Are You Sure You Want to Use Email?
Companies Rethink Policies About Deleting Messages in Wake of Sony Leaks
Workers remove a poster-banner for 'The Interview' from a billboard in Hollywood. Agence France-Presse/Getty Images
By Don Clark, Shira Ovide and Elizabeth Dwoskin
Devastating leaks from Sony Corp.'s computer systems have dramatized the risks of storing corporate email for extended periods. Some people in Silicon Valley wonder if it is time to rethink that practice.
Electronic mail, despite many attempts to replace it, remains a vital communications tool and an ad-hoc filing cabinet for employees at most companies. Retrieving important information and attachments by searching mail—which can be stored indefinitely—is simple and fast.
But as was highlighted in the Sony hack, this puts a single trove of both potentially embarrassing communication and critical company secrets within easy reach of cybercriminals.
Many long-established companies have for some time had email-deletion policies, but for a different reason: Complying with demands for stored communication in legal cases can be expensive.
These policies typically call for automatic deletion of emails after a set period, often after 90 or 120 days. But many companies—especially startups—have no retention policies.
Some experts view the startling success of attackers in breaching Sony's defenses and distributing sensitive emails—an incident that U.S. officials have linked to North Korea—as a powerful argument for prompt destruction of nonessential messages.
"My belief is the retention policy should be 30 days," said Steve Blank, a veteran Silicon Valley entrepreneur and academic. "I think the Sony-North Korea thing just kind of reinforces the fact."
There are signs that some companies are heeding such calls. Cloud Sherpas, an Atlanta-based firm that helps companies buy Gmail and other workplace technology from Google Inc. and others, said two customers have changed their email retention systems since the Sony hacking.
One of them, a big technology manufacturing firm on the West Coast, asked for a customized software process to purge email of specific users whenever the business deemed it necessary, said David Hoff, Cloud Sherpas' chief technology officer. The other customer, a midsize manufacturer, added a Google function to automatically delete emails after a year, with a shared "safe" folder in which employees could stow emails that they needed to keep longer.
Deleting messages isn't necessarily an absolute defense against theft, since storage systems frequently retain traces of data that can be retrieved under some circumstances.
A Sony spokesman didn't respond to questions about the company's data-retention policies or details about the breach.
Amid the uncertainty, some tech companies say they are reviewing their security precautions, in part because customers in government and other sectors are demanding to know their data will be safe.
"They have a lot more questions for us as we sell into those accounts," said Douglas Murray, chief executive of Big Switch Networks Inc., a Silicon Valley startup that is using a security firm to evaluate its safeguards. "People are concerned."
Executives at some startups say the very idea of regularly deleting emails is a foreign concept, and may be too drastic a solution.
"Destroying email that has become a repository for employees to go back and do research will be a significant culture change," said Justin Somaini, chief technology officer at Box Inc., which offers online data storage and related services. "A better approach than deleting email is the application of healthy security practices on the content itself."
Another familiar option is encrypting mails to make them unintelligible in the event they are stolen. Few companies encrypt all of their email, though, in part because many employees correspond with others outside their organizations who aren't using the technology.
Some startups, meanwhile, have been pushing alternatives to email that they believe improve collaboration. They include Slack Technologies Inc. and HipChat.
Matt Mullenweg, chief executive of the startup Automattic, said it mainly leans on tools such as Slack and hardly uses email anymore. But those services also generate data that could tempt attackers.
"Search is one of the big features of these tools, so deleting old stuff would be counterproductive," said Mr. Mullenweg, who said his company has no plans to start deleting emails.
Many startups also rely on services like Google's Gmail, rather than storing and managing email on their own servers as established companies tend to do.
President Barack Obama, in a news conference Friday, said the U.S. will respond to the hacking it traced to North Korea. Kevin Lamarque/Reuters
"We expect our email to stick around forever," said Jonathan Gray, chief executive of the big data startup Cask, which uses Gmail. "I think most would be best served thinking that way."
Mr. Gray said his company has strict policies around handling sensitive data from its enterprise customers, but had no internal policy governing how email data would be deleted.
John Schroeder, chief executive of big data startup MapR, said the company takes a similar stance. "We haven't implemented a deletion policy of any kind," he said, adding that the company has strict policies for handling customer data.
