and use tax agreement. Another state-inspired approach has been the adoption of a streamlined sales and use tax agreement, the goal of which was to find solutions for the complexity in state sales tax systems that resulted in the U.S. Supreme Court holding in Quill. The agreement focuses on improving sales and use tax administration systems for all sellers and for all types of commerce. However, before Wayfair, only 23 states had adopted it in some form or another.

Inside the ruling

What did the Wayfair court say and not say about state sales and use tax nexus?

The South Dakota law at issue is S.B. 106, effective May 1, 2016, which requires that any entity exceeding an annual sales threshold of $100,000 or 200 separate transactions in South Dakota collect and remit South Dakota sales tax. This is often referred to as “economic nexus,” rather than “physical presence nexus,” because it is based entirely on economic presence, not physical presence.

This placed the statute clearly and intentionally at odds with Quill for the specific purpose of getting the Supreme Court to review it — and the court’s ruling overturned the Quill physical presence test as “unsound and incorrect.”

To many, the Wayfair case can be confusing because the court remanded the case back to South Dakota. Here is why it is important: The Wayfair court used the four-prong test of Complete Auto to test the validity of the South Dakota nexus statute. That test has been the appropriate test for decades — state taxes are valid so long as they:

  • Apply to an activity with a substantial nexus with the taxing state;
  • Are fairly apportioned;
  • Do not discriminate against interstate commerce; and,
  • Are fairly related to the services the state provides.

In Quill, the court held that only physical presence meets the first prong of the above test — “substantial nexus.” In Wayfair, the court said that physical presence is not the only way to establish the first prong of the four-prong test — substantial nexus. For example, economic presence, in this case, did just that. However, since the other three prongs of the Complete Auto test must also be met, the case was remanded back to South Dakota — to reconsider the South Dakota nexus statute in light of all four prongs of the test, but this time without the mandatory physical presence standard for the first prong of the test — substantial nexus.

In overturning Quill as unsound and incorrect, it opened the door for states to enact nexus laws that do not require physical presence.

So, what did the court mean by calling Quill nexus “unsound and incorrect?” Here is what the court said:

  • “The physical presence rule has long been criticized as giving out-of-state sellers an advantage. Each year, it becomes further removed from economic reality and results in significant revenue losses to the states. These critiques underscore that the rule is an incorrect interpretation of the Commerce Clause.”
  • “The physical presence rule of Quill is also an extraordinary imposition by the judiciary on states’ authority to collect taxes and perform critical public functions.”
  • In the absence of Quill, the test simply asks “whether the tax applies to an activity with a substantial nexus with the taxing state.” In the South Dakota law, “the nexus is clearly sufficient. It applies only to sellers who engage in a significant quantity of business in the state, and [companies like Wayfair] are large, national companies that undoubtedly maintain an extensive virtual presence.”

The immediate consequences

Many states already have legislation on the books with different effective dates, which can be described as “economic presence” laws because they have some “volume of economic activity” requirement to establish nexus, just like the South Dakota statute. However, the immediate issue is the effective date for collecting the tax, which varies with each state. For example:

  • States like Hawaii and Vermont have July 1, 2018, effective dates and have already made announcements to use “catch up” procedures for transactions in 2018 before the Wayfair decision.
  • Kentucky and Iowa, on the other hand, have announced that taxes will be collected on a “prospective” basis, with Iowa saying specifically Jan. 1, 2019.
  • Idaho announced that it is “still reviewing” next steps.
  • Ironically, South Dakota must wait while the case is being wrapped up in the state court system on remand, so the injunction preventing the enforcement of the law will remain in place.
  • The Minnesota Department of Revenue will provide more guidance within 30 days.
  • Louisiana will require remote retailers to collect sales and use tax if they meet certain sales thresholds. The thresholds apply to tax periods on or after the date of the Wayfair decision.
  • Illinois, Wisconsin and Alabama will require remote retailers to collect use and service use tax when they meet certain sales thresholds. This collection requirement begins Oct. 1, 2018.
  • Indiana will not enforce the law retroactively and will soon provide a specific date for enforcement.

Bottom line: State-specific guidance is being announced almost daily, and recommendations from groups like the National Conference of State Legislatures, the Multistate Tax Commission and the Streamlined Sales Tax Governing Board are forthcoming as well — all of which should be tracked carefully by retailers and their tax advisors.

The long-term consequences

Physical presence may no longer be a necessary element of sales tax nexus, but that doesn’t mean issues in this area will be greatly simplified. Once you eliminate the physical presence requirement, it opens up so many other things.

