PRACTICE AREAS

Regulatory Compliance

Cybersecurity has become one of the most rapidly evolving areas of federal regulatory compliance. Healthcare organizations, government contractors, and financial institutions now face overlapping federal cybersecurity requirements enforced by multiple agencies — with civil penalties, program debarment, and potential False Claims Act criminal prosecution for organizations that fail to meet applicable standards and then misrepresent their compliance posture to the federal government.

The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, specifically targets government contractors and grant recipients who knowingly misrepresent or fail to report cybersecurity incidents or non-compliance with contractual cybersecurity requirements.

Healthcare — HIPAA Security Rule Compliance (45 C.F.R. Parts 160 and 164)

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Failure to comply is enforced by the HHS Office for Civil Rights (OCR) through a tiered penalty structure:

Violation Tier Description Penalty Per Violation Category Per Year
Tier 1 Did not know and could not have known with reasonable diligence $100 – $50,000 (max $25,000/year)
Tier 2 Reasonable cause — knew or should have known, not willful neglect $1,000 – $50,000 (max $100,000/year)
Tier 3 Willful neglect — corrected within 30 days of discovery $10,000 – $50,000 (max $250,000/year)
Tier 4 Willful neglect — not corrected within 30 days $50,000 minimum, up to $1.9M per year

In addition to civil penalties, HIPAA breaches affecting 500 or more individuals must be reported to OCR and to the media in the affected geographic area. Breaches involving 500 or more individuals nationally require notification to OCR within 60 days of discovery. OCR may initiate a compliance review following a breach notification — which can escalate to a full investigation of the organization's overall HIPAA compliance posture.

Government Contractors — CMMC and FAR Cybersecurity Requirements

The Cybersecurity Maturity Model Certification (CMMC) program, administered by the Department of Defense, requires defense contractors and subcontractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) to achieve certification at specified CMMC levels as a condition of contract award. The DFARS clause at 48 C.F.R. § 252.204-7012 imposes

NIST SP 800-171 requirements on defense contractors. Misrepresentation of cybersecurity compliance status to the federal government can constitute a False Claims Act violation — with treble damages and per-claim civil penalties in addition to any contract remedies.

MB Law's Cybersecurity Compliance Services

HIPAA Security Rule risk assessment and gap analysis

Identify vulnerabilities in ePHI safeguards and build documented compliance record.

OCR breach investigation defense

Representation in OCR investigation and civil money penalty proceedings following a breach notification.

CMMC readiness assessment

Evaluate the contractor's NIST SP 800-171 implementation against CMMC Level 2 and Level 3 requirements prior to assessment.

FCA cyber-fraud exposure analysis

Assess whether cybersecurity certifications submitted to federal agencies accurately reflect the organization's actual security posture — identifying false certification risk before the government does.

Breach response as legal counsel

Direction of breach response under attorney-client privilege — preserving privilege over forensic investigation findings, coordinating notification obligations, and managing regulatory agency communications.

Cybersecurity compliance failures that are represented as compliant to the federal government can constitute False Claims Act violations. MB Law provides legal oversight for cybersecurity compliance to ensure your federal certifications are accurate, defensible, and privileged.

IRS Audit and Tax Compliance

IRS audits range from routine correspondence audits conducted entirely by mail to full-scale field examinations conducted at a business location to IRS Criminal Investigation referrals that transform a civil tax matter into a federal criminal prosecution. The transition from civil examination to criminal investigation can occur without explicit notice to the taxpayer. Understanding where on this spectrum an IRS matter sits — and preventing inappropriate escalation from civil to criminal — is a core function of competent tax defense representation.