At the opposite extreme are companies like Intel Corp., which grappled with email retention issues in a private antitrust suit by rival Advanced Micro Devices Inc. that was settled in 2009.
Some Intel employees failed to take the proper measures to stop relevant emails from being destroyed by the company's auto-delete system.
Now the company automatically deletes emails after 90 days, unless employees individually take action to store them in folders, said Chuck Mulloy, an Intel spokesman.
These days, Silicon Valley companies seem more interested in reducing the risks with additional technology. Some entrepreneurs have advocated messaging systems, along the lines of the consumer service Snapchat, that are designed to delete messages soon after they are viewed.
Others believe that companies should develop technology that gives individuals or corporate owners of that data the ability to destroy it remotely if it falls into the wrong hands, though the feasibility of the approach remains unclear.
"The sender should have the right to delete the email," said Muddu Sudhakar, chief executive of Caspida, a Silicon Valley security startup. "These systems need to evolve to support that capability."
—Steven Rosenbush and Evelyn M. Rusli contributed to this article.
Write to Don Clark at don.clark@wsj.com, Shira Ovide at shira.ovide@wsj.com and Elizabeth Dwoskin at elizabeth.dwoskin@wsj.com
Whistleblowers Score a Big Payday
Three Individuals, One Firm to Receive $170 Million in Bank of America Probe
A Countrywide office in Arizona in 2007. Bank of America's 2008 purchase of Countrywide has led to a number of legal headaches for the bank. Agence France-Presse/Getty Images
By Christina Rexrode and Timothy W. Martin
There is a new winner in the biggest bank settlement to come out of the financial crisis: whistleblowers.
Four whistleblowers will collect a total of more than $170 million for helping investigators get a record $16.65 billion penalty against Bank of America Corp., among the biggest such payouts to tipsters in history.
The payments, to three individuals and a small New Jersey mortgage company, are in exchange for the whistleblowers' cooperation in a probe into Bank of America's mortgage practices in the years leading up to the financial crisis.
The whistleblower lawsuits accuse the bank or the firm it acquired in 2008, Countrywide Financial Corp., of misdeeds like inflating the value of mortgage properties and selling defective loans to investors. The payments, which were sent out this week, also underscore how the bank's purchase of Countrywide continues to haunt the Charlotte, N.C., firm.
The allegations trace a familiar pattern, but the whistleblower rewards provide a new wrinkle.
The size of the payments is "unprecedented in the financial sector," said Richard Moberly, a law professor at the University of Nebraska-Lincoln who researches whistleblower cases. The biggest whistleblower awards have typically been associated with drug companies or health-care frauds, he said.
The rewards, some of which were disclosed this week in court filings, are the result of separate lawsuits the whistleblowers filed against Bank of America and were then folded into the bank's global settlement in August.
"These matters have been fully resolved," a bank spokesman said Friday, referring to the whistleblowers' allegations.
The three individuals will each receive payments of tens of millions of dollars, and the mortgage company, Mortgage Now of Shrewsbury, N.J., will receive about $8.5 million, according to court filings and people familiar with the rewards.
Prosecutors and regulators are increasingly making big payouts to tipsters who help them ferret out financial misconduct. The Securities and Exchange Commission in September announced that an informer would collect a record whistleblower award of more than $30 million, more than twice as much as the highest previous award.
Attorney General Eric Holder also said this year that he wants to boost payouts to motivate insiders to come forward with useful information.
Robert Madsen, a former employee of LandSafe Appraisal, a property appraisal company owned by Bank of America, will collect roughly $56 million, according to a person close to the situation. He had filed a complaint against the bank in 2011. Bank of America acquired LandSafe when it bought Countrywide. LandSafe is among the mortgage affiliates that Bank of America is trying to sell.
Edward O'Donnell, a former executive vice president at a Countrywide Financial Corp subsidiary, enters the Manhattan federal courthouse to testify as a witness in September 2013. Mr. O'Donnell will get almost $58 million. He filed a suit that was the basis for a successful U.S. case. Reuters
Mr. Madsen started working there around 2007. According to Mr. Madsen, his bosses started cutting his hours after he raised concerns about properties potentially being overvalued at the expense of borrowers and investors.
