By Jaye A. Calhoun, Jason R. Brown, and William J. Kolarik, II

In Smith v. Robinson, La. S. Ct., Dkt. No. 2018-CA-0728 (Dec. 5, 2018), the Louisiana Supreme Court held that the Texas franchise tax (also known as the “Texas margins tax”) was an income tax for purposes of Louisiana’s credit for tax paid to another state and held that a 2015 law that limited the credit was unconstitutional because it impermissibly discriminated against interstate commerce.  In Smith, the Louisiana Supreme Court struck down Act 109 of the 2015 Regular Legislative Session, which amended La. Rev. Stat. Ann. 47:33 (the “Credit Statute”).  Louisiana law taxes residents on income earned both within and without Louisiana but, prior to revision, the Credit Statute allowed a credit against Louisiana tax for “net income tax” paid to another state.  The credit prevented Louisiana taxpayers from being subject to income tax more than once on the same income.  The relevant portions of Act 109 limited the credit in two ways.  First, Act 109 provided that the credit was only available against taxes paid to another state if the other state offered a reciprocal credit to the state’s own residents transacting business in Louisiana.  Second, Act 109 capped the credit so that it could not exceed Louisiana income taxes paid.  The invalidation of Act 109 may present a refund opportunity for certain Louisiana resident individuals that either (1) had their credit limited by the cap in Act 109; or (2) paid Louisiana income tax on revenue from a flow-through entity that was subject to the Texas margins tax.

In Smith, the taxpayers were Louisiana residents who owned interests in several flow-through entities, specifically, limited liability companies and subchapter S corporations, with operations in Texas, Arkansas, and Louisiana.  The entities were subject to the Texas margins tax.  The taxpayers paid Louisiana individual income tax on the portion of each entity’s income that was subject to tax in Texas under protest and filed a lawsuit against the Louisiana Department of Revenue (the “Department”) seeking recovery of the tax.

In district court, the taxpayer filed a motion for summary judgment and asserted that Act 109 was unconstitutional because the Texas margins tax was a tax on income and, absent Act 109, the taxpayer would be entitled to a credit for the amount of Texas margins tax paid.  The taxpayer also asserted that Act 109 violated the dormant Commerce Clause because it resulted in a double tax on interstate income but not intrastate income.  The Department opposed the taxpayer’s motion for summary judgment, arguing that the Texas margins tax was not a tax on income because it contained both a net income component and a net capital component, which are not divisible.  The Department denied that Act 109 burdened interstate commerce because it was within the state’s power to regulate state income tax.  The district court granted the taxpayer’s motion of summary judgment and concluded that Louisiana First Circuit Court of Appeals decision in Perez[1], which held that the old Texas franchise tax was an income tax under Louisiana law, was dispositive of the income tax issue, and that the U.S. Supreme Court’s decision in Wynn[2] was dispositive of the constitutional issue.  The Department appealed to the Louisiana Supreme Court.

The Court first considered whether the Texas franchise tax was a net income tax within the meaning of the Credit Statute and held that it was, relying in part on the reasoning in Perez.  The Court also noted that the Department of Revenue had acquiesced in the Perez decision (LDR Statement of Acquiescence No. 03-001, Sep. 10, 2003) and had not revoked nor modified its acquiescence despite the 2006 revisions to the Texas franchise tax law.  In so holding, the Court also concluded that the calculation of taxable margin was essentially an income tax.

With respect to the dormant Commence Clause, the Court also agreed with the trial court that Act 109 violates the Dormant Commerce Clause, specifically, the fair apportionment and discrimination prongs of Complete Auto.[3]  The Court held that Act 109 violated the external consistency test developed to analyze fair apportionment because Act 109 operates to ignore where a taxpayer’s income is generated and does not take into account whether the income has a relationship to the state.  The Court agreed with the taxpayers that Act 109 failed to apportion out-of-state income.  The Court also held that Act 109 discriminated against interstate commerce because it exposes one hundred percent of the interstate income of Louisiana residents to double taxation and because the cap on the credit caused a portion of the taxpayer’s out-of-state income to be subject to double taxation.

Implications

Any Louisiana resident individual that was previously subject to the limitations on the credit for taxes paid to other states should consider filing a refund claim.  In addition, any Louisiana resident individual doing business in Texas through a flow-through entity that paid Texas margins tax should review their returns and consider whether a refund claim is warranted.

