IRS Form 990: The Investigator's Friend

Posted by Philip Segal on May 19, 2013

If we had five dollars for every time someone asked us to get hold of someone’s bank accounts (pretty much always against the law and therefore off-limits), we would have enough money to buy a lovely lunch for two.

Sometimes, people who call us perk up when we inform them that non-profit organizations in the United States are usually required to file an income tax form that becomes part of the public record.

The Internal Revenue Service is much in the news these days, and while its treatment of applicants for tax-exempt status has received lots of attention elsewhere, talk of non-profits always reminds us of the gold mine available to fact gatherers when a non-profit – once finally granted that status – gets to the point of filing its return.

The return is put on IRS Form 990, the idea being that if the public is foregoing the benefits of normal income tax payable by ordinary corporations, it has the right to look at the activities of companies that get a tax break. Religious organizations and very small non-profits are exempt, but most of the “501(c)” companies (named after the section of the tax code that governs them) do have to file.

The 990’s are often available on a company’s website, or else from guidestar.org or your state’s organization that governs charitable organizations.

A couple of caveats: not every piece of information about a non-profit is public, which is why part of the emerging scandal today involves leaks from within the IRS to news organizations about the activities of some charitable organizations generally opposed to some of the current U.S. government’s policies. Certain information is redacted from the 990 forms. If it were not, there would be no need to leak them to anyone.

The other warning is the same that we provide to clients about any other public information: it’s often just a starting point that requires a human brain to make sense of it.

We were once asked to investigate a non-profit, which turned out to share its premises with a boutique investment bank. The relationship between the two was unclear. From the 990 forms, we were able to see how much the non-profit paid each year in rent. We then visited the office (no litigation was pending so there was no worry about the no-contact rule that governs attorneys). 

We were able to estimate what square footage the charity occupied within the office, owned by a commercial developer, and what the going rent for such an office would be. We then concluded that the bank was subsidizing the non-profit handsomely, but that subsidy appeared nowhere on the 990 form.

Probing further, we saw that the African country the non—profit operated in was the same one in which the bank was pitching to do a huge deal. Plausible hypothesis: the bank was paying the non-profit for influence in that African country.

And all of this from a single line on a public tax form.

 

Privileges, Immunities, and Good Investigation

Posted by Philip Segal on May 03, 2013

What does the Supreme Court’s decision this week about the Privileges and Immunities Clause mean to investigators?

That they need to continue having a good national network to help one another.

investigation network.jpg

The Court this week upheld unanimously a Virginia law that grants the right to see documents under the state’s Freedom of Information Act (FOIA), but only to citizens of Virginia.

Investigators care about this kind of law, and many like it that restrict the kinds of information we can get. A fire inspection report in Tennessee, or some official record in Virginia? Local residents only.

We have been able to get around such laws for years, by hiring a citizen of the state in question to make the request. Since there is an unquestioned right to access certain public records, our Virginia or Tennessee agents need not reveal the purpose of their information requests, nor do they need to say they are acting as agents for companies out of state.

There is another reason to use cut-outs to gather information, however: in smaller jurisdictions, clerks talk and could tip the subject or the local papers that a search is underway, and in some cases the subject of the FOIA request may be notified that a public record about him has been requested.

For that reason, it may be prudent if you are sitting in New York to get a Texas agent to ask for a federal document in Washington, for instance.

One more tip when using agents to make requests for you. Don’t tell them why you need the documents, and request one or two unrelated documents to throw them off the track of why you are hiring them at all. Then if your agent gets unduly talkative when doing his job, there will be fewer beans to spill.

The Masters: In Golf, Facts and Law Just Like in Real Life

Posted by Philip Segal on April 14, 2013

tiger woods.pngThere has been no end of snobbery over the years that makes fun of the conservatism of golf: so much space to serve so few athletes, the cost to the environment, the exclusivity of the private clubs, and so on.

But this fascinating New York Times article made clear to me that in one respect, golf is far more democratic – and open to just outcomes – than many other sports. Its dispute resolution is also more like the kind of deliberative and open minded approach we tend to look for in our justice system. Namely, the idea that the testimony of credible witnesses should be admitted as evidence to be weighed by a finder of fact.

For an investigator who tells clients every day that talking to more people gets you closer to the truth than talking to fewer people or nobody, this was nice to see. We’ve written extensively about the power of interviews in Talk Isn’t Cheap Even When Offline  and Good Investigations: A Second Opinion on Almost Everything.

By now, sports fans know what happened at this weekend’s Masters golf tournament in Augusta, Georgia. Tiger Woods broke a rule about where he was allowed to replace a ball that had fallen into the water, but officials missed it. But since this is golf, Woods was penalized after a television viewer alerted Club officials that Woods had broken a rule. A review of television footage confirmed that the viewer was correct.