Mr. Madsen said he initially thought his case was a long shot, but pursued the lawsuit to protect his family. Along the way, he came to view the case as a way to stoke awareness about the importance of reliable appraisals. When "we don't know what the houses are worth, that undermines virtually every bond, every tranche, every investment instrument out there," Mr. Madsen said.
Mr. Madsen, who lives in Northern California, left the bank around early 2013 and started a company to help banks, investors and other clients identify potential fraud in appraisal work.
Shareef Abdou, a former Countrywide manager, will receive about $48 million for his cooperation in the investigation, a person familiar with the matter said. Mr. Abdou is on a leave of absence from Bank of America.
Mr. Abdou's complaint alleged that the bank sold defective mortgage loans to mortgage-finance companies Fannie Mae and Freddie Mac.
"He was able to indicate that there was an institutional breakdown within the bank, and this was a systemic problem, not an isolated incident," said Brian Mahany, a Milwaukee-based attorney who represents Mr. Abdou.
Edward O'Donnell, a former Countrywide executive, will collect nearly $58 million, according to a court filing this week. Mr. O'Donnell had originally filed suit against the bank in 2012, with allegations that are similar to Mr. Abdou's. His lawsuit created the basis for the government's successful case against the bank over a Countrywide mortgage program called the "Hustle," which U.S. authorities said churned out large numbers of mortgage loans without regard for quality.
Bank of America plans to appeal the Hustle verdict, and Mr. O'Donnell hasn't received a financial award from the government for that suit, according to his lawyer. The payout for Mr. O'Donnell will come thanks to a separate, similar lawsuit he filed in June against Countrywide and Bank of America.
Bank of America bought Countrywide in 2008. It said that the Hustle program ended before it bought Countrywide.
The company that filed a whistleblower suit, Mortgage Now, had accused Bank of America in 2012 of misrepresenting loans that it submitted to the Federal Housing Administration for reimbursement, according to one of the lawyers who worked on the case, Clifford Marshall.
A combined $1 billion of the $16.65 billion settlement was allotted to the three cases filed by the individual whistleblowers. Their payouts will all amount to roughly 16%.
Mr. Mahany declined to say what Mr. Abdou plans to do with the money. "He's a very private individual. I don't think he likes the notoriety of the case," said Mr. Mahany. "He would just as soon go on with his life."
—Lisa Schwartz contributed to this article.
Write to Christina Rexrode at christina.rexrode@wsj.com and Timothy W. Martin at timothy.martin@wsj.com
Sony Made It Easy, but Any of Us Could Get Hacked
A focused, skillful cyber attacker will always get in, warns a security expert.
By Bruce Schneier
Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of "The Interview," a satire targeting that country's dictator, after the hackers made some ridiculous threats about terrorist violence.
Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company (though it is still amazing that Sony made it so easy).
To understand any given episode of hacking, you need to understand who your adversary is. I've spent decades dealing with Internet hackers (as I do now at my current firm), and I've learned to separate opportunistic attacks from targeted ones.
You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus—people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.
High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered "zero-day" vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you've heard about in the past year or so.
But even scarier are the high-skill, high-focus attacks—the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame, which many in the IT world suspect were created by the U.S.; Turla, a piece of malware that many blame on the Russian government; and a huge snooping effort called GhostNet, which spied on the Dalai Lama and Asian governments, leading many of my colleagues to blame China. (We're mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of five Chinese military officials for cyberattacks against U.S. corporations.
This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple's iCloud and posted them. If you've heard the IT-security buzz phrase "advanced persistent threat," this is it.
There is a key difference among these kinds of hacking. In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot's networks didn't seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do.
But a skilled, determined attacker wants to attack a specific victim. The reasons may be political: to hurt a government or leader enmeshed in a geopolitical battle. Or ethical: to punish an industry that the hacker abhors, like big oil or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying.)
Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies. Often, it isn't. We're much better at such relative security than we are at absolute security.
That is why security experts aren't surprised by the Sony story. We know people who do penetration testing for a living—real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker—and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren't sufficiently skilled, good security may protect you completely.
It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn't have to leave so much information exposed. And they didn't have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.
For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.
The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn't made racist jokes about Mr. Obama or insulted its stars—or if their response systems had been agile enough to kick the hackers out before they grabbed everything.
My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn't happen to the executives or the stars; it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.
This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn't something markets can fix.