While the case is not yet final, the recent decision in Bannister Properties[4], may limit the taxpayer’s ability to file a refund claim if a court concludes that the Department’s interpretation of the Texas margins tax was a mistake of law arising from the misinterpretation by the Department.  In that instance, it is possible that the Louisiana First Circuit Court of Appeals decision in Bannister Properties could limit the taxpayer’s ability to pursue the refund claim.

The issue in Bannister Properties was whether a taxpayer could file in the Board of Tax Appeals (“BTA”) for review of the Department’s denial of a refund claim arising from a mistake of law by the Department.   In Bannister Properties, the taxpayer filed a refund claim and a claim against the state for franchise taxes that were not paid under protest.  The taxpayer and the Department reached a settlement on the claim against the state but the legislature refused to appropriate the funds to pay the refund, so the taxpayer attempted to force the Department to pay the refund through the refund claim.  The refunds at issue were attributable to the invalidation of the Department’s regulation in UTELCOM.[5]  La. R.S. 47:1621(f) (the “Refund Statute”) appears to create a bar to a refund related to a mistake of law by the Department unless the taxpayer paid the tax under protest and filed suit to recover, or by appeal to the BTA in instances where such appeals lie.  According to Bannister Properties the phrase “appeal to the BTA in instances where such appeals lie” is limited to claims against the state and does not apply to appeals related to the denial of refund claims.  Bannister Properties will likely be appealed to the Louisiana Supreme Court because it has the potential to severely limit a taxpayer’s ability to obtain a refund for the overpayment of taxes caused by a mistake of law on the part of the Department.

While the scope of Bannister Properties is not yet clear and it is likely the decision will be appealed, the Department has indicated that it will not issue a refund claim related to the Smith case if the amount was not paid under protest.  Therefore, a taxpayer filing a new refund claim for a tax that was not paid under protest, should consider filing a protective claim against the state in the Louisiana Board of Tax Appeals in addition to a refund claim.  If successful, a claim against the state may only be paid by legislative appropriation.

For additional information, please contact: Jaye A. Calhoun at (504) 293-5936, Jason R. Brown at (225) 389-3733, or Willie Kolarik at (225) 382-3441.

*****************************************************************

[1] Perez v. Secretary of Louisiana Department of Revenue, 731 So.2d 406 (La. App. 1st Cir. March 8, 1999).

[2] Comptroller of Treasury of Maryland v. Wynn, 135 S.Ct. 1787 (2015).

[3] Complete Auto Transit v. Brady, 430 U.S. 274 (1977).

[4] Bannister Properties, Inc. v. State of Louisiana, Dkt. No. 2018 CA 0030 (La. Ct. App., 1st Cir., Nov. 2, 2018).

[5] UTELCOM, Inc. v. Bridges, La. Ct. App., 1st Cir., 77 So 3d 39 (2011) (Which held that La. Admin. Code 61:I.301(D) was invalid because it was promulgated based on a mistake of law due to the Department’s misinterpretation of the corporation franchise tax law.)

By Amanda Howard Lowe

In a decision of first impression interpreting the meaning of “operating” under the Oil Pollution Act of 1990 (“OPA,” 33 U.S.C. §§2701 et seq.), the U.S. Fifth Circuit held the owner and operator of a tugboat liable as the “responsible party” for a spill emanating from a tank barge in its tow, and consequently found the owner ineligible for reimbursement for the cleanup costs. See U.S. v. Nature’s Way Marine, LLC, 904 F.3d 416 (5th Cir. 2018).

The underlying incident occurred in January 2013 when a tug owned by Nature’s Way was moving two oil carrying tank barges owned by Third Coast Towing, LLC (“TCT”), down the Mississippi River. The barges allided with a bridge over the Mississippi River, resulting in a release of over 7,000 gallons of oil into the river. The Coast Guard designated both Nature’s Way and TCT as “responsible parties” under OPA §2702(a). Nature’s Way and its insurers spent nearly $3 million in clean-up costs and the federal government incurred another $792,000.

