Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax-season phishing scam, which is designed to steal employees’ tax-related information and Social Security numbers. Given the regular frequency of these attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”). At a minimum, Human Resources should have written policies in place governing the handling of employee PII and should provide training designed to protect employee PII against a data breach. Because Human Resources works with employee PII every day, it may be the department best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax-related information to commit identity theft and tax fraud. The IRS reports that the scam involves a spoofed email made to appear as if it comes from one of the organization’s executives. The email is sent to an employee in the Human Resources or Payroll department and requests a list of employees and their Forms W-2. The IRS reports that the phony email may also request employees’ names and Social Security numbers together with their addresses and dates of birth. Because the email is disguised to look as if it came from an internal address, an HR or Payroll employee who replies with the requested information is in fact sending it out of the organization to a cybercriminal. The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventive steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that employees’ confidential tax-related information be sent by email only when there is 100% confidence that the intended recipient is within the organization and actually requested the information. Indeed, the IRS advises employers to consider adopting written policies that govern the electronic distribution of confidential employee Forms W-2 and tax-related information. One simple protective measure is to require a phone call confirmation, placed to a number already on file rather than one supplied in the email, before hitting the send button. As a general matter, employers should have comprehensive written policies and procedures in place that govern the electronic sending, receiving, and storage of confidential personnel-related PII, and should provide workforce training to protect against data breaches and fraudulent schemes. In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider encrypting personnel-related PII whenever it is sent by email. The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here, since a well-thought-out strategy is the best defense.
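The indicators the IRS alert describes (an executive’s display name on an address that is not the executive’s, a sender domain that only resembles the organization’s, and a request for W-2 or Social Security data) can be checked mechanically before anyone replies. The following Python script is an added example written for this post, not code from the IRS or from the firm; the organization domain `example.com`, the executive roster, the header names and both sample messages are constructed assumptions for illustration. It parses a raw message with the standard library `email` package and returns a list of reasons the message looks like a W-2 phishing attempt.

```python
"""Flag W-2 phishing indicators in a raw RFC 822 message (constructed sample data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's mail domain and a roster
# mapping executive display names to the address each executive really uses.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases matching the data the IRS alert says the scam asks for.
PII_REQUEST_PATTERNS = [r"\bw-?2s?\b", r"social security", r"\bssn\b", r"dates? of birth"]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """Concatenate the text/plain parts of a message (walk() yields the message itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw):
    """Return the list of phishing indicators found; an empty list means none were found."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: an executive's name on an address that is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(f"display name '{from_name}' impersonates {real_addr} from {from_addr}")

    # 2. Sender domain is external or a lookalike of the organization's domain.
    if from_domain and from_domain != ORG_DOMAIN:
        findings.append(f"sender domain {from_domain} is not {ORG_DOMAIN}")

    # 3. Reply-To differs from From: the reply (and any W-2 attachment) leaves the organization.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} redirects replies away from {from_domain}")

    # 4. The receiving gateway recorded an SPF or DMARC failure for the message.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("Authentication-Results reports SPF/DMARC failure")

    # 5. The body asks for the data the scam is after.
    body = _text_body(msg).lower()
    if any(re.search(p, body) for p in PII_REQUEST_PATTERNS):
        findings.append("body requests W-2 / SSN / date-of-birth data")
    return findings


# Constructed sample: spoofed display name, lookalike domain, external Reply-To, failed SPF.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-exec-office.net
To: payroll@example.com
Subject: W-2 request
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Kindly send me the list of all employees and their W-2s as PDF for review.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Can we move the staff lunch to Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_message(raw))
```

A hit on any of the first four checks is reason enough to stop and verify by phone using a number already on file; the body check alone only says the message is about the data the scam targets, which a legitimate internal request would also be. The script does not replace an SPF/DKIM/DMARC policy at the mail gateway; it shows what such a gateway, or a mailbox rule for the Payroll inbox, would need to look at.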

Robert Hudock, a Member of the Firm in the Health Care and Life Sciences practice at Epstein Becker Green, was quoted in an article titled “10 Steps for Thwarting EHR Hackers.”

Following is an excerpt:

It’s bad enough that the number of security breaches of patient protected health information appears to be skyrocketing. But it feels downright creepy when the breach is at the hands of a hacker, as was the recent attack by Eastern European hackers that breached almost 800,000 Medicaid recipients in Utah.

And while a lot of hackers are attacking EHRs to steal the information within them for personal gain, many of them do it just for the fun of it, attorney Robert Hudock, with Epstein Becker Green in Washington, D.C., said in an exclusive interview with FierceEMR. “It’s very easy to scan for vulnerability and execute an exploit. People are curious,” he said.

Read the article on FierceEMR

On April 5, 2012, President Obama signed into law the Jumpstart Our Business Startups Act, or JOBS Act. In light of the sharp decline in the number of companies entering the U.S. capital markets through IPOs over the previous ten years, Congress recognized a need for this legislation, since small companies are critical to economic growth and job creation. To promote growth and assist small companies in gaining access to capital, the JOBS Act amends the securities laws in several ways, including the following:

(i) Establishes a new category of issuers known as “Emerging Growth Companies” (EGCs): issuers with total annual gross revenues of less than $1 billion whose first registered sale of common equity occurred after December 8, 2011. EGCs are exempt from certain regulatory requirements until the earliest of (a) five years from the date of their IPO, (b) the date they reach $1 billion in annual gross revenue, or (c) the date they become a large accelerated filer (i.e., a company with a worldwide public float of $700 million or more);

(ii) While EGCs must comply with SEC-mandated quarterly and annual disclosures, they are exempt from the Section 404(b) Sarbanes-Oxley requirement for an auditor attestation of management’s assessment of internal controls, for a transition period of up to five years. EGC management must still establish and maintain internal controls over financial reporting, and the CEO and CFO must still certify the company’s financial statements;

(iii) Allows EGCs to provide audited financial statements for the two years prior to registration rather than three. Within a year of an IPO, the EGC would report three years’ worth of financial statements;

(iv) Provides exceptions to rules on mandatory audit firm rotation;

(v) Exempts EGCs from certain Dodd-Frank requirements such as say-on-pay votes and disclosure of the ratio of median employee compensation to CEO compensation. EGCs must still comply with corporate governance and listing requirements, including board member independence rules;

(vi) Provides for more communication and information flow to investors, and special provisions allowing draft registration statements to be submitted for non-public review. On April 10, 2012, the SEC Division of Corporation Finance issued FAQs addressing questions relating to the confidential submission of registration statements;

(vii) Provides special exemptions in connection with solicitation and advertising to accredited investors;

(viii) Establishes new thresholds for registration; and

(ix) Sets forth special rules for a “Crowdfunding” exemption (the Capital Raising Online While Deterring Fraud and Unethical Non-Disclosure, or CROWDFUND, provisions). This allows aggregate sales to all investors of up to $1 million through web-based platforms, with each investor limited to the greater of $2,000 or 5% of that investor’s annual income or net worth, subject to additional requirements.

Start-ups and emerging growth companies should take the time to explore the JOBS Act and the related guidance being issued. The new law may remove a particular hurdle previously faced, allowing certain companies to move forward and grow.