—Mr. Schneier, a security technologist, is a fellow at the Berkman Center for Internet and Society at Harvard Law School and the chief technology officer of Co3 Systems, Inc., an IT-security firm.
What I Learned From a Dying Patient
The scientist wasn't sure about the existence of the Divine, but she revealed the connectedness of all our lives.
By E. Wesley Ely
I had a patient recently whose death was particularly harrowing. Thirty-nine years old. Ph.D. scientist. Brilliant. She was sent to the ICU team as a "fascinoma," meaning a person with a constellation of problems the doctors couldn't figure out. This woman had been physically fine until two months earlier, and now she was growing progressively shorter of breath, had a little blood in her urine and had pain in her toes, which were turning blue and red in the cold. Imaging showed that she had a growth on her aortic valve and that sections of her kidneys were dying. The doctors at the outside hospital had diagnosed her with blood clots in her lungs and started her on a blood thinner, but her condition kept worsening.
As the day progressed, we started all the needed tests and interventions to help sleuth out the problems and "fix" them. Hours into my periodic conversations with her and her mother and sister, her mother mentioned that my patient was agnostic. I realized that up to that point, perhaps because of the sheer rapidity of the way things were unfolding, I had neglected to take a spiritual history.
Since I teach medical students and residents in physical-diagnosis class about the importance of taking a spiritual history, you'd think that I wouldn't fall prey to this oversight, but I had. The literature shows that most patients want to be asked about their spiritual beliefs or nonbeliefs, and that many think it rude if health-care professionals don't consider this important aspect of their well-being.
The question should be asked out of respect and in a nonjudgmental manner (as one might take a sexual history: "Do you have sex with men, women, both, or neither?"). Thus, I said to her, "Do you have any spiritual values that you want me to know about that might influence your medical decisions?" We'll get to her answer in a minute . . .
Within 24 hours of our meeting, the patient had been checked with an array of blood tests and imaging studies. The list of diagnostic possibilities was led by infections, cancers and rheumatologic diseases like lupus. I pushed for a bronchoscopy (looking into the lung with a light and lens), but others said it wouldn't change the care we were already giving her and argued that we move ahead with anything treatable.
I could see that the uncertainty was extremely disconcerting to her. "I'm a data person. I'm a scientist," she said, to which I replied: "Are you more conservative and can live with our guessing, or are you more of a risk taker?" She immediately said, "I'm not risk averse."
If we were to do the bronchoscopy, we had to do it right away because of her increasing shortness of breath, but transport in the hospital was busy and the backup for a procedure room was mounting. So I told her, "Let's go." The young attending physician and I wheeled her several floors away and bypassed enough systems that lots of people were annoyed and surprised.
Luckily, she tolerated the procedure well and as we wheeled her back into the room, she was sedated but pining for an answer. And there it was: The biopsies showed angry cells with too much nuclear size for healthy cytoplasm, and prominent nucleoli. Cancer. It was everywhere.
It became a whirlwind because she got shorter of breath by the hour as the cancer and fluid literally filled her lungs. We went from her arrival in the hope of figuring out what was wrong and seeking a cure—talking about how when she got back to her lab and students, she'd resume where she'd left off—to the depths of despair.
The patient's conversations with her sister were difficult, to say the least, and at times they both got very weak; eventually they both affirmed that we had to pave a way to prevent my patient's further suffering. With her mother, however, it was much worse. She looked at me through tears and fear and screamed, "This is not fair!" Over and over. Her sister began printing off her will from an iPad and having things notarized.
I won't forget my patient's look of shock and surprise, as if she'd heard me wrong, when I told her that the cells we'd seen under the microscope were cancerous, and that the cancer had already spread throughout her body. The looming threat was that at any minute she was going to throw another large blood clot, go into cardiac arrest and be subjected to bone-crunching chest compressions.
We shifted her from life support and the escalation of care, to the abandonment of self-control, and then finally into the peacefulness of dying without tubes and lines and buzzers. Only eight hours after we told her that she had this incurable illness and that our hope (which at the time seemed plausible) was to get her off the ventilator so she could talk to her family, she stopped breathing and died quietly without any apparent awareness of suffering.
Throughout the day, I had tried to be diligent about ensuring that she was able to spend time with her mother and sister. The initial challenge was to use a specific approach toward sedation that balanced her comfort and her clarity of mind so that she could really engage with the family. Then we needed to make a transition, and that was the benevolent approach to total comfort.
