CT Criminal Lawyer

IRS Special Agent Shaun Schrader’s affidavit in support of a search warrant for NOVA Benefit Plan’s offices in Connecticut has been widely circulated and reported. That affidavit is particularly damning for NOVA and apparently NOVA now wants to restrict your right to read it.

On January 31st, NOVA’s lawyers filed an Emergency Motion to Seal the affidavit. No ruling has yet been made by the court. NOVA Benefit Plans, Benistar 419 Plan & Trust, Grist Mill Trust, US Benefits Group and others – all players or promoters in welfare benefit and 419 plans – filed the motion.

During the investigation leading up to the raid of NOVA’s headquarters, several undercover IRS special agents posed as potential customers. The agents recorded conversations with senior company officials. These officials all but admitted the program was a scam. These recordings are transcribed in part in the search warrant affidavit. Apparently the promoters don’t want their clients hearing the truth – the truth that they probably have sunk hundreds of millions of dollars in abusive tax shelters. Investments that NOVA said were legal.

In one conversation, a NOVA representative discussed how easy it was to claim a disability and withdraw one’s money from the plan tax-free. He told the undercover agent, “We’ve never denied a claim? I recently, I don’t want to say the client’s name, but he went through a minor surgery, had a little-had a mole removed off his elbow I think and left a little scar the size of a pencil eraser, and, you know, that-that qualified.”

When discussing the “independent plan trustee” that must approve the claims, a Nova representative is recorded saying, “I, I’m gonna put this very simply for you, we control the trustee, okay, and I, I don’t mean that in a bad way. He’s independent but he’s part of the family and we control the stuff that happens, we have ways to make stuff happen?It’s best for us to pay out as much claims so when it times for us to fight this in tax court, we can play and sing the welfare benefit song.”

Why NOVA and its progeny now want to silence the truth is baffling. The affidavit has been unsealed for several months and multiple copies exist on the Internet.

Company lawyers have also disclosed in their own filings how 50 “heavily armed” IRS agents raided their offices and carted off a “tractor trailer” full of documents. Not the thing to say if you wish to keep your clients thinking everything is fine.

What are the real reasons for filing the motion? That too is a secret, at least for now. Plaintiff’s Emergency Motion to Seal filed January 31st is itself sealed.

Keeping the truth from clients, vendors and the public does not engender trust. It makes it look like the companies and their officers are as guilty as the IRS says they are.

If you purchased or invested in a welfare benefit, contact a qualified tax attorney or CPA well versed in welfare benefit plans. The stakes are very, very high. The attorney or CPA should be able to help you unwind the plan, amend returns and help abate the penalties that will certainly follow. An attorney can also represent you if the matter goes to tax court, if you elect to bring a lawsuit to recover your losses or if you become the target of a criminal investigation.

Penalties can be as high as $100,000 to $200,000 per year for having an unqualified or unreported plan.

Originally published here.

It was not until 1986 when a law protecting whistleblowers is made. Congress added an anti-retaliation protection to the then existing False Claims Act.

A whistleblower is a person who tells on something he believes is an illegal act. The employees are the most commonly known whistleblower. They tell on their employers which they suspect is doing or committing an illegal act.

Under the Whistleblower Protection Law, the employee should not be discharged, denoted, suspended, threatened or harassed in any form that discriminates the terms and conditions of his employment because of the legal act done by the employee.

The employee may be of aid in many ways possible on the investigation, testimony and the likes. However there are some constraints under the whistleblower protection law.

Reporting illegal acts that are only within the company is a ground for exemption. But still there may be public policies that could protect the employee from retaliation

If it turns out that an employer didn’t actually break a law, the employee is still entitled to whistle blower protection from retaliation, if he reasonably believed that the employer committed an illegal act.

The whistleblower protection law does not cover employer retaliation for complaints about personal loathe. Office politics is not to be used as a basis for filing a complaint against the employer and use the whistleblower protection for personal gain.

In order for the employee to be protected from employer retaliation, he may the have a suspected desecration of any Federal Law. But the supposed violation should have provisions that the law violated will protect whistleblowers.

The Whistleblower Federal Law, unlike the False Claims Act, allows the whistleblower to file a lawsuit in a federal court. The Federal Whistleblower Law does not permit the whistleblower to go directly to the court.

The individuals concerned are pursued administratively. These individuals concerned could file a complaint or charge to retaliate with or without a lawyer to represent them. However if the case is not resolved immediately, the administrative law judge may then preside over the only evidentiary hearing that may take place.

A whistleblower should not attempt to delay an investigation of the possible legal remedy. To maintain this ruling, the retaliation should then be brought to the attention of an appropriate government official within 30 days, else the complaint could not be pursued.

Most states have some sort of statutory or common law “whistleblower” or anti-retaliation laws. Like the federal whistleblower laws, not every lawyer will know about these laws, especially laws outside their own state.

These states and the District of Columbia have recognized a public policy exception to the “employment at will doctrine”: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.