Following settlement of auxiliary disputes between Nature’s Way and TCT, in May 2015, Nature’s Way submitted a claim to the National Pollution Funds Center (“NPFC”)[1] seeking reimbursement of over $2.13 million it spent in clean-up on the grounds that its liability (if any) should be limited to the tonnage of the tug alone, and not the tonnage of the barges. OPA limits liability of a “responsible party” based on tonnage of the vessel it was operating. While Nature’s Way admitted it operated the tugboat, it contested its status as operator of the oil-discharging barge. The NPFC rejected the request to decrease the limit of liability, concluding instead that Nature’s Way was the “operator” of the barges under §2702(a) and thus both barges were properly included in the limitation assessment.

In light of the NPFC dispute, the United States sued Nature’s Way and TCT in the Southern District of Mississippi to recover the $792,000 in cleanup costs directly funded by the federal government. Nature’s Way denied liability, and counterclaimed against the government asserting that the NPFC’s “operator” determination was wrong and violated the Administrative Procedure Act (“APA”) by erroneously applying §2702(a).

The U.S. moved for partial summary judgment on the sole question of whether the NPFC violated the APA by declaring that Nature’s Way was the “operator” of the barge. In opposition, Nature’s Way argued that TCT was actually the “operator” of the barge as it was responsible for instructing when the barge would be loaded, unloaded, and moved.  The district court disagreed with Nature’s Way, holding that a “common sense” interpretation of “operator” as used in the statute supports the conclusion that a “dominant mind” tug moving “dumb” barges (lacking the ability for self-propulsion or navigation) through the water is “operating” those barges. Nature’s Way appealed.

The Court focused on the express language of the statute, which defines an “operator” as “any person … operating” a vessel and a “responsible party” as “any person owing, operating, or demise chartering the vessel.” Though both terms use the word “operating,” the Fifth Circuit noted that “operating” is not defined within the statute. The Fifth Circuit also relied on Supreme Court jurisprudence construing the definition of “operator” in the Comprehensive Environmental Response Compensation and Liability Act of 1980 (“CERCLA”) as any person “who directs the workings of, manages, or conducts the affairs of” the facility/equipment in question.” U.S. v. Bestfoods, 524 U.S. 51, 66 (1998). Given that OPA and CERCLA have common purposes and a shared history, the Court found the parallel language between the statutes significant. The Fifth Circuit concluded that the ordinary and natural meaning of “operating” a vessel under OPA would thereby include the act of piloting or moving a “dumb” vessel like the TCT tank barges. The Court held that because “Nature’s Way had exclusive navigational control over the barge at the time of the collision, and, as such… was a party whose direction (or lack thereof) caused the barge to collide with the bridge,” Nature’s Way was the “operator” of the barges under OPA.

Significantly, the Fifth Circuit has now recognized the potential increased liability for negligent vessel operators who cause spills subject to OPA, as the Court has very plainly held that a tug pushing loaded “dumb” barges can only limit its liability to the full value of the entire flotilla. With the potential for increased exposure, this decision will obviously impact vessel operators and the oil and gas industry, as well as their respective insurers. Additionally, the ruling does not appear to foreclose the argument that the barge owner might also be considered an operator under OPA 90, if its actions also rise to the level of “operating.”

*******************************************

[1] The National Pollution Funds Center oversees the Oil Spill Liability Trust Fund, 26 U.S.C.§9509, an OPA-created mechanism, funded by inter alia OPA civil penalties, from which faultless or partially at-fault “responsible parties” can recoup, to the extent of their non-fault, clean-up costs paid out pursuant to their strict OPA liability, see 33 U.S.C. §2708(a), 26 U.S.C. §9509)

By Tod J. Everage

The modern day contract is a direct result of trial and error. Generally speaking, transactional lawyers try to negotiate “bulletproof” contracts providing exactly what their client wants or needs. Despite their best efforts, litigators in later disputes try their level best to find the “errors” in those contracts that could benefit their client. Then the pattern repeats. Take Seismic Wells, LLC v. Sinclair Oil and Gas Co., 2018 WL 43377234 (5th Cir. 9/13/2018), for example. In that dispute, the parties had included a “prevailing party” fee provision in their Joint Operating Agreement (JOA): “In the event any party is required to bring legal proceedings to enforce any financial obligation of a party hereunder, the prevailing party in such action shall be entitled to recover … a reasonable attorneys’ fees.” At first blush, this provision appears fairly standard and innocuous. But, with over $1 million at stake in attorneys’ fees, the meaning of every word in that provision is fair game.

