CISA Issues Alert on Potential Legacy Oracle Cloud Compromise

BleepingComputer has confirmed the rumor that Oracle has suffered a compromise affecting its legacy environment, including the compromise of old customer credentials (originally denied by Oracle). Oracle notified some affected clients that old legacy data from Oracle Classic (last used in 2017) was involved in the incident. BleepingComputer has reportedly had direct contact with the threat actor, which has “shared data with BleepingComputer from the end of 2024” and posted newer records from 2025 on a hacking forum.
The incident was discovered in late February. According to BleepingComputer, “the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.” The threat actor offered over six million data records for sale on BreachForums on March 20, 2025, alleging the data originated from the Oracle incident.
On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on the “potential legacy Oracle Cloud compromise.” The guidance confirms that the incident’s scope and impact are uncertain but provides information about the risks associated with compromised credentials.
The Alert states:
The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risks to enterprise environments. Threat actors routinely harvest and weaponize such credentials to:

Escalate privileges and move laterally within networks.
Access cloud and identity management systems.
Conduct phishing, credential-based, or business email compromise (BEC) campaigns. 
Resell or exchange access to stolen credentials on criminal marketplaces.
Enrich stolen data with prior breach information for resale and/or targeted intrusion.

The Alert provides recommendations to organizations “to reduce the risks associated with potential credential compromise.” The recommendations are solid for any credential compromise but particularly relevant to Oracle customers. 

Georgia Federal Court Denies TRO and Motion to Dismiss in Trade Secrets Case

On March 27, 2025, in Stimlabs LLC v. Griffiths, the U.S. District Court for the Northern District of Georgia ordered a former executive, Sarah Griffiths, to face claims related to her alleged theft of Stimlabs’ trade secrets under the Defend Trade Secrets Act (“DTSA”) and the Georgia Trade Secrets Act (“GTSA”) after denying her application for a TRO.
Background. Griffiths, the regenerative medicine company’s former Chief Scientific Officer, allegedly downloaded thousands of documents containing confidential information and trade secrets after the CEO told her the company was interested in negotiating her departure. These documents allegedly contained, among other things, information regarding future potential products, confidential communications with government agencies, data related to product development and information related to “a product made of donated human umbilical cord, which is applied to, and used in, the management of ulcers, wounds, and similar injuries to the body.” Griffiths allegedly was one of thirteen employees who had special access to the company’s purported trade secrets. According to the company, she was required to sign restrictive covenants as part of her employment agreement, follow the employee handbook, attend and comply with the confidentiality training she received, use best efforts to protect Confidential Information and comply with the company’s Information Security Policy. 
Rulings. Following a hearing on August 13, 2024, the company’s motion for a temporary restraining order was denied, as the court found that the company had “not introduced evidence that [Griffiths] accessed [Stimlabs’] documents for any purpose other than to do her job at the time, and the case law is very clear that this does not constitute misappropriation.” However, the court still denied Griffiths’ motion to dismiss the complaint, finding that the company sufficiently identified 12 specific examples of trade secrets that purportedly were misappropriated, which were sufficient allegations to state a claim for misappropriation. The court emphasized the allegations that Griffiths’ actions violated her employment obligations. In denying the motion to dismiss, the court noted that the complaint the TRO was based on had been amended and now included four exhibits, including various agreements and policies that Griffiths had allegedly violated. The court also decided not to dismiss the company’s breach of contract claim, despite Griffiths’ argument that the company suffered no damages. The court found that discovery was the best avenue to address this issue.
Implications. This case shows that even though an application for immediate injunctive relief may be denied, there still may be grounds to develop the claims that were raised in that application, and thus a motion to dismiss may not be in order. Here, by amending the complaint and identifying the trade secrets that allegedly were misappropriated, the employer was able to survive a motion to dismiss, allowing the case to proceed. We will continue to follow this case as the litigation progresses.