It’s a win for the states, particularly the smaller, less populous states with fewer brick-and-mortar retailers. But states like New York and California, which have very complex statutes on the books, will have to make some significant changes to their laws.

Wayfair has an especially important impact, particularly on those states that don’t impose state and local income taxes, because it’s their primary source of tax revenue.

New Hampshire is a state without a sales tax. According to a recent announcement, the governor plans to call a special session to consider legislation to protect New Hampshire businesses from improper attempts by other states to force collection of sales and uses taxes.

In addition, senators from two other “non-sales tax states” (Oregon and Montana) have joined the senator from New Hampshire to introduce federal legislation (Senate Bill 3180) titled, “A bill to regulate certain state impositions on interstate commerce” in an effort to overturn the U.S. Supreme Court’s decision in Wayfair.

It remains to be seen what the states will actually do, but state governments and their taxing authorities are well advised to adopt the economic presence nexus standard along lines similar to the South Dakota statute, which specifically requires only a certain volume of economic activity measured by either amount or number of sales in the state.

It’s a safe bet that if states follow the South Dakota model, they won’t be challenged by taxing authorities, tax advisors, retailers or anybody else.

It will take most states months to get their collection systems up and running. This is not likely to take place until January 2019 for many jurisdictions. A key feature of the South Dakota law was that there would be no retroactive imposition of sales tax on e-commerce sellers. Theoretically, states can impose sales tax retroactively as far back as 10 years, but most states would not go in that direction, because it would be challenged.

More legislative action?

There will be a lot of pressure for Congress to step in and simplify the sales tax collection and compliance process by providing one set of rates and standards that apply to all states that impose the sales tax. Several states that don’t currently impose a sales tax are actively considering doing so now that they effectively have been given a “safe harbor” to do so on e-commerce. Tax advisors and retailers, in particular, take note.

Although the Wayfair decision only applies to sales and use tax for the moment, there are some commentators who suggest that Wayfair may eventually be extended to other types of income, such as corporate income tax.

Whether the states will repeal or retain some of the other alternative nexus laws, e.g., cookie nexus, reporting/notice laws, click-through nexus, etc., currently on the books is an open question. State legislative actions over the coming weeks will have to be monitored carefully.

Next steps for retailers

To ensure that businesses will stay sales and use tax-compliant with the expanded nexus standards and minimize risks to their businesses, best practices should be put in place:

  • Understand their nexus profile — where do they have a sales tax obligation based on evolving standards?
  • Assess their capability to accurately, consistently and efficiently meet their obligations.

Mark Friedlich, Esq., CPA, is a senior director for tax & accounting for North America for Wolters Kluwer.

 

 

 

 

 

 

 

 

IRS Releases Early Guidance on New Uses, Options for 529s

(Accounting Today) By Jeff Stimpson, July 31, 2018 – The latest IRS regulations on three recent tax law changes affecting 529 education savings plans highlight tuition refunds, expanded rules for use, and rollovers.

Related CPE
New Tax Law programs
Texas State Taxation Conference Webcast on Aug 7

Notice 2018-58 addresses a change in the PATH Act and two changes in the Tax Cuts and Jobs Act. Taxpayers, beneficiaries and administrators of 529 and ABLE programs can rely on the rules in this notice until the Treasury Department and IRS issue regulations clarifying these three changes.

Tuition refunds: The PATH Act change added a special rule for a beneficiary of a 529, usually a student, who receives a refund of tuition or other qualified education expenses (this can occur when a student drops a class mid-semester). If the beneficiary recontributes the refund to any of their 529 plans within 60 days, the refund is tax-free. The Treasury Department and the IRS intend to issue future regulations simplifying the tax treatment of these transactions. Re-contributions would not count against the plan’s contribution limit.

K-12 education: A TCJA change allows distributions from 529s to be used to pay up to $10,000 of tuition per beneficiary (regardless of the number of contributing plans) each year at an elementary or secondary public, private or religious school of the beneficiary’s choosing.

Rollovers to an ABLE: Another TCJA change allows funds to be rolled over from a designated beneficiary’s 529 to an ABLE account for the same beneficiary or a family member. ABLE accounts are tax-favored accounts for certain people who become disabled before age 26, designed to enable these people and their families to save and pay for disability-related expenses. The regulations would provide that rollovers from 529s, together with contributions to the designated beneficiary’s ABLE account (other than certain permitted contributions of the designated beneficiary’s compensation) cannot exceed the annual ABLE contribution limit, which is $15,000 for 2018.