If a professional hockey player trips an opponent and this isn’t seen by a referee, there is no penalty. A perfect baseball game pitched in 2010 by Armando Galarraga was spoiled because an umpire, Jim Joyce,  made an incorrect decision that was not appealable (even though Joyce knew after watching a replay that he had blown the call).

The “sentence” given to Woods (two strokes instead of disqualification) was criticized as being too lenient, just as civil and criminal penalties can be seen to lack sufficient deterrent effect.

Still, the fact that many people may contribute to gathering evidence should makes golf a little more palatable to those who think it an outdated game with little redeeming value.

 

A Cyprus Reminder: For Money and Other Data, There IS No Cloud

Posted by Philip Segal on March 26, 2013

Why is it that we would never decide to put $100,000 in the bank and tell people our deposits are “in the cloud,” but we readily do so with data that could be worth many times more than that?

Cloud computing investigations.jpg

This week’s drama in Cyprus, in which a lot of people have seen their money vaporized before their eyes, is a healthy reminder that money and data are the same thing: bits of information stored on a computer that is, for legal purposes, very much below the clouds and in a particular legal jurisdiction.

Consider the argument by the U.S. Attorney for the Eastern District of Virginia, here, who argues that because certain computer servers for the SEC and other organizations are located in his patch, he has jurisdiction to go after defendants in out-of-state securities frauds and alleged international copyright pirates.

Whether or not he prevails in his argument, the location of the server on which someone’s data resides is going to determine whether or not there is a legal fight over jurisdiction. That’s going to increase legal costs and headaches, never mind what happens if the U.S. Attorney is successful.

This kind of thing gets covered every year in good depth by Stanford’s annual conference on best practices in e-commerce, where I was warned a few years ago that if employee data from the U.S. gets moved to a server in a country with stricter privacy laws (say, France or Germany), then getting that data back could be a problem if it violates those stricter laws.

That hit home at the time, because just a few months before when I was shopping around for a payroll service for our firm, I asked a higher-cost provider why his competition was so cheap. “Their server is in India, and ours is in New York,” was the answer.

It's cloud illusions I recall

I really don't know clouds at all

--Joni Mitchell

Big Data? Good Investigators Prefer Their Data Small

Posted by Philip Segal on March 12, 2013

When you see two big book reviews and an entire special section of The Wall Street Journal devoted to a topic, a curious person should ask: how does this affect me, my family, my business, the worldBig Data.jpg?

The book is Big Data: A Revolution that Will Transform How We Live, Work and Think and one its authors, Kenneth Cukier, is a former colleague of mine. The book has received excellent reviews and deserves to be read by anyone who wants to understand what’s going on in a big sector of world business.

It’s clear that Big Data – the ability today to process more information about people than ever before – has huge implications for businesses. But its effect on a good investigation? Harder to see.

Good investigators don’t care if 68 percent of people who drive Cadillacs also eat at a steak house once every seven weeks. That may be a statistic worth something to steakhouse owners looking for new customers or Cadillac dealers wondering which kind of restaurant social network to link to.

But for us? Hard to see how it will help. Investigations are done one at a time. If we need to know exactly where someone is going to go on a certain day, we need to follow him.

It’s not good enough to know that many of the people in his congregation have summer homes in a particular part of Pennsylvania: if we are doing an asset search, we need to see if HE has a home there. Then we need to be able to prove it.

That’s where big data stops and investigation takes over. Big data is about probabilities, and investigation is about evidence and proof.

Of course, courts do not reject statistical evidence all of the time. The now-famous series of Shonubi decisions in the Second Circuit are well documented here. But given the choice between a statistical probability and hard proof, why would anybody who needed help with fact finding prefer the former?

When Go Turns to Stop in an Investigation

Posted by Philip Segal on March 06, 2013

When does green not mean go? As toddlers we drive with our parents and learn that green means go, yellow means caution and red means stop. But then later on, in driving and in life, we learn that green means “go, as long as…”

Private Investigator Ethics.jpgIn New York, green means go but you still need to “yield the right of way to other traffic lawfully within the intersection or an adjacent crosswalk at the time such signal is exhibited,” according to the statute. If you have a green arrow, you may “cautiously” enter the intersection.

What does any of this have to do with investigation? Plenty. When a client asks us to gather information, we assume until told otherwise that we have a red light as to picking up a phone and calling people. As we tell clients every week, there is always a chance that the person you are investigating will find out about it once you start calling around and asking questions about that person. The decision to take a chance that an investigation will surface belongs to the client.

Now suppose the client says, “Go ahead, green light to call people.” Does that mean the light stays green for the rest of the investigation or even the rest of that day? Not necessarily.