FTC Issues RFI on Anti-Competitive Regulations

On April 14, 2025, following President Trump’s recently issued executive order addressing regulatory barriers to competition, the Federal Trade Commission (FTC) issued a Request for Public Comment Regarding Reducing Anti-Competitive Regulatory Barriers (RFI).
The RFI asks consumers, workers, businesses, startups, potential market entrants, investors, and academics for comments on federal regulations that may have one of the six anti-competitive effects identified by the FTC. Those enumerated effects include creating or facilitating the creation of monopolies, creating unnecessary barriers to entry, limiting competition, creating or facilitating licensure or accreditation requirements that unduly limit competition, unnecessarily burdening the agency’s procurement process, and imposing distortion on the operation of the free market.
After identifying a regulation with one of the enumerated effects, the FTC requests, essentially, a legal analysis of the basis of the comment. The additional information requested includes:

a citation to the regulation,
the specific language in that regulation that leads to the anti-competitive effect,
an applicable legal authority interpreting the regulation,
an explanation of how the regulation operates (including relevant product and geographic markets affected),
an explanation of why the regulation should be eliminated or modified, and
an explanation of “whether the regulation satisfies the definition of ‘significant regulatory action’ in Executive Order 12866 of September 30, 1993.”

The amount of detailed information requested through the RFI suggests that the FTC will carefully consider industry comments, which may be submitted through May 27, 2025.

Judge Rules “Tester” Plaintiffs Cannot Bring Wiretap Claims under California Invasion of Privacy Act

In a big win for businesses, a California federal court just held that a “tester” plaintiff—someone who visits websites to initiate litigation—cannot bring a claim under the California Invasion of Privacy Act (CIPA). Rodriguez v. Autotrader.com, Inc., No. 2:24-cv-08735, 2025 WL 65409 (C.D. Cal. 1.8.25). Tester plaintiffs have started to focus on consumer protection statutes in hopes of broadening CIPA’s application to include internet communications, which would provide them a treasure trove of potential targets. However, the recent decision in Rodriguez provides a defense for businesses facing lawsuits by tester plaintiffs and bolsters another unrelated defense: setting privacy expectations with consumers.
I previously wrote about CIPA claims and the uptick in litigation claiming wiretap violations based on a website’s use of trackers.
Here, the plaintiff alleged violations of CIPA by Autotrader.com for its:

Operation of a pen register on its website using tracking technology that could collect a user’s IP address
Disclosure of website search terms to third parties (akin to illegal wiretapping)

The court dismissed these claims, stating that a tester plaintiff who “actively seeks out privacy violations” does not expect privacy. Because a tester plaintiff in a CIPA case visits the website and intentionally enters information into the website expecting their information to be “accessed, recorded, and disclosed,” the individual cannot claim an injury. The tester essentially expects the injury to occur.
What should your business do as a result of this decision? Be prepared and consider:

Reviewing your website and its Privacy Policy and Terms of Use;

Evaluate the types of tracking tools your website uses and their necessity/value (e.g., pixels, web beacons, cookies, etc.). Often, businesses discover that the website cookies and pixels are actually just left over from past initiatives or that certain cookies were installed but never used.
Consider using a scanning tool and analyze the scan results to learn what tracking technologies your website uses.

Determining what third parties do with the data collected via your website tracking tools;
Include appropriate disclosures in your Privacy Policy and cookie banner/preferences (e.g., to whom is the data disclosed, the use of the data, and a hyperlink to the Privacy Policy in the cookie banner).

For example, cookie banners should state that data is disclosed to third parties for targeted ad purposes, if that is the case, instead of only stating that the website uses cookies to improve user experience.

Providing an opt-out option (and symmetry of choice)
While opt-in consent is not required by applicable consumer privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act), allowing users to make informed choices about website tracking could prevent CIPA claims against your business.