Types of IRS Audits

Audit Type Format Typical Scope Escalation Risk
Correspondence Audit Conducted by mail — IRS requests documentation for specific line items Single issue: charitable deduction, expense claim, income item Low unless documentation is missing or inadequate
Office Audit Meeting at local IRS office with IRS examiner Multiple issues across one or more years’ returns Moderate — examiner may expand scope if irregularities identified
Field Audit IRS examiner at taxpayer’s place of business Comprehensive examination of books, records, accounting systems Higher — typically for business taxpayers with complex records
Eggshell Audit Civil examination where taxpayer knows or suspects fraudulent items exist in the return Varies — examiner may not know the risk the taxpayer perceives Critical — every document produced and statement made may be used in a subsequent criminal prosecution

The 'Eggshell' Audit — When Civil Becomes Criminal

The most dangerous audit situation is the 'eggshell audit' — a civil examination in which the taxpayer or their advisors know or suspect that the return contains fraudulent items that, if discovered, could trigger a criminal referral to IRS Criminal Investigation. A civil examiner who suspects fraud is required under IRS policy to suspend the examination and refer the matter to IRS-CI — after which the full apparatus of criminal investigation is brought to bear.

In an eggshell audit, the taxpayer's obligation to cooperate in good faith with the civil examination must be carefully managed against the Fifth Amendment right against self-incrimination. This requires defense counsel who understands both the civil examination process and the criminal exposure it creates. MB Law represents taxpayers in eggshell audits by: managing document production privilege-first and strategically sequenced; presenting the client's factual narrative to the examiner in a way that maximizes the civil resolution opportunity; and monitoring for warning signs that the civil examination has or may be converting to a criminal investigation.

Key Statutes of Limitation

Situation Civil Assessment Limitation Notes
Normal return filed, no substantial omission 3 years from filing date (or due date, if later) Standard rule — IRS has 3 years to assess additional tax on a filed return
Substantial omission (>25% of gross income omitted) 6 years from filing Significantly expands the audit window
Fraudulent return or no return filed No limitation — unlimited IRS can assess at any time; criminal prosecution statute of limitations is also extended for tax evasion
Foreign information reporting (FBAR, Form 8938 FATCA) 6 years from filing Separate rules; civil penalties for FBAR violations up to $100,000+ per willful violation

The IRS Civil Dispute Process — From 30-Day Letter to Tax Court

Following an audit, IRS issues a 30-day letter identifying proposed additional tax, penalties, and interest. The taxpayer has 30 days to agree, request an IRS Appeals conference, or do nothing (which moves the matter forward to the IRS Appeals Office automatically).

The Office of Appeals is an independent function within the IRS with authority to settle disputes without litigation. Over 80% of cases reaching Appeals are settled at this stage. MB Law prepares comprehensive written protests presenting factual and legal arguments for each proposed adjustment — the quality of the protest submission is the primary determinant of the Appeals outcome.

If Appeals does not resolve the matter, IRS issues a Notice of Deficiency. The taxpayer has 90 days to file a petition in U.S. Tax Court to challenge the deficiency before paying the disputed amount.

The primary forum for contesting IRS deficiency determinations without first paying the disputed tax. MB Law prepares Tax Court petitions, engages in the Tax Court discovery process, and litigates contested factual and legal issues.

For cases where the taxpayer has paid the disputed amount and seeks a refund, litigation may be pursued in U.S. District Court or the U.S. Court of Federal Claims — forums that may offer strategic advantages depending on the legal issues and available defenses.

If you are under IRS audit, have received a Notice of Proposed Adjustments, or have received contact from what appears to be IRS Criminal Investigation, contact MB Law immediately. Early representation significantly increases the probability of resolving the matter at the examination or Appeals stage — before litigation becomes necessary.

Strategic Federal Defense Starts Early

Early legal intervention can significantly impact the outcome of a federal investigation or prosecution.

Mansoor Broachwala, Esq. — Licensed in Illinois since 2017

ATTORNEY ADVERTISING. This website is for informational purposes only. Visiting this website does not create an attorney-client relationship. Do not submit confidential information until an engagement agreement has been executed. Past results do not guarantee future outcomes.