 

 

 

 

 

80% of Businesses that Outsource Accounting Likely to Refer Their Accountant

(CPA Practice Advisor) By Isaac O’Bannon, July 27, 2018 – A new survey finds that businesses using an accounting firm’s client advisory services (CAS) report higher profits and greater financial insights. These clients are more satisfied with their accounting firms, with nearly 80 percent likely to provide firm referrals. The study, conducted by Bill.com, the leading business payments company, and CPA.com, an AICPA company empowering CPAs for the digital age, reveals that companies can perform better when they outsource their accounting.

The 2018 Client Accounting Services (CAS) Survey, conducted by Bill.com with support from CPA.com, analyzed the responses of more than 1,700 companies to determine their opinion of CAS and how accounting services affect their businesses. Also called business process outsourcing or client accounting advisory services, CAS represents outsourced accounting, finance and back-office support, including AP, AR, payroll, virtual CFO services and the technologies that support them.

Findings include:

  • Eighty percent of CAS clients say they have more time to focus on their business.
  • Seventy-nine percent of companies that outsource accounting say they would refer their accountants. Sixty-eight percent report that accounting is easier and more efficient, thanks to CAS.
  • Half of the CAS clients say they worry less about mistakes.
  • Roughly 30 percent of companies outsourcing accounting have received advice from their accounting firms that has helped them increase profit. The same percentage also feels more prepared to make business decisions.

“Outsourcing helps accounting firms grow their positions as trusted financial advisors, while clients gain the tools they need to be successful – better financial insight, more time and expert guidance toward their goals. With these types of results, it’s not surprising that CAS clients will more often refer their accountants,” commented René Lacerte, CEO and founder of Bill.com.

Entry points for CAS

The survey pinpoints the accounting services businesses are most interested in outsourcing. One in five respondents say they are interested in outsourcing AP, AR and general ledger management.

“Accountants interested in building CAS realize that automating bill management is a key component. This is where most firms start when they begin building an outsourcing practice,” said Michael Cerami, vice president of marketing and business development for CPA.com.

How technology enhances CAS results

Tech-savvy companies discover more success overall when it comes to accounting. Thirty-three percent that welcome technology recommendations from accountants say they have increased revenue and/or profit compared to 15 percent of those that do not. Likewise, 28 percent say they have greater financial insight versus 8 percent for those that aren’t open to new technologies.

When technology combines with CAS, companies multiply their benefits. For businesses that use CAS, pay a set monthly fee for services and welcome technology recommendations, 44 percent say they have greater financial insight.

A full report of the study results is available here.

An infographic covering the survey results is available here.

 

 

 

 

 

GOP Releases Sketch of Tax Reform 2.0

(Don’t Mess With Taxes) By Evan Cooper, July 25, 2018 – Republicans unveiled their outline for additional tax changes on July 24 and it's just that. A bare-bones framework.

House Ways and Means Committee Chairman Kevin Brady (R-Texas) acknowledged the skimpy structure. That was by design, he said, with the outline to serve as a starting point for his GOP colleagues to offer feedback.

Related CPE
New Tax Law programs
Texas State Taxation Conference Webcast on Aug 7

Yes, he said Republican feedback. As with the original Tax Cuts and Jobs Act (TCJA) that was enacted last December, Democrats were excluded from the legislative writing process.

Once things are fleshed out, Brady said he expects a Tax Reform 2.0 bill to go before the House in September.

Sorry, GOP Congressional staff, it looks like you'll be spending your usual August recess getting the new tax bill in shape for when your bosses return from their late summer vacations district work sessions.

Election-driven changes: Not to be too cynical, but proposals that focus on, as Brady was happy to point out, middle-class and small-business tax cuts just before a crucial midterm election are pretty darn convenient.

That approach looks to be tailor-made to counter the major Democratic rallying cry against the TCJA is that it disproportionately rewards big business and the wealthiest Americans.

And again, not to be overly suspect of the GOP's timing, but it also sorts its Tax Reform 2.0 sorts into three categories, each with a title that makes a great campaign trail tagline: Protecting Middle-Class and Small Business Tax Cuts, Promoting Family Savings and Spurring new business innovation.

Permanent tax cuts for all: As noted, opponents of the TCJA immediately latched onto the bill's apparent favoritism of big businesses.

They say the new tax law's huge tax break for big businesses — cutting the corporate tax rate from 35 percent to 21 percent — is a permanent part of the Internal Revenue Code.

Of course, we all know that nothing within Congress' reach is ever permanent as far as Merriam-Webster defines it. Rather, this means legislatively that the law, right now, doesn't have an ending date.

Meanwhile, note TCJA critics, its tax benefits for individuals and small businesses are temporary. They are set to expire at the end of 2025.