The facts leading up to the dispute aren’t relevant here, other than Seismic sued Sinclair under various agreements when it was concerned that Sinclair would not be holding up their end of the bargain. Seismic’s amended complaint included 17 counts, including claims of fraud, breach of contract, conspiracy, tortious interference, defamation/libel, and business disparagement. At the end of Seismic’s case at trial, the court granted Sinclair’s motion for judgment as a matter of law. Sinclair then moved for over $1 million in attorneys’ fees incurred in defending itself, citing specifically to the prevailing party provision in the JOA. The district court denied the motion for three reasons: (1) failure to properly plead under RFCP 9(g) (failure to plead special damages); (2) the provision did not apply because Seismic’s suit was not a legal proceeding brought to enforce a “financial obligation under the JOA”; and (3) Sinclair did not adequately segregate its fee to isolate the work performed defending fee-eligible claims. The Fifth Circuit only addressed the second issue.

The Fifth Circuit agreed that Sinclair was obviously the “prevailing party,” a decision the Court had previously affirmed. The operative question though was whether Sinclair was the prevailing party in a lawsuit “to enforce any financial obligation of a party” under the JOA. The first issue was one of context. How was the dispute brought? The prevailing party provision applies when a party brings a legal proceeding to enforce a financial obligation. The Court noted that many of the claims Seismic brought against Sinclair alleged fraud that induced Seismic to sign the contracts; those claims sought to void the contracts, not enforce them. In other words, those claims sought to render the contract unenforceable and therefore would not satisfy the fee provision.

Two other claims though asserted breach of contract allegations; however, only one of those claims was grounded in the JOA, so the Court focused in there. Count 12 provided that Sinclair breached the JOA by refusing to assign Seismic a leaky well or operate that well on its terms. So, it appeared that this provision did seek to enforce the JOA. But, that was not enough because the legal proceeding must be brought to enforce a financial obligation under the JOA. The Fifth Circuit noted that “financial obligation” is synonymous with “monetary obligation,” and was not persuaded that Seismic’s claim seeking monetary damages made this claim a financial one. Rather, this claim was to turn over a leaky well, which the Court held was not a financial obligation. As such, the prevailing party fee provision was not triggered.

Seismic filed this lawsuit, lost, then got away without having to pay for Sinclair’s attorneys’ fees under a provision that Seismic probably would have sought to enforce itself if it had won at trial. Without knowing anything about the negotiations, including the term “financial obligation” in the JOA’s prevailing party provision narrowed the remedies available to either party in this dispute. Using the term “enforce” arguably did as well given Seismic’s attempts to invalidate the contract. Whereas, had the parties used the more boilerplate language awarding attorneys’ fees to the prevailing party in any legal proceeding brought by “any party arising under this Agreement,” Sinclair may have recovered. Well, assuming that was their original intent.

This case presents a good example of the interplay between the words used in the contract, and the words used in the complaint filed to enforce/or invalidate that same contract. Both transactional lawyers and litigators should take note.

By R. Lee Vail, P.E., Ph.D.

On December 3, 2018, the EPA published a final rule in the Federal Register (83 FR 62268) making the 2017 amendments effected as of that day.  In doing so, the EPA noted that it had no discretion in the matter as the U.S. Court of Appeals for the District of Columbia Circuit Court issued its decision vacating the 2017 Delay Rule and later issued its mandate which made the RMP Amendments now effective.  EPA further saw no good cause to open rulemaking to accept comments or delay effectiveness for another 30 days.

Many of the requirements in the amended rule contained future compliance dates (beyond 2018) and therefore this action has no effect on them.  However several requirements are now effective including:

  • Tri-annual audits cover each process units;
  • Supervisor training requirements;
  • Emergency response coordination requirements;
  • Incident investigation report and scope (i.e., near miss) revisions other than “root cause analysis provisions in §§68.60(d)(7) and 68.81(d)(7) which go into effect in 2021; and
  • Emergency Response Plan updates where appropriate.

Whereas the proposed Reconsideration Rule could roll all this back, these provisions are now in effect.

By Jessica C. Engler

Canada’s new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), became effective on November 1, 2018. The Office of the Privacy Commissioner of Canada released new guidance providing explanations of the breach reporting requirements for private-sector businesses that operate in Canada or do business with Canadian customers. The new requirements of this law, particularly the breach notification requirements, should be on the radar of any United States-based businesses that also do business in Canada.