AI Powered Bot Targeted 400,000 Websites

SentinelOne researchers have discovered AkiraBot, a bot that targets the websites of small- to medium-sized companies with outreach messages drafted by generative AI and posted to website chats, comments, and contact forms. SentinelOne estimates that over 400,000 websites have been targeted, and the bot has successfully spammed “at least 80,000 websites since September 2024.”
The bot used OpenAI’s large language models (LLMs) to generate custom outreach messages based on the purpose of each targeted website, and it bypassed spam filters and CAPTCHA barriers to deliver them. OpenAI has since disabled the API key and other assets used in the campaign.
The SentinelOne researchers posited that “AkiraBot’s use of LLM-generated spam message content demonstrates the emerging challenges that AI poses to defending websites against spam attacks.”
As threat actors continue to evade detection, their generative AI usage will pose an ever-increasing challenge for protecting websites and filtering spam from email accounts.

Privacy Tip #440 – Text Scam Proceeds Surpass $470M in 2024

I have been getting a lot of texts that are clearly scams, and those around me have confirmed an increase in spammy texts.
According to an FTC Consumer Protection Data Spotlight, individuals lost over $470 million to text scams. The top text scams of 2024, which accounted for half of the $470 million lost by consumers to fake texts, included:

Fake package delivery problems;
Phony job opportunities;
Fake fraud alerts;
Bogus notices about unpaid tolls; and
“Wrong number” texts that aren’t.

According to the FTC, actionable ways to help stop text scams include:

Forwarding messages to 7726 (SPAM). This helps your wireless provider spot and block similar messages.
Reporting it on either the Apple iMessages app for iPhone users or Google Messages app for Android users.
Reporting it to the FTC at ReportFraud.ftc.gov.

How can you avoid text scams?
Never click on links or respond to unexpected texts. If you think it might be legit, contact the company using a phone number or website you know is legitimate. Don’t use the information in the text message. Filter unwanted texts before they reach you.
Remember that texts are just like emails and can be used for smishing instead of phishing. Treat them the same—with a healthy bout of caution and vigilance to avoid being victimized.

Northeast Radiology Settles with OCR

The Office for Civil Rights (OCR) announced on April 10, 2025, that it has settled alleged HIPAA Security Rule violations with Northeast Radiology for $350,000.
The investigation followed a breach report by Northeast Radiology to OCR in March 2020 after unauthorized individuals accessed radiology images stored on PACS (Picture Archiving and Communication System) servers. Northeast Radiology notified 298,532 patients of the breach. The OCR alleges that, during the investigation, Northeast Radiology “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.”
Northeast Radiology agreed to enter into a resolution agreement with OCR that included a settlement payment of $350,000 and a supervised corrective action plan for two years.

Video Game Developer’s Website Privacy Policy Disclosure and Cookie Banner Consent Defeat Wiretap Class Action

Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).
The plaintiffs alleged that Ubisoft collected and disclosed plaintiffs’ personal information and website usage without their consent through website pixels. Ubisoft moved to dismiss the claims based on the fact that the plaintiffs’ claims relied on the lack of consent but that plaintiffs had “consented to the use of cookies and pixels . . . at least three times during the purchase process” when plaintiffs (1) “interacted with the Cookies Banner” when visiting the website; (2) created accounts on the website, which required the plaintiffs to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) “made purchases” at which point Ubisoft’s terms and Privacy Policy were displayed again.
The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:

Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision. 

The plaintiffs sought leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.”
A key takeaway for companies to consider is to revamp your website Privacy Policy disclosures, confirm that your website’s cookie preferences and banner are visible and user-friendly, and clearly articulate the use of third-party trackers and the data disclosed to your website users.

International Students Face Visa Revocations & Status Terminations – What Does that Mean for Higher Education Institutions?

