Creation of government databases should not come at a cumbersome, costly, or confusing toll for Small Business, and the threat of data breaches should be minimized.
On Dec. 8, 2024, the U.S. Dept. of the Treasury and its Financial Crimes Enforcement Network (FinCEN) announced a cybersecurity breach of Treasury data conducted by Chinese-sponsored hackers.
Following this announcement, NSBA sent a letter to Treasury and FinCEN regarding this breach, particularly concerned with how this breach could signal future issues with databases collected under the Corporate Transparency Act (CTA).
As part of the CTA, FinCEN is instructed by the law to create and maintain a database of beneficial owner information (BOI) of small businesses. This data includes social security numbers and other sensitive identifiers, and it is collected redundantly to other databases when small businesses are formalized.
Additionally, this database would be searchable without the need for FinCEN to secure a warrant - a plain violation of the Fourth Amendment - and large entities, including banks, are exempt from BOI disclosure requirements.
The CTA was originally passed as part of a national defense and security bill, included in the legislation under the premise that small businesses were responsible for facilitating a significant amount of international money laundering.
While money laundering occurs in any size business, for the purported purpose of the CTA being to stem financial crimes and banks to be exempt from the disclosures, NSBA has maintained a staunch position against this regulation.
Fortunately, federal legal action has reinstated an injunction against enforcement of the CTA, and, as of this writing, disclosures under the CTA are voluntary.
In a ruling from a contemporaneous federal court case, NSBA secured and maintained an exemption for its members in good standing as of March 1, 2024, and we are working to expand this exemption for all Small-Business owners through all channels, including work with Congress to repeal their previous passage of the CTA.
Underscoring our case for concern over this law is continued failures of databases maintained by the federal government.
Read our full letter to Treasury and FinCEN for full clarification on this recent breach below, and follow NSBA as we continue our work over the CTA.
___
January 8, 2025
Dear Secretary Yellen and Director Gacki:
As the nation’s oldest small business advocacy organization, representing our membership of more than 65,000 and the 70+ million owners and employees that make up the U.S. small business sector, we are writing to express our significant concerns related to the recent cybersecurity breach of U.S. Treasury data conducted by Chinese-sponsored hackers, which was publicly disclosed on Dec. 8, 2024.
While any breach of federal government systems is worthy of considerable scrutiny, this particular incident is of immediate relevance to American small businesses, who have been forced to reckon this past year with burdensome FinCEN reporting requirements established by the Corporate Transparency Act (CTA). The CTA was purportedly designed to address only corporations engaged in illicit activities; however, its language has impacted nearly all small businesses in the United States, requiring them to disclose sensitive "beneficial ownership information” (BOI) to FinCEN. Though the enforcement deadline for this information has been shifted back-and-forth repeatedly—leaving small businesses profoundly confused over their legal obligations—many businesses have nonetheless already submitted their BOI. Given the immensely sensitive nature of this information, it is vital that those business owners be made immediately aware if any of the data compromised during the incident included information related to their submissions, a violation that could potentially jeopardize their competitiveness and continued operations.
It is worth emphasizing that these small businesses forfeited their own security protections in order to abide by the federal government's mandates, with the hope and expectation that the government possesses the necessary technology and expertise to protect their information from falling into the hands of bad actors and foreign adversaries. Due to the significant degree of trust that these small businesses have placed in their government to protect and oversee their information, it is imperative that Treasury expeditiously confirm or deny whether their sensitive information has been stolen. Therefore, NSBA is requesting that Treasury immediately disclose whether any of the information accessed by hackers pertained to the BOI requirements mandated by the CTA, and if so, to make it clear whether that information has since been secured in the aftermath of the breach.
While we are aware that Treasury has already promised lawmakers it will disclose additional information concerning the incident in a supplemental report, we urge you to comprehensively address the issue of potential BOI theft during the continued review process. In addition, we request to be made aware of what steps, if any, Treasury is implementing to remediate the situation and ensure that U.S. businesses are not penalized for their attempts to comply with the law.
Sincerely,
Todd McCracken
President & CEO
National Small Business Association
###