Under PIPEDA, organizations must report security incidents to the Privacy Commission of Canada if an incident carries “a real risk of significant harm” to consumers.[1] Regardless of the size of the breach or number of affected persons, the breach must be reported if the business determines that there is a real risk of significant harm resulting from the breach. The guidance provided by the Privacy Commissioner clarifies that the organization that controls the data is the organization required to report and notify individuals of a breach. Even when an organization has transferred the data to a third party processor, the organization is still responsible for reporting and notification.

Naturally, a standard such as “real risk of significant harm” is a standard that is open to some level of subjectivity and interpretation; however, the Privacy Commissioner has offered guidance to assist businesses in their review. Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage or loss of property.” Factors to be considered in determining whether the breach creates a real risk of significant harm include: (1) the sensitivity of the personal information involved in the breach; and (2) the probability the personal information has been/is/will be misused. “Sensitivity” is not defined by PIPED, but the concept is discussed in Principle 4.3.4 and provides some general considerations:

Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Notification must be given “as soon as feasible” after the organization has determined a breach occurred. The notification must be conspicuous, understandable, given directly to the individual, and include several pieces of information including:

  • A description of the breach circumstance and, if known, its cause
  • The day or time period when the breach occurred
  • A description of the personal information subject to the breach
  • A description of the organization’s risk mitigation measures
  • A point of contact
  • The number of individuals affected
  • A description of how the organization will notify individuals

Organizations are required to maintain records of each data breach for at least 24 months after the date on which the breach was discovered. The records must contain sufficient information to allow the Office of the Privacy Commissioner to confirm that the organization has complied with the law.

The new law, which has been in the works for quite some time, includes extensive requirements and regulations in the event of a breach. In the event that a business determines that the sensitive information of a Canadian customer has been breached, the business would be well advised to consult with an attorney knowledgeable about PIPEDA and Canada’s data security laws.

***********************************************

[1] “What you need to know about the mandatory reporting of breaches of security safeguards”, Office of the Privacy Commissioner of Canada (available at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/#_Part_1).

By Sarah W. Anderson

On November 1, 2018, Senator Ron Wyden, a democrat from the state of Oregon, introduced a bill that attempts to create a stronger consumer privacy act.[1] The draft legislation, referred to as the Consumer Data Protection Act, SIL18B29 (the “Bill”), amends and increases the powers of the Federal Trade Commission (“FTC”).[2]

According to Senator Wyden’s webpage, he drafted the Bill due to “[t]he explosive growth in the collection and sale of consumer information enabled by new technology poses unprecedented risks for Americans’ privacy,” which he believes the Federal Government continually fails to address. [3]  Therefore, Senator Wyden’s Bill both imposes greater security protection standards and sharpens the FTC’s teeth in terms of enforcement.

The Bill permits the FTC, as the “nation’s main privacy and data security regulator” to fine and yes, even jail, American executives for failure to protect consumer information. Specifically, the Bill proposes the following powers and tools for the FTC, which Senator Wyden hopes will give Americans greater privacy and control over their own personal data:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.”[4]

Additionally, businesses with annual revenue exceeding $1 billion, which also store data of more than 50 million consumers, will have to submit an annual data protection report to the FTC detailing its compliance with relevant security regulations. What’s more, in proposed §1352(b), entitled “Failure of Corporate Officers to Certify Data Protection Reports,” Chief Executive Officers, Chief Information Security Officers, and Chief Privacy Officers may be jailed for failure to certify and file annual reports to the FTC that document company efforts to comply with the Bill.

An executive’s first offense of this section will result in a fine “not more than the greater of $1,000,000.00 or 5 percent of the largest amount of annual compensation the person received during the previous 3-year period…imprison[ment] not more than 10 years, or both[.]” The same section prescribes that “intentional[ly]” certifying false statements for annual reports will result in a fine of “not more than the greater of $5,000,000.00 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period” or imprisonment “not more than 20 years, or both[.]”[5]

If passed, the Bill would represent a massive overhaul and increase in the FTC’s powers and available punishments. Generally, the FTC currently only has privacy protection powers under theories of “unfair trade practices.”