My last memory of this young scientist is that of her breathing, unconscious and unaware of her surroundings. At this point she was newly comatose on the sedation and pain killers as we removed the breathing tube and ventilator. I urged her family, nevertheless, to tell her "what you want her to know." It helps families to have no regrets in the days that follow.
The story is many things, and to you it no doubt means something different than it does to me. As this woman's physician, I find that one of the most enduring aspects of the story was the palpable oneness I felt with her and in knowing how in sync we were with everything "body and mind." There was an unusually tight connection, and I sense that we both knew it.
Since antiquity, the greats such as Plato and Aristotle have taught us the concept of body, mind and spirit as the fullness of existence—a triad still embraced by many today. My patient and I were in tune after talking about those first two, and then, when I "took her spiritual history," she perceived that our beliefs diverged.
She affirmed what her mother had told me, "Yes, I am an agnostic, and it's OK that we differ on that." I nodded and was left to wonder how and why, without having talked about this earlier, she had both understood that we differed in this third piece of the triad and thought it important to offer me reassurance. For my part, I went about making sure others didn't keep asking her or the family about hospital chaplains, priests, etc.
An autopsy will answer many questions, like what was growing on her heart valve and the source of her cancer, which we think was bowel, pancreatic or ovarian, but no physical finding, microscopic sighting, or laboratory test is going to help me learn any more about her spiritual side. I remember her loving manner and her inquisitiveness about life. I know that she was thinking of her estranged father, her students, and her nieces whom she'd never see again.
She wasn't sure about the existence of the Divine, but her courage—daring to face what was happening despite not wanting to hear the worst possible news—utterly confirmed the human spirit. She revealed the connectedness we have in all of our imperfect, vulnerable lives, and I can still feel it now.
Dr. Ely is a professor of medicine and critical care at Vanderbilt University Medical Center.
How Google, GE and U.S. Firms Play the Tax 'Audit Lottery'
Big Companies Have Amassed $188 Billion in Tax Benefits the IRS May Reject
Uncertain tax positions—recorded in an obscure entry in companies' filings—reflect tax breaks that push the envelope with tax authorities. Bloomberg News
By Theo Francis
Buried deep in American companies' securities filings is an indicator for how aggressively they are working to shield their income from the Internal Revenue Service and other tax authorities.
The obscure entry—under the heading "uncertain tax positions" or "unrecognized tax benefits"—is where companies account for tax breaks that push the envelope. And they are adding up.
Exxon Mobil Corp. reported that it had $7.8 billion of these uncertain tax positions outstanding as of Dec. 31, including $1.5 billion from 2013 alone. Pfizer Inc. reported $6.1 billion, including $1.2 billion from 2013. Google Inc. reported $3.1 billion at the end of September, up from $2.6 billion at the end of 2013.
All told, companies in the S&P 500 had amassed $188 billion in unrecognized tax benefits by the end of their 2013 fiscal years—$21 billion of which was related to that year's taxes, according to a Wall Street Journal analysis of figures from Calcbench Inc., a financial data provider. The companies have added between $19 billion and $22 billion of new uncertain tax positions each year since 2010.
Accounting rules define these tax benefits as ones that tax authorities have strong grounds to reject, by the companies' own analysis. Seeking those breaks is perfectly legal, and since companies have already lowered their profit numbers as if the taxes had been paid, there's little risk in rolling the dice. A win down the road will boost profits, while a loss typically does no additional damage. Either way, companies often get to use the disputed cash in the meantime.
"It gives a broad indication of which companies are engaging in risky tax behavior," says Matthew Gardner, executive director of the Institute on Taxation and Economic Policy, a Washington, D.C., nonprofit that produces widely used federal and state tax models and supports progressive tax policies.
Some tax professionals call it the "audit lottery." At stake are billions of dollars that may never find their way into the government's coffers at a time when companies' contribution to overall income-tax revenues is running low by historical standards.
Few companies give much detail publicly about the tax benefits they're seeking, but experts say internal transactions that cross national borders and credits for research and development spending underlie many of them. Other uncertain tax benefits boil down to questions of how much of a claimed tax break companies will get or when.