That complaint is taken care of in the first Tax Reform 2.0 section, Protecting Middle-Class and Small Business Tax Cuts.

Here, according to the GOP, this latest round of tax law change would make permanent many of the individual and small business TCJA tax breaks that are set to expire in seven years.

This pro-growth move, argues Tax Reform 2.0 advocates, will create 1.5 million new jobs, increase wages by 0.9 percent and increase Gross Domestic Product by 2.2 percent. The Ways and Means leadership didn't provide any supporting data for these figures

New and expanded savings: The next area of focus in Tax Reform 2.0, which the GOP outlines says in most instances is woefully inadequate.

More than half of adults don't expect they will be able to save enough to retire comfortably. A third do not have access to a workplace retirement plan.

To address these gaps, 2.0's Promoting Family Savings category calls for:

  • USA accounts: The proposed new Universal Savings Account is described in the Ways and Means outline as "a fully flexible savings tool for families." However, aside from that and its patriotic (and campaign-ready acronym), there are no details on the account.
  • Expanded 529 education account options: Here the Republicans wants to make using money in these state-administered tax-favored plans even easier than done in TCJA. If enacted, education savings also could be used to pay for apprenticeship fees to learn a trade, cover the cost of homeschooling and help pay off student debt.
  • New baby savings: Here money could be taken penalty-free from retirement accounts to pay for childbirth or adoption costs. Families could also pay back those accounts later.

Small business benefits: Finally, the third category covers, per the outline, Spurring New Business Innovation.

According to the Ways and Means leadership, the United States is falling behind when it comes to entrepreneurship. One way that Tax Reform 2.0 proposes to help encourage new businesses is to allow them to write off more of their initial start-up costs.

Just how much more is not specified. Neither are other proposals that the outline says would "remove barriers to growth."

Passage problems: While the House might be able to pass some tax bills before voters go to the polls on Nov. 6, such action is unlikely in the Senate.

That's why the Ways and Means' new tax proposals will be introduced as three separate bills, based on the areas highlighted in the outline: making temporary provisions permanent, bolstering savings and fostering innovation.

This legislative strategy will give the Senate, where the slim GOP majority will need Democratic help to get the 60 votes needed for passage, more flexibility in deciding which of the measures, if any, to consider.

Of course, Senate Majority Leader Mitch McConnell (R-Kentucky) could call a vote for political reasons. Dems voting against tax cuts would be a nice addition to last-minute campaign ads in hotly contested state and House district races.

But some Republicans in both the House and Senate also might balk at the added costs of Tax Reform 2.0. The provisions that would make the now-temporary tax cuts permanent are estimated to be around $600 billion.

Costs be damned: Then there are those who think that 2.0 doesn't go far enough.

GOP lawmakers already have started kicking around possibilities like repealing the TCJA's tax on private college endowments, tweaking the tax treatment small businesses passthrough companies (we're still waiting on Internal Revenue Service regulations for these) and indexing for capital gains.

And, of course, if any Democrats get to make suggestions, there's the wish by California, New York and New Jersey lawmakers to reinstate full state and local tax (SALT) deduction.

Brady is urging patience, at least among his fellow Republicans.

"We're going to consider those [GOP] ideas and they certainly haven't been excluded from 2.0," he said. The matter is timing.

That means, depending on the midterm results, there could be Tax Reform 3.0 or 4.0 or even 5.0.

Technical corrections, too: Also, some concerns about the new tax laws should be addressed in a technical corrections package.

Here, lawmakers make changes to the original bill to clear up areas, for example, where the text of the law doesn't reflect lawmakers' intentions. The rush to get the TCJA on the books before the end of 2015 created many such situations.

House Speaker Paul Ryan (R-Wisconsin) has said that technical corrections would come to the House floor during the post-election lame-duck session.

The reason for the delay in clearing up these confusing tax areas, said Ryan, is because Democrats are unlikely to support the corrections before the midterms. Again, that 60 vote margin will be needed in the Senate.

Flashback to the Affordable Care Act passage, where it was created and enacted without any Republican support. Democrats admitted back then that Obamacare, as it was quickly dubbed, needed some follow-up legislative work. However, Republicans refused to go along with any necessary changes, leading to many of the issues we currently face in connection with the health care law.

Rather than learn from mistakes, it looks like extreme political polarization will again rule.

And that again means, we'll have to see what happens on Nov. 6 to get an idea of how easy or difficult and Tax Reform 2.0 and technical corrections to the original will be.

 

 

 

 

 

Unlock the Hidden Benefits of Lease Accounting Rules

(CFO) By Bill Maloney, July 23, 2018 – Yes, complying with the new lease accounting standard presents a compliance burden. But the effort may well lead to operational and cost improvements.