Over the past two weeks, institutions of higher education have been faced with the challenges of notifying members of their campus communities about visa revocations and status terminations, and advising affected international students on what to do next. Unlike more high-profile immigration cases that followed student protest activity, the latest round of visa revocations and status terminations appears to be happening because students are “failing to maintain status.” But what does that mean and how should institutions react?
To understand the impact, the meanings of key terms like “visa” and “status” have to be understood, because they are distinct concepts in U.S. immigration law. When people speak of how long someone can stay in the United States, they might say “their visa expires in June” or “they have to leave because their visa is expiring.” Such statements are technically incorrect, however, because they confuse a visa with status.
While a visa is a critical immigration document, it does not actually determine how long someone can stay in the United States. A visa is issued by the U.S. government and allows a noncitizen to apply for entry to the country, but does not guarantee that the noncitizen will be actually allowed to enter or remain in the United States. In contrast, a noncitizen’s status determines how long and under what conditions they can stay in the United States. Notably, noncitizens can change status, for example from F-1 student status to H-1B specialty occupation status, without ever leaving the United States.
Most higher education students come to study in the United States on an F-1 student visa. F-1 visas are issued by the U.S. Department of State. Once students enter the United States, they are granted F-1 student status, and their F-1 status is tracked by the Department of Homeland Security’s Student and Exchange Visitor Program (SEVP). As long as a student continues to maintain their F-1 student status, the requirements of which are set by law, they are permitted to remain in the United States.
While visa revocations have not traditionally been common, they are a tool available to immigration authorities. One of the scenarios that has historically led to visa revocation is an arrest for driving under the influence (DUI) leading to a visa revocation on health-related grounds (on the basis of suspected alcoholism or other substance abuse issues). A visa revocation, while significant, only impacts a person’s ability to return to the United States following international travel. It does not impact status. An F-1 student can have their F-1 visa revoked, expired, or cancelled, but can still remain in the United States with their valid F-1 student status.
Termination of status, however, ends a person’s permission to stay in the United States. A student’s F-1 student status can be terminated if a student “fails to maintain status” or due to an agency “termination of status.” Historically, a student’s failure to maintain their F-1 status was reported by the colleges and universities themselves if, for example, an international student engaged in unauthorized employment, failed to maintain a full course of study, or was convicted of certain crimes. The agency-initiated termination of status is limited by statute.
During the past two weeks, the U.S. government has changed its practices related to visa revocations and status terminations, and has begun terminating international students’ F-1 student status, either in addition to or instead of revoking their F-1 visas. As a result, F-1 students whose F-1 student status has been terminated no longer have permission to stay in the United States, even if they have a valid F-1 visa.
Institutions are finding out about students’ F-1 status terminations by auditing their SEVIS (Student and Exchange Visitor Information System) record. SEVIS is a web-based system that colleges and the Department of Homeland Security use to maintain information about F-1 students. In some cases, students report being unaware that their F-1 status had been terminated until they receive outreach from their school after such audits, because they received no communication from the U.S. government about their status termination.
These changes have caused stress and uncertainty for institutions of higher education and their international students. In light of concerns expressed by higher education clients, we suggest that clients and higher education institutions work closely with in-house counsel, and recommend that international student offices keep abreast of the latest developments in this area. Specifically, colleges and universities should:

Regularly check SEVIS to determine if students’ F-1 status has been terminated and communicate any developments to the affected students as soon as possible.
Prepare to refer international students to immigration lawyers for individualized assistance. Many institutions of higher education have referral lists, but legal clinics available on some campuses are also an option.
Consider options for international students who may choose to leave the United States, specifically how they can continue their studies or transfer to another college or university in their home country. These considerations may be especially important or acute for graduate-level students engaged in fellowships, research, and TA-ships on campus.
Prepare for possible federal immigration enforcement activity on or around campus, including the types of requests for information federal agencies might make, and the institution’s obligations under state and federal law.
Develop and implement a plan to handle campus community and leadership, local community, and political concerns. In addition to planning for internal and external communications, expect that individual immigration cases and class action lawsuits related to F-1 visa revocations and F-1 status terminations may occur.