"What you're really talking about is whether Treasury gets $100 billion or not," says Lynn Turner, a forensic accounting expert and former chief accountant for the Securities and Exchange Commission. "That's real money."
Not all big companies have large or rising uncertain tax positions.
A fifth of S&P 500 companies added no new uncertain tax positions for last year—among them, General Dynamics Corp., Southwest Airlines Co. and Lockheed Martin Corp. For more than half the companies in the index, the uncertain tax positions added for recent years amounted to a tiny fraction of their overall tax expense.
General Dynamics and Lockheed say they work with the IRS ahead of time to address potential problems. A Southwest spokesman declined to comment.
But more than a third of the large companies examined by the Journal added uncertain tax benefits faster than they added revenue.
At Google, the unrecognized benefits rose 126% between 2010 and 2013, to $2.57 billion, as revenue increased about 104%, company filings show. Valero Energy Corp. nearly tripled its unrecognized tax benefits from 2010 to 2013, when they came in at $950 million, as the refining company's revenue rose about 70% in the same period.
Google declined to comment. Valero's filings indicate that $556 million of the increase relates to tax refunds the company hopes to collect for blending biofuels into its products since 2005. A Valero spokesman declined to provide additional detail.
Factoring in uncertain benefit claims can put companies' reported tax bills in a new light. Abbott Laboratories reported $138 million of tax expense on pretax income of $2.5 billion in 2013, for an effective tax rate of 5.5%. But the pharmaceuticals company also claimed $244 million in uncertain tax positions for last year, which if upheld would offset its entire tax bill for the year and then some.
A spokesman for Abbott Labs declined to comment.
Pfizer put its 2013 tax expense at about $4.3 billion. But if the company's $1.2 billion of new uncertain tax positions for the year pan out, its tax expense might prove to have been closer to $3.1 billion, pulling its effective tax rate of 27.4% down to about 19.9%.
"As we mention in our filings, the unrecognized tax benefits relate primarily to issues common among multinational corporations, but we don't provide a more granular qualitative or quantitative breakdown of these issues," Pfizer spokeswoman Joan Campion said. She wouldn't be more specific.
By default, large companies pay a 35% tax rate on profits, but many reduce that figure, often significantly, with deductions and credits, among other means. Large profitable companies averaged an effective federal tax rate of about 19% in recent years, ITEP estimates.
Exxon Mobil spokesman Scott Silvestri said the company's unrecognized tax benefits amount to just 6.4% of its total tax expense over the last five years and reflect potential disagreements between the company and tax authorities as far back as 1998, with little potential harm for investors. He added that the company doesn't expect them to have a material impact on its near-term earnings or effective tax rate.
General Electric Co., which reported nearly $6 billion in unrecognized tax benefits at the end of September, is suing the IRS to recoup $658 million in taxes and interest it sought to avoid with the 2003 sale of ERC Life Reinsurance Corp., at the time part of the company's Employers Re insurance business.
The dispute centers on a $2.2 billion capital loss that GE claimed from the sale for tax purposes, a loss that it carried back to offset capital gains from the company's tax return for 2000. The IRS argued that GE didn't in fact realize a loss on the sale, because the company improperly accounted for an earlier restructuring.
GE spokesman Seth Martin declined to discuss details of the dispute with the IRS. "As we address specific items with tax authorities around the world, our balance of unrecognized benefits changes over time," Mr. Martin said in an email. "GE pays billions in cash income taxes annually."
Bets on those breaks or credits pay off if a company can prevail in court, if tax authorities don't challenge the claims or if the statute of limitations expires—typically after three years for U.S. federal taxes. And companies typically get at least some of what they claim.
"We generally end up—almost always—settling issues at amounts less than what we have on reserves," says Al Cappelloni, a partner with accounting and consulting firm McGladrey LLP's national tax practice who helps public companies prepare their tax-accounting statements and audits other clients' tax provisions.
Apple Inc. had accumulated $4 billion in uncertain tax breaks through the end of September, nearly double what it reported at the end of 2012. In its Oct. 27 annual report, the iPhone maker said the IRS had completed audits of its tax returns for 2004 through 2009, resolving about $570 million of the uncertain tax benefits. Of that, Apple was able to recognize $166 million, or about 29%. Meantime, the company recorded $882 million in new unrecognized tax benefits for tax positions taken over the course of the year.
Apple declined to comment.