If we call Mr. Garcia to ask about Mr. Stein, we are on yellow and not green, whatever the client may think. That’s because if it turns out Mr. Garcia is represented by an attorney in this matter, the light turns red and we have to terminate the call so as not to violate the no-contact rule of professional ethics. The light is also yellow until you make sure to tell the person you are interviewing that you don’t want to find out any information that’s privileged or confidential. We wrote about this in Trial Ethics: A Template Can Save Your Life.

In what other situations would the light turn from green to red?

  1. The client changes his mind for any reason and tells us to stop calling.
  2. We find out that despite our best efforts and warnings that it could happen, our investigation has made its way back to Mr. Stein. We may then need to call the client to get permission to continue calling.
  3. The client instructs us to use the phone to obtain information we are not allowed to get, including bank accounts, phone records and medical records. The client is normally king, but nobody can prevail on us to violate a statute.

 

 

The Library's Hidden Treasure: Librarians

Posted by Philip Segal on February 20, 2013

When they’re stuck on a piece of research in my course on fact investigation, I often tell my law students that the loneliest people in the world are waiting to help them: reference librarians. That line came to mind this week after I read a blog entry by Kevin O’Keefe of Lexblog, who asked in a thought-provoking post: “What’s the relevance of your public library in a digital world?”

Library.jpg

Kevin rightly notes that public libraries are wonderful refuges from the commercial world. Content there is free, as opposed to just less expensive than something in print. Another perspective advanced by Emily Badger in The Atlantic this week is that libraries can act as incubators for new ideas as they did in Alexandria 2,200 years ago.

As importantly for the kind of work we do, there is no commercial consideration in the advice the reference librarians can offer. We have written about the commercial aspects of Google many times, for instance in our entry A Fact-Finding Test for Lawyers and Google is Not a Substitute for Thinking.

What we often have to explain to clients is that it’s not enough to have a lot of information at your fingertips if you don’t know how to sort through it. Even knowing where to look can be a challenge.

Imagine the world of U.S. public records – every city and county clerk in the country as a one big library. You want to find court or real property records involving a person, but where do you begin? If you think that he lives in “Atlanta,” which county do you mean? There are about 20 in the greater Atlanta area. Can you get records on line at the county you need? Is the online database reliable, or do you need to search the database in the courthouse itself? We find on-site searching is nearly always mandatory for a thorough search.

At the real public library (or at your high school or university library), the same bewildering choice of sources awaits. For anyone interested in not missing a critical source, the reference librarian is your best friend. Paid for not by the highest bidder, but by taxpayers or the institution to give you impartial and helpful advice.

What a bargain.

Bare Minimum: How to Make Your Gmail Messages More Secure

Posted by Maria Matasar-Padilla on February 08, 2013

Well, another day, another email hacking story. This one involves the Bush clan, with reports that a hacker who goes by the name Guccifer accessed private emails and photographs, telephone numbers and addresses sent between members of the Bush family, including both former presidents. Among the data released are catty emails about Bill Clinton, photographs of the ailing senior Bush in the hospital, and a security code to one of the Bush homes. The Secret Service is investigating the matter.

We know that despite stories such as these, many of our clients and colleagues are unwilling to take more sophisticated measures to ensure secure email communications, some of which are detailed in our article on the General Petraeus scandal, "Lessons Learned." For example, they are still unwilling to encrypt their messages (see our entry "Why You Should Encrypt Your Data Now" for a primer on encryption). And they fear that a service like 10 Minute Mail, which sets a self-destruct timer for messages and email addresses 10 minutes after a message is opened, is too extreme and potentially impractical.  Some even refuse to get off of Gmail, even though Google admits that it scans email content for marketing purposes. A point Microsoft is happy to exploit in a new campaign to get people to switch over to Outlook.

Short of deleting your Gmail account, what is the bare minimum you can do to make your Gmail communications more secure? A few simple adjustments would provide some peace of mind:

  • Google offers the option of two-step verification to sign in, which is a lot more secure than just using a password.  First you enter your password, which hopefully is hard to hack, and then you receive a code either via text, voice call or Google mobile app that needs to be entered as well. Google offers the option to have this two-step process every time you log in, which we think is best, or at least whenever you use a different computer. That way if someone is trying to access your email from another computer, you’ll receive a request for a code that will notify you that someone is attempting to infiltrate your account.  You can activate this feature via Accounts and then Security.
  • Google provides a list of your Last Account Activity to track where and when your account was most recently accessed. The list details what IP addresses most recently tried to log into your account. Click here and here for lessons on how to determine your IP address. And remember that your smartphone may also access your account, so you need to determine what its IP address is too. You can access the link to this data below your list of messages.

Sealed Court Documents During Due Diligence

Posted by Maria Matasar-Padilla on January 31, 2013

Sealed Court Documents.jpgOver the past few days we’ve dealt with two cases where our clients were deeply invested in the question of whether or not the contents of sealed court documents could be made public. And our answer to both of them was the same: If someone knows about the documents, some of the information might be obtainable.