Recent Decision on Nondiscretionary Performance Bonuses in Pay Calculations Has Wide-Ranging Implications for Illinois Employers

In Illinois, nondiscretionary “performance bonuses,” such as bonuses paid in recognition of employees satisfying certain performance and safety metrics and seniority goals, must be factored into employees’ regular rate of pay when calculating overtime wages, even when those bonuses are not directly tied to the number of hours worked, according to the Illinois Supreme Court’s recent decision in Mercado v. S&C Elec. Co., 2025 IL 129526 (2025).
Background
The employer routinely gave performance bonuses to its non-exempt hourly-paid factory workers. The bonuses were identified as “KPI Incentive,” “MIS bonus,” “Success sharing,” or “Seniority award,” among other descriptors, on employees’ pay stubs. The employer did not factor these bonuses into the employees’ regular rate of pay for purposes of calculating their overtime pay (which, under the Illinois Minimum Wage Law, is one and one-half times an employee’s regular rate of pay). It cited the exclusion of “[s]ums paid as gifts such as those made at holidays or other amounts that are not measured by or dependent on hours worked” from the definition of “regular rate.” 56 Ill. Adm. Code 210.410(a).
Court Decision
The Illinois Supreme Court held that the Minimum Wage Law provision provides only one exemption: sums paid as gifts (including gifts “made at holidays” and gifts in the form of “other amounts that are not measured by or dependent on hours worked”).
Because the performance bonuses were not “gifts,” the Court ruled those bonuses were not exempted under this provision, even though the bonuses were not dependent on hours worked.
The Court did not address a separate exclusion under Illinois law for discretionary bonuses “paid in recognition of services performed which are determined at the sole discretion of the employer.”
Implications
This decision has wide-ranging implications for employers in Illinois. Organizations should review all forms of compensation paid to their non-exempt employees to ensure that overtime pay is properly calculated. This is especially important given the Illinois Minimum Wage Law’s steep penalties for underpayment of wages. A prevailing plaintiff may recover triple the amount of the unpaid overtime wages plus five percent of the amount of any such underpayments for each month they remain unpaid, as well as attorneys’ fees and costs.

If You Don’t Ask, The Answer’s Always No

One of the first rules of business is that you don’t leave money on the table. That adage is equally important in tax matters. Taxpayers can leave behind funds by failing to follow the rules. The importance of compliance with the procedural requirements in requesting a refund was highlighted in the recent Michigan Tax Tribunal decision in Comerica, Inc. v. Michigan Dep’t of Treasury, MTT Docket No. 17-000150 (Mar. 18, 2025).
At issue in Comerica was whether the company was entitled to interest on refunds paid by the Department of Treasury (the “Department”). The company challenged an assessment, and after decisions from the Tax Tribunal, the Court of Appeals, and the Michigan Supreme Court, the Department paid the company refunds of almost $11 million. The company then filed a motion with the Tax Tribunal related to its request of over $6 million in interest and costs.
The Department argued, in part, that the company did not request refunds and, therefore, interest was not permitted under the statute. On review, the Tax Tribunal reiterated that in order to receive interest on a refund, there are three required steps. First, the tax must have been paid. (It is unsurprising that it is not possible to receive a refund of something if it was never paid.) Second, the taxpayer must make a claim for a refund or petition for a refund. Finally, the refund claim (or petition) must be filed.
In Comerica, the only issue was whether a claim or petition for the refund had been made (i.e., step two). Notably, the Tax Tribunal stated that there is no specific form or manner by which the refund must be claimed. Instead, it must merely be a request for the refund. While the company requested a refund in a letter to the Department during the audit, the Tax Tribunal held that was premature as the Department had not made a determination until the audit was complete.
In reviewing the petitions originally filed in the matter, the Tax Tribunal noted that there was no explicit request for a refund. Nevertheless, the Tax Tribunal held that filing a petition constitutes a claim for refund. Therefore, it held that the company was entitled to interest under the statute starting 45 days after the petition was filed to the date of the refund payments.
In addition, the Tax Tribunal held that the company was entitled to costs and attorney fees related to the proceedings on remand related to the request for interest because the Department’s payment of the refunds undermined the Department’s arguments that interest was not permitted.
The decision in Comerica serves as an important reminder to ensure you always request all of the funds to which you may be entitled. Because if you don’t ask for it, you won’t receive it.