Some states have explicit statutory protections for whistleblowers. These include: California, Connecticut, Delaware, Florida, Hawaii, Louisiana, Maine, Michigan, Minnesota, Montana, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oregon, Rhode Island, Tennessee, and Washington.

There are also state laws that offer special protections just for their own state or local government employees: Alaska, Arizona, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Missouri, Montana, Nevada, New Hampshire, New Jersey, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Washington, West Virginia and Wisconsin.

Originally published here.

James Monahan is the owner and Senior Editor of
WhistleblowerBuzz.com and writes expert
articles about whistleblowers.

Hurray, another end of the year list. This one though (from Bank Info Security) is not reviewing the top movies, songs, celebrities but, the miserable failures in data security of 2008. With nine more days until the end of 2008, this post could be pre-mature. Data breach threats show no regard for end of the year holiday parties and frivolities.

The data breach incidents of 2008 include the old stand-bys of lost tapes and data due to mistake and theft but also reveals an increased use of break in technologies to steal information from data bases. Numerous “hacking” incidences and infected computer systems not only resulted in millions of dollars in cost to businesses but exposed large numbers of consumers to fraud. Stolen data has to go some where and can be held in reserve for use at a later time, possibly changing hands often before reaching a perpetrator. Data is a commodity. After all, identity theft is a business – suppliers, middle men and end users are the norm, just like in any business.

At least one of these breaches began in 2007 and continued into 2008 due to law enforcement action. Last year’s breaches while not lacking of hacking incidents, were focused more on missing data. For comparison purposes, below the top 10 list find links to stories looking back on 2007 and a link to a comprehensive multi-year listing. APRPEH is currently taking predictions of data loss stories for the end of 2009.

For accuracy purposes, it is important to recognize the difference between lost back up tapes or disks and stolen computers, hard drives or data devices and must be further differentiated from data lost due to hacking, viruses, malware – any active invasion of data storage systems for the purpose of stealing information. It is this last category with its obviously pernicious intent to steal data (vis a vis hardware) which represents a greater threat equation for consumers. The ‘how was it stolen’ question makes a huge difference in predicting whether or not consumers are likely or unlikely to become victims of identity theft.

Top 10 Security Breaches of 2008 – Bank Info Security
Ghost of Christmas Past (TJX) Still Casts Specter on Present and Future
Linda McGlasson, Managing Editor
December 22, 2008

From Hannaford to Countrywide to the Bank of New York Mellon, 2008 has been a year of high-profile security breaches in or impacting the financial services industry. Here’s our list of the top 10 – and lessons that should be learned, so we aren’t back revisiting these issues in ‘09.

1. TJX Case Winds Up, Arrests Made

Earlier this year, The TJX Companies (parent of retailer TJ Maxx) settled in federal court and paid out millions to its federal regulator, the Federal Trade Commission, banking institutions, credit card companies and consumers to bring to a close the court cases that had threatened to overwhelm the company.

The August arrest of 11 alleged hackers accused of stealing more than 40 million credit and debit cards brings law enforcement closer to closing what is still the largest hack ever. The U.S. Department of Justice brought charges against 11 alleged hackers from around the globe. Some of the hacking gang were nabbed and brought to the U.S. to face trial alongside three U.S.-based defendants. Two of the defendants, Christopher Scott and Damon Patrick Toey, have already pled guilty in the case. Others including the ringleader, Alberto Gonzalez, await trial.

Lesson Learned: The wide-range of the perpetrators brings to light something that those in the cyber intelligence realm have known for some time: Criminal hackers are part of a very mature and multi-billion dollar industry that reaches around the world. No organization is immune to the threat.

2. Bank of New York Mellon

An unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing on Feb. 27, after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers – including several hundred thousand depositors and investors of People’s United Bank of Connecticut, which had given Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

Lesson Learned: For Bank of New York Mellon, know that when data is released to a third-party that their security is as good or better than yours. Encryption isn’t just something that is good for the data held at an institution; it’s also something to consider for data that leaves the institution.

3. Hannaford Data Breach

In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by the hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.

The affected banks and credit unions were forced to reissue the credit and debit cards. Within two days of the breach announcement, two class action suits had been filed on behalf of customers against the retailer. The retailer claims its systems were PCI-compliant and had passed a PCI assessment shortly before the hack was discovered.

Lesson Learned: The case is still open, and forensic reports by security investigators brought in by Hannaford have not been made public. The PCI Security Council has pledged that if the PCI requirements are found to be wanting in light of the report, they will make changes to tighten the requirements. Cases such as Hannaford may be the impetus behind legislation to require prompt notification of a data security breach.

4. Countrywide Insider Theft

In August, a former Countrywide Financial Corp. senior financial analyst, Rene Rebollo, was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. How he did it over a two-year period was to download about 20,000 customer profiles each week onto flash drives, working on Sunday nights, when no one else was in the office. Rebollo then took the excel spreadsheets to business center stores to email to buyers.

Countrywide, now owned by Bank of America, was already facing money and reputation issues because of the subprime loan meltdown before it faced the insider threat of Rebollo.