*****************************************************

[1] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[2] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

[3] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[4] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-one-pager

[5] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

By Sarah W. Anderson

While an ocean away, supermarket Morrisons’ loss in the United Kingdom’s appellate court should act as a warning to all United States-based and international companies. On October 22, 2018, Morrisons lost its recent appeal in a landmark high-court ruling, being held vicariously liable for a former employee, Andrew Skelton’s intentional actions that lead to the leak of more than 100,000 of its employees’ personal information. This decision came down despite Morrisons’ demonstration that it had lawfully discharged its obligations under the United Kingdom’s Data Protection Act of 1998. In July 2015, Skelton was sentenced to eight years in prison.

This decision represents the United Kingdom’s warning that organizations have a significant duty to protect the personal data of their customers and employees that is beyond the applicable data breach protection rules issued by varying countries. And with 5,558 members of the Class Action, it is expected that Morrisons will face a hefty compensation ruling. According to Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the class, “Large corporations take responsibility when things go wrong in their own business and cause harm to innocent victims.   It is important to remember that data protection is not solely about protecting information – it is about protecting people.”  A spokesperson for Morrisons publicly stated that they will now appeal this decision to the Supreme Court.

Going forward, compliance officers for various corporations should anticipate legal responsibility for any type of data breach under the legal theory of vicarious liability if the Morrisons decision crosses the Atlantic. This is yet another signal of the importance to improve security protocols for company data, as well as additional screening for employees entrusted with that data.

Indeed, on October 26, 2018, the Middle District of North Carolina approved a class-action settlement for a 2016 disclosure of personal identifying information of employees of HAECO Americas, Inc. (“HAECO”), after W-2 statements were leaked in response to a phishing scheme. See David Linnins, et al v. HAECO Americas, Inc., 2018 WL 5312193 (M.D.N.C., 2018). The class action plaintiffs “asserted claims for negligence, invasion of privacy, and violation of the North Carolina Unfair and Deceptive Trade Practices Act[,] which included an alleged violation of the North Carolina Identity Theft Protection Act.” Id. at *1. According to published details of the settlement agreement, HAECO agreed to the following terms:

  • Provide affected parties with 2 years of Experian Protect MyID Elite services;
  • Reimbursement of $350 for members of the class that previously purchased similar identity theft monitoring programs;
  •  Establish a claim fund in the amount of $312,500 to compensate class members for damages, expenses, and inconveniences they incurred; and
  • HAECO agreed to take data and cyber security steps, including mandatory cyber security training for all employees, for at least three years. Id. at *1-*2.

The Middle District of North Carolina further ordered that the Plaintiffs’ counsels’ request for $150,000.00 in additional attorneys’ fees was reasonable. Id. at *4.

By Angela W. Adolph

Opportunity Zones (“OZs”) were added to the US Tax Code by the 2017 Tax Cuts and Jobs Act (“TCJA”).  OZs are economically-distressed communities where new investments, under certain conditions, may be eligible for preferential tax treatment. Communities are nominated by the states and approved by the Treasury Department as designated OZs.

OZs are designed to spur economic development by providing tax benefits to investors. First, investors can defer tax on any prior gains invested in a Qualified Opportunity Fund (“QOF”) until the earlier of the date on which the investment in a QOF is sold or exchanged, or December 31, 2026.   If the QOF investment is held for longer than 5 years, there is a 10% exclusion of the deferred gain.  If held for more than 7 years, there is a 15% exclusion of the deferred gain.  Second, if investments in the QOF are held for at least ten years, investors are eligible for an increase in basis of the QOF investment equal to its fair market value on the date that the QOF investment is sold or exchanged.  Importantly, investors do not have to live in the OZs in order to take advantage of the benefits; they need only invest a recognized gain in a QOF and elect to defer the tax on that gain.

Last week, the Treasury Department released the first set of proposed regulations and a related revenue ruling for OZs.   The proposed regulations provide for the types of gains that may be deferred, the timing to invest such gains in QOFs, and the mechanism for selecting deferral of such gains. The proposed regulations also address self-certification of the QOF, valuation of QOF’s assets, and identification of OZ businesses.

Revenue Ruling 2018-29 addresses issues related to the qualification of an existing building and land in an OZ as OZ Business Property (“OZBP”).  OZBP is tangible property used in a trade or business of the QOF (1) that is purchased by the QOF after December 31, 2017; (2) the original use of which commences with the QOF or the QOF substantially improves the property; and (3) during the QOF’s holding period, substantially all of the use of such property is in the OZ.  OZBP is treated as substantially improved by the QOF if, during any 30-month period beginning after the date of acquisition, additions to basis exceed the adjusted basis of such property at the beginning of such 30-month period.