Massachusetts Court Subjects Nonresident to Income Tax on Gain from Stock Sale

In a decision with troubling potential implications, a Massachusetts appellate court held that a nonresident individual was subject to Commonwealth income tax on capital gain from the sale of his stock in the corporation that he formed and worked for because the court concluded that it related to his trade or business in the Commonwealth. Craig H. Welch v. Comm’r of Rev., No. 24-P-109 (Mass. App. Ct., Apr. 3, 2025). 
The Facts: In 2003, Craig Welch (“Welch”), a resident of Massachusetts at the time, formed AcadiaSoft, Inc. (“AcadiaSoft”), a Massachusetts-based business that developed and marketed derivative and collateral management solutions to institutional investors. Over more than a decade, Welch worked exclusively for AcadiaSoft in various capacities, including as its President, Chief Executive Officer, and Treasurer, primarily in Massachusetts, and received a salary. Although initially the corporation’s sole stockholder, over time his stock ownership percentage was diluted as outside investors were brought in and additional financing was obtained.
By 2015, however, Welch no longer had an operational role at AcadiaSoft. In June 2015, AcadiaSoft offered to purchase Welch’s stock, and he accepted the offer and submitted his resignation. Later that month, AcadiaSoft purchased Welch’s stock for $4.7 million. Since Welch had a zero cost basis in his stock, the entire sales proceeds were capital gains for federal income tax purposes.
Significantly, on or about April 30, 2015—two months before the sale—Welch and his wife had moved to New Hampshire, and he was no longer a Massachusetts resident.
From 2003 through 2014, Welch and his wife had filed Massachusetts resident income tax returns. No longer a resident after April 30, 2015, Welch filed a Massachusetts nonresident/part year resident tax return for 2015 but did not report the $4.7 million capital gain as Massachusetts source income.
After an audit, the Department of Revenue (“Department”) assessed income tax on the capital gain, treating it as Massachusetts source income. The Massachusetts Appellate Tax Board (“ATB”) upheld the imposition of the tax, ruling that the stock gain “was of a compensatory nature” attributable to Welch’s employment in Massachusetts. This appeal followed.
Taxation of Massachusetts Non-Residents: Like most states, Massachusetts taxes nonresident individuals only on their in-state source income. “Massachusetts source income” is defined to include income “derived from or effectively connected with . . . any trade or business, including any employment carried on by the taxpayer in the commonwealth” and “gain from the sale of a business or of an interest in a business . . ..” Mass. G.L. c. 62, §5A(a).
The Department’s regulations provide that the taxation of gain from the sale of a business applies to the sale of interests in, for example, sole proprietorships and partnerships, but that this rule “generally does not apply… to the sale of shares of stock in a C corporation or S corporation, to the extent that the income from such gain is characterized for federal income tax purposes as capital gains,” unless it is “connected with the taxpayer’s conduct of a trade or business . . ..” 830 Code Mass. Regs. § 62.5A.1(3)(c)(8).
Welch argued on appeal that it was AcadiaSoft that was conducting a trade or business, not Welch personally, and that his stock was not compensation for his services since he acquired it before AcadiaSoft conducted any business.
The Decision: The Court, applying a deferential standard of review, upheld the taxation of Welch’s capital gain from the stock sale, holding that it was “derived from and was effectively connected with his trade or business or employment.” According to the Court, because Welch obtained the stock soon after founding AcadiaSoft and expected that the value of the stock would appreciate because of his “hard work,” the ATB had substantial evidence for concluding that Welch’s gain “was derived from his employment.”
Observations: The Court’s decision fails to recognize the distinction between AcadiaSoft’s business—for which it filed Massachusetts corporate tax returns and apportioned 100 percent of its income to the Commonwealth—and Welch’s employment with AcadiaSoft for which he received a salary and paid Commonwealth income tax. Also troubling is that the Court failed to apply the Department’s own regulation providing that Massachusetts source income generally does not include gain from the sale of stock in a corporation characterized as capital gains, not compensation for services, for federal tax purposes. The Court emphasized Welch’s desire that his stock appreciate in value because of his efforts, but that can be said about every founder of a business who anticipates that the business will be successful and that the value of the stock will increase over time. If left standing, the decision would make Massachusetts an outlier in taxing founders of corporate businesses who eventually wish to sell their stock and exit the business.