Lesson Learned: While Countrywide and Bank of America now know firsthand what a rogue insider can do, other institutions need to do a better job of monitoring their employees and creating asset controls. As the economy continues to produce layoffs, this threat may become even more so, as fearful employees look to cash in on their trusted status and take data just in case they face unemployment.

5. GE Money Backup Tape Goes AWOL

Early in January, Iron Mountain said it could not find a backup tape that belonged to GE Money, containing information on J.C. Penney customers and 100 other retailers.

The tape was stored in an Iron Mountain vault, says an Iron Mountain statement issued about the loss, and had been requested by GE Money in October 2007. The tape contained the personal information of about 650,000 J.C. Penney customers and the other 100 retailers. GE Money processes credit cards for those retailers. As a records and archive company that specializes in records management, Iron Mountain was at a loss to explain the tape’s whereabouts.

Iron Mountain said it was an unfortunate case of a misplaced tape, but asserts that there was no evidence that the information was obtained and used by unauthorized persons. The missing tape also included about 150,000 social security numbers.

Lesson Learned: While GE Money paid for credit monitoring for the 650,000 credit card holders, Iron Mountain may have learned to better monitor where media is located. For the rest of companies that hold information of a personally identifiable nature, there is another reason to keep it safe from prying eyes. The cost of an average data breach can hit a company’s bottom line. According to a study conducted by the Ponemon Institute, an independent information security and privacy research group, data breaches are costing businesses an average of $197 per customer record, up from $182 in 2006.

6. RSA Report: Half-Million Banking ID’s Stolen

In November, security vendor RSA said it found a single Trojan that had taken more than 500,000 online banking accounts credentials, credit cards and other resources. The company’s Fraud Action Research Team added that the hacking gang behind the Trojan may have been operating for as long as three years. The compromised data came from hundreds of financial institutions around the world.

Lesson Learned: The Trojan Sinowal is so tricky that the average institution or customer would not even know that they are infected with it. Taking a professional, defense-in-depth approach to protecting a network and customers is the best remedy.

7. Compass Bank Hard Drive Stolen, 1 Million Accounts Taken

At the sentencing of a former bank programmer at Compass Bank in Birmingham, AL. in March, it was revealed that the accused had stolen a hard drive with 1 million customer records and used it to commit debit-card fraud. James Kevin Real is now serving a 42-month sentence and was ordered to pay back the more than $32,000 that he and an accomplice withdrew from Compass Bank customer accounts. The bank claimed that the customer records contained limited information, but Real was able to create 250 counterfeit debit cards. He used 45 of them to access and withdraw cash before being arrested.

At the time of Real’s sentencing, Alabama was one of 11 states that didn’t require companies to automatically notify customers of data breaches.

Lesson Learned: Compass Bank dodged a bullet in terms of cost on this breach. It would have had to notify all 1 million customers of the compromise of their data had the hard drive theft been in a state that requires notification. Other than the 250 customers that Real took money from, no other customers were notified of the data loss. That means that 999,750 of the other 1 million customers weren’t notified of the potential risk.

8. Ski Resort Okemo Suffers Hannaford-Like Data Breach

In an attack similar to what hit Hannaford Brothers in March, the Okemo Ski Resort in Vermont said in April it had been hit by hackers that installed malicious software to capture credit card data as it was being processed at the resort. Law enforcement officials at the time said they were investigating as many as 50 other similar incidents in the Northeast.

Lesson Learned: PCI compliance is like a driver’s license — it may mean that a retailer has passed the test for compliance, but doesn’t necessarily mean it is in compliance.

9. Retailer Montgomery Ward

Six months after a breach happened at the parent company of the Montgomery Ward website, the company Direct Marketing Services finally began notifying customers that their credit card information was stolen in the hack. At least 51,000 records were stolen out of a database in December, 2007.

Direct Marketing said it had promptly contacted its payment processor and Visa and MasterCard, and it also notified the U.S. Secret Service.

Lesson Learned: Direct Marketing Services was forced into contacting the customers after the company CardCops, an investigative firm that tracks credit card thefts for the financial services industry, found more than 200,000 payment cards being offered for sale on an Internet chat room often visited by card thieves. Better to take the public relations role and confess the breach than possibly face data breach notification lawsuits by consumers and state attorney generals.

10. More Than $5 Million Taken By ATM Capers

The Automatic Teller Machine capers are hitting everywhere. In June, two men were charged with making hundreds of withdrawals from New York City ATMs, grabbing $750,000 in the process, using stolen information from a previous computer intrusion into a Citibank server that processes ATM withdrawals. One of the same accused also allegedly took $5 million in withdrawals from iWire prepaid MasterCard accounts.

Lesson Learned: While Citibank denied the indictment’s charge that their server had been breached and blames a third-party transaction processor for the compromise, it still meant it had to notify and reissue new debit cards to those customers that the bank believed were exposed to increased risk.

The Top 10 Data Breaches of 2007 – CSO Online

Originally published here.

APRPEH is a seasoned identity theft investigator having helped numerous consumers with identity theft matters.