The Revenue Ruling notes that, given the permanence of land, land can never have its original use in an OZ commencing with a QOF.  The Ruling then holds that, regarding an existing building located on land that is wholly within an OZ, the original use of the building in the OZ is not considered to have commenced with the QOF, and the original use requirement is not applicable to the land on which the building is located.  Second, substantial improvement to the building is measured by the QOF’s additions to the adjusted basis of the building. Finally, measuring substantial improvement to the building does not require the QOF to separately substantially improve the land upon which the building is located.

The Treasury Department and IRS anticipate providing additional information, including additional legal guidance, on this new tax benefit over the next few months.

By Sarah Anderson

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released information on October 9, 2018 stating that for the first half of 2018, approximately 291 records were stolen or exposed every single second.[1]  Gemalto estimates that 945 data breaches led to the release of 4.5 billion data records being compromised worldwide, which increased approximately 133% in the last year.  These data breaches came from varying industries, with health care representing 27% of data breach incidents and the financial sector following with an estimated 14% of the data breach incidents.  Of all the data and records stolen, it is estimated that just 1% of this data was encrypted and only 9% of the security breaches were the result of an accidental loss.

This information comes as more than just a P.S.A. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses – large and small, global and local. Therefore, many forward thinking organizations are increasing their security systems and updating policies to mitigate potential legal claims for security breaches.

While the question of whether or not the fear of identity theft following a data breach is sufficient to constitute standing for a class action is largely undecided in the United States, the United Kingdom’s High Court already answered in the affirmative. More than 5000 current and former employees of Morrison’s, an online supermarket, are suing their former employer in a class action for damages related to a data leak that resulted in exposure to potential identity theft and financial losses. In 2014, a former Morrison’s employee leaked 100,000 names, addresses, bank account details and salaries of his co-workers online and sent it to a newspaper.[2] While Morrison’s spent more than 2 million pounds to mitigate the effects of and remedy the breach, the issue of monetary damages that it may owe its former employees remains outstanding.

The Morrison’s matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrison’s was vicariously liable for this criminal data breach by its former employee and allowed those affected by the data breach to claim compensation for distress. Morrison’s is presently appealing this ruling.[4]

No similar legal battle has yet played out so openly in the United States, as Target’s 2017 data breach resulted in a multi-million dollar settlement with the affected customers.  However, with the ongoing and ever increasing number of cyber threats and attacks on both private and public organizations, it is expected that victims of data breaches may become the next wave of class action plaintiffs.

If you have questions on how to protect your business and/or mitigate such claims in the future, please contact Sarah Anderson and Erin Kilgore.

____________________________________________

[1]https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598

 

By Scott Huffstetler

On May 12, 2016, the U.S. Occupational Safety and Health Administration (“OSHA”) published a rule that required a “reasonable procedure” for employees to report work-related injuries and illnesses and prohibited retaliation against employees who report such injuries or illnesses.  The regulations defined an unreasonable procedure as one that deterred or discouraged a reasonable employee from accurately reporting a workplace injury or illness.  Although no portion of the rule itself expressly prohibited post-accident drug and alcohol testing, commentary accompanying the rule stated drug testing policies should limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident and for which the drug test can accurately identify impairment caused by drug use.  Since then, there has been great uncertainty among employers as to when post-accident drug and alcohol testing policies and procedures could be applied.  Last week, on October 11, 2018, OSHA issued a memorandum clarifying that the Department’s position is that the May 2016 rule does not prohibit post-incident drug testing.  The memorandum stated that most instances of workplace drug testing are permissible under the rule and then listed the following as examples: (a) random drug testing; (b) drug testing unrelated to the reporting of a work-related injury or illness; (c) drug testing under a state workers’ compensation law; (d) drug testing under other federal law, such as a U.S. Department of Transportation rule; and (e) drug testing to evaluate the root cause of a workplace incident that harmed or could have harmed employees.  Of course, the memorandum included the caveat that the testing must include all employees whose conduct could have contributed to the incident, not just employees who reported injuries.  Assumedly, doing the latter could still subject the employer to retaliation.  To read the complete memorandum, click here.