Sometimes, companies lose. After more than two years of haggling, fertilizer-maker Mosaic Co. struck an agreement with tax officials in the U.S., Canada and the Netherlands on how to tax the company given its internal cross-border transactions.
The pact resolved nearly $324 million of tax benefits Mosaic had claimed. At the same time, the settlement led the company to designate as uncertain another $129 million of tax positions taken in prior years. Once Mosaic factored in other consequences of the agreement, it wound up recording an additional $4 million in tax expense during the last seven months of 2013.
Mosaic declined to comment on details of the settlement.
Write to Theo Francis at theo.francis@wsj.com
France Fines Major Consumer Product Companies
Antitrust Authority Fines Companies Nearly $1.23 Billion for Anticompetitive Practices
By Ruth Bender and Sam Schechner
PARIS—France's antitrust authority on Thursday said it fined a dozen personal and home-care products companies a total of nearly €1 billion, or about $1.23 billion, for anticompetitive practices between 2003 and 2006.
The Autorité de la Concurrence fined companies including Colgate-Palmolive Co., Unilever NV, Procter & Gamble Co. and Reckitt Benckiser Group PLC a total of €345.2 million for collusion, including coordinating price increases for their home-care products sold to supermarkets. Other companies that make personal-care products, including L'Oréal SA, Beiersdorf AG and P&G's Gillette, were fined a total of €605.9 million.
The fines are among the highest imposed by the regulator to date and highlight the latest action against companies by one of Europe's most active antitrust watchdogs.
The authority said it acted on a tip-off by SC Johnson, Colgate-Palmolive and Henkel AG & Co., which applied to benefit from leniency procedures.
"When we discovered that one of our people was involved in misconduct, we quickly reported our findings to the appropriate authorities and we cooperated fully throughout the investigation," said Kelly M. Semrau, a senior vice president at SC Johnson.
L'Oréal, which was handed the largest fine of €189 million, denied the accusations. "L'Oréal is extremely surprised by this decision and the amount of the fine, which are totally out of proportion," the company said in a statement.
Unilever also considers the sanction "totally unjustified," saying it was involved only to a little extent in what were "instances of information exchanges." L'Oréal and Unilever said they would appeal the decision.
Henkel and P&G said they would review the ruling before deciding on possible further action. A spokeswoman for Reckitt Benckiser said the company was cooperating with the authority.
A spokesman for Colgate-Palmolive said the company is reviewing the decision. "It is Colgate-Palmolive's policy to comply with all laws, including competition laws. If we ever discover an issue with respect to our compliance, our policy is to correct it promptly."
Thursday's fines cover alleged behavior dating to the early 2000s and stem from raids by the authority first carried out in 2006.
"The concerted practices were particularly sophisticated," the competition authority said in a statement. "To discuss about each sector, they met regularly and secretly to coordinate their commercial policies and discuss their pricing policies."
One raid at a Parisian restaurant interrupted several of the accused companies, including Colgate-Palmolive, SC Johnson and Henkel, the competition authority said.
The goal of the meetings was to coordinate their positions in price negotiations with distributors to avoid increasing competition among them, the authority alleged.
In one meeting, a manager at Henkel took handwritten notes of the proposed price increases to be coordinated in 2004, according to the competition authority.
Besides regular meetings, commercial and sales managers also exchanged information in their private homes and in phone calls, the authority said.
France's competition authority said these practices eventually led to artificially high prices.
"The concerted practices distorted negotiations with distributors to the benefit of suppliers," the authority said. "They allowed to maintain artificially high selling prices to retailers, which were then passed on prices paid by end consumers."
Unilever refuted such accusations. The company said alleged effects on consumers weren't established, citing several economic studies.
France's competition authority said the practices were particularly serious, not only because of their secret nature but because they harmed the economy by distorting price evolutions in a market already involving only a limited number of players.
In recent years, France's competition authority has broken up an alleged laundry-detergent price-fixing ring and levied a €242 million fine on millers who had allegedly rigged the French packaged-flour market for nearly half a century.
The competition authority said the fine imposed in the laundry-detergent case had been taken into account in the calculation of the latest fines.
—Peter Evans and Paul Ziobro contributed to this article.
Write to Ruth Bender at Ruth.Bender@wsj.com and Sam Schechner at sam.schechner@wsj.com