In the first instance, we were engaged to complete a thorough background check on a potential business associate. Over the past several years, the potential associate had been the subject of numerous lengthy newspaper and magazine profiles, most of which mentioned his criminal past.  The articles provided a broad overview of the events that led to his arrest, and noted that the charges were eventually dropped when his victim refused to press charges, and the businessman successfully petitioned to have the rest of the case sealed.

Of course, the sealed documents prevented us from finding out the full details of the case. But the act of having the file sealed clearly failed to keep all the information from becoming public knowledge. Those details can come to light a number of ways:

  • As in this instance, press coverage of the original arrest with some of the key facts about the incident detailed can be pulled up during a thorough media search;
  • And interviews with colleagues or adversaries, including perhaps the assault victim himself or his family, who knew about the matter and are more than happy to share details.

In the second instance, our client asked if we could assure him that the sealed details of his contentious divorce would not come up if he was the subject of a due diligence search. The best way to learn what the public record says about someone is to do a complete and thorough public records search. Although we knew there were public records that were unobtainable, we went to the courts anyway to affirm that the files would not be accidently released. 

As we predicted, the sealed documents were not made available. Our client was relieved… until we reminded him that thorough due diligence would also include interviews with friends, former colleagues and associates. And if any of them knew any details about his divorce, they might reveal that information during an interview, even if they are not asked about that matter directly.  

As we mentioned in our blog entry, "The Key to a Good Interview Is Silence," a smart interviewer asks a lot of open-ended questions, and leaves subjects time and space to talk. It’s in those pauses that people tend to reveal information an interviewer may have not even suspected existed, and that a subject of a due diligence search may want most to keep hidden. The real issue then isn't whether or not the court will release sealed documents. The bigger concern is whether or not people will spill the beans.

 

Data Breaches in Small Businesses: Safeguarding Credit Card Terminals

Posted by Maria Matasar-Padilla on January 17, 2013

Credit Card Hackers.jpgWe have written here and here about the dangers of not having more sophisticated or complex passwords for technical devices and online accounts. We are also strong proponents of fighting hackers with encryption. None of this should come as a surprise to knowledgeable online users. Yet, as the press enjoys pointing out,  sometimes even self-professed tech geeks rely on easy-to-crack passwords, use the same passwords for multiple accounts or never bother to update the default passwords their devices and accounts came with in the first place. Whenever one of these articles is published or news stories air, you can virtually hear the echo of hands smacking on foreheads as people realize they’re guilty of the lazy practices hackers exploit. It stings to realize you’re the low-hanging fruit identity thieves love to target.

What gets less coverage, however, is how often small business owners are the weakest link in an identity theft chain. Certainly big businesses have been called out for serious data breaches, including misrepresenting whether or not their data was encrypted. But, as it turns out, personally taking pains to protect against hackers and identity thieves can all be for naught if thieves are accessing your digital data via the smaller businesses you frequent. This could include your favorite local restaurant, or the neighborhood Mom and Pop bookstore or boutique you proudly support. Take credit card terminals, for example: Small businesses are especially vulnerable to the plethora of ways hackers collect cardholder data via credit card terminals used to process credit card sales.

Here are some ways small businesses can protect their client’s data from credit card terminal breaches:

  • Some credit card terminals are set with a default password and a default programming code that vendors are supposed to change to ensure their clients’ credit card information is secure. Needless to say, many don’t make the effort, or use an easy-to-guess password, leaving themselves vulnerable to hacks. Insert hand-smacking-forehead sound here.
  • Some businesses scrimp on card terminals from reliable vendors with more sophisticated security measures. Of course, this isn’t to say that trusted vendors don’t make bad equipment, but in security, as in almost everything else, you get what you pay for. And better to pay for equipment from a vendor with a solid reputation and a good track record, and decrease the likelihood of getting hit with legal costs for data breaches.
  • Brazen hackers will go into a store pretending to be a service person sent to update or replace card terminals and actually be granted access to the terminals. Devices are then doctored to leak cardholder data.  This is akin to getting a phishing email that appears to be from your bank with a link to change the password on your online checking account. The take away is that no bank or processor is going to send out a service person without notifying the business first. If a technician claims otherwise, show him the door.
  • Sometimes hacks leave clues that there is a security breach. For instance, credit card data may be hacked by linking a credit card terminal to an external network or an external device. Card holder data is then funneled via this link. Any indication of this sort of external activity is a massive red flag that cardholder data is being leaked. Vigilant business owners will diligently monitor their connections. That way, they can track the traffic their devices generate, including whether any data is being transmitted to terminals or devices outside their network. If a leak is suspected, all traffic should be immediately stopped and the local FBI office should be notified.
View Older Posts