Everyone in the accounting and finance world is inundated with information about the new lease guidance, from its effective date and primary financial statement impacts to the inherent complexities and best practices for a successful adoption.

This flow of information confirms that, yes, the impact of the new guidance is in large part a gross-up of the balance sheet aimed at improving comparability among companies and more accurately reflecting a company’s financial position.

Yes, ensuring a complete population of leases, including embedded leases, and abstracting pertinent data from those leases requires a concerted organizational effort. And yes, companies will most likely need to implement new processes and invest in lease accounting software.

However, with all that has been written and discussed about the new lease accounting standard, is it possible that the most important and beneficial aspects of implementation have yet to be unearthed? Can companies unlock certain operational benefits, thereby reducing costs and increasing the bottom line, as part of adopting this new guidance?

In a word: Absolutely.

If the implementation is approached strategically and thoughtfully, the inevitable byproduct is a centralized and efficient lease management structure that yields significant benefits to companies in providing greater data visibility, more robust governance, and increased resource optimization.

Faster, Better Decision Making

In an area as critical as procurement of capital assets, centralizing lease management will increase a company’s ability to analyze its lease spending by making all of the lease data visible and in one place.

A centralized system will not only house the payments, terms, vendors, and locations of lease spend. It also will provide data on key procurement decisions such as how often leases evergreen, which vendors are used for similar assets, and the types of end-of-term options commonly negotiated.

Consider a company with numerous locations that leases hundreds of copiers from multiple vendors. With a centralized view of lease data, this company would be able to see how often and what terms are negotiated for each copier and realize cost savings by consolidating vendors and terms for all copiers.

Additionally, increased data visibility improves the accuracy and efficiency of financial reporting using automated calculations and workflow. That enhances the ability to rely on lease data for disclosure and reporting and reduces reporting risk for potentially material obligations.

Increased Control over Spending

As companies grow, managing operations spending is a crucial concern — but gaining a full picture of lease spending is often more difficult. By creating a global inventory of lease assets, financial executives will be able to see the breadth of a company’s leasing program and where leasing decisions are not appropriately managed.

In many companies, equipment leases may be negotiated at the local level without complete visibility of similar leases and their respective performance. The centralized lease management required to maintain the data for the new lease standard can determine where current spending limits are not observed, which will ultimately improve a company’s ability to enforce the appropriate procurement policies.

Improved Cost Management

The impacts of negotiating a bad lease can be significant and long-lasting. That’s why access to relevant and insightful information, when faced with lease versus buy decisions, is important.

Most operations personnel are not privy to the company’s lease strategy or current lease data and therefore make decisions based on the operational needs of the business without considering the best financial decisions.

Moving from decentralized lease management to centralized lease data and management will give companies the power to negotiate lease terms that are globally optimal instead of locally suboptimal.

For instance, a regional warehouse manager who wants to procure additional warehousing space quickly does not have to make financially suboptimal decisions. Keeping her operational needs in mind, she can leverage company lease data to get a competitive rate and negotiate a better lease with an existing real estate vendor, thus enabling her to optimize the decision both operationally and financially.

As a secondary impact, the same lease data could also be leveraged to negotiate and utilize vendor managed inventory options. Easy access to better lease information leads to globally optimal leasing decisions.

Lease Accounting the “Right Way”

Companies that implement the standard with the long-term view toward improving processes and identifying efficiencies must embrace three critical factors to successfully realize these ongoing operating and cost-saving benefits.

Cross-team collaboration: Colleagues from various functions such as accounting, procurement, real estate and IT, who normally have little to no interaction, must work together to identify leases and find long-term process solutions to yield efficiencies for future lease management.

Business process changes: Reporting requirements of the new standard demand a new level of rigor. To remain compliant, companies must optimize their processes around entering, managing, and tracking leases. Processes should be redesigned to capture and track key lease data for companies to maximize technology investments and realize benefits beyond financial reporting.

Furthermore, improved lease-spend analysis and procurement capabilities should be inherent in accurately tracking the data required under the new standard.

Technology system investments: Investments in lease accounting software will centralize data for optimal viewing, reporting, and analyzing lease spend information. A proper system implementation is key to the continued utility of lease management tools, including careful consideration of how lease accounting output will interface with the general ledger, how lease payments will be reconciled to accounts payable, and how lease expenses will be allocated across departments.

Implementing the lease guidance is undoubtedly challenging and complex, requiring significant investments of time and resources. However, approaching the project with a view toward long-term benefits will let companies better manage their lease spend and realize benefits beyond financial reporting.