Just when it looked like Hewlett-Packard had recovered from its missteps of the past few years, a scandal involving its board chairman and investigative firms with questionable techniques threatens to derail the Silicon Valley icon's momentum.
The company has acknowledged investigating its own directors to determine who was leaking company information, after HP Chairman Patricia Dunn was angered by a CNET News.com story about HP's long-term strategic plans.
However, the outside firm used by HP in its investigation appears to have used a controversial tactic called "pretexting" to gain access to its directors' phone records. Pretexting--misrepresenting your identity to gain access to privileged information--is illegal under federal law with regard to financial records, but the law is murkier when it comes to telephone records.
HP claims that pretexting is "not generally unlawful," but that it can't conclusively say that the agencies it employed to track down the source of the leak stayed within the bounds of the law. So what did HP do? What is the law? What penalties might HP face? Here are some answers that help explain the current situation.
How did all of this come to light?
In a filing with the Securities and Exchange Commission on Wednesday, HP acknowledged that it investigated its own board of directors to discover who leaked information that led to a News.com story about HP's future strategic plans. HP also said that the outside firms used to obtain the identity of the source of the leak might have used a technique called pretexting to obtain telephone records of calls made by HP directors from their home phones and cell phones.
What is pretexting and how is it done?
Pretexting involves posing as someone you are not to get information from a company. An individual will call up the phone company or visit its Web site and attempt to bluff his or her way into obtaining confidential information by pretending to be a certain customer.
In a letter to HP's board, Tom Perkins said his accounts were "hacked," and attached a letter from AT&T explaining how the breach occurred. Records of calls made from Perkins' home phone were obtained simply with his home phone number and the last four digits of his Social Security number. His long-distance account records were obtained when someone called AT&T and pretended to be Perkins, according to the letter from AT&T.
Is this illegal?
While there is no specific federal law prohibiting pretexting for telephone records, there are some general civil prohibitions that probably apply. When it comes to financial records, pretexting is clearly illegal. Legislation is pending in both the House of Representatives and the Senate that would make pretexting for telephone records a criminal offense, but after a flurry of activity earlier this year concerning companies selling phone records on the Web, not much has happened.
The Federal Trade Commission has tried to prohibit telephone pretexting under Section 5 of the FTC Act, which bars "unfair or deceptive acts" in business practices. It has filed several lawsuits this year against companies that sell phone records on the Internet, an FTC representative said.
But things are different in California. The state is investigating HP's actions under two statutes: one concerning identity theft and one covering obtaining information illegally from a computer system, said Bill Lockyer, California state attorney general, in an interview with CNET News.com.
What are the penalties?
It's usually a misdemeanor in California, but it can be a felony in certain situations, Lockyer said. Under one statute, the misdemeanor can be punishable by up to six months in prison or a $2,500 fine.
Would HP Chairman Patricia Dunn, who initiated the investigation, be subject to the penalties?
It depends how the facts play out. If she specifically authorized the pretexting, she could be, but if she can prove she had no specific knowledge of such acts, she probably wouldn't be prosecuted, according to several lawyers.
Could my employer do this to me?
Not without violating the FTC Act or any specific state laws concerning pretexting. But this episode has demonstrated how very easy it can be to obtain phone records with personal information that every employer maintains, like a Social Security number and a home telephone number.
What can I do to prevent someone from obtaining my telephone records?
Other than encouraging your U.S. representative to vote in favor of stricter privacy laws? Or going back to smoke signals and carrier pigeons?
Phone companies like AT&T are already barred from selling or distributing your customer proprietary network information (CPNI), or the basic-calling information that appears on your bill every month. Pretexting involves individuals pretending to be you and using duplicitous or sly techniques to obtain that information, and slick telephone shysters are probably here to stay.
Many believe that the phone companies must do more to prevent the disclosure of personal information by strengthening the requirements for releasing it.
"AT&T has an obligation to put procedures in place to ensure that customer phone information is not disclosed to a third party," said Jason Oxman, a telecommunications lawyer. For example, it could move away from using Social Security numbers as identification numbers, or ask for permission a second time through e-mail every time someone requests CPNI.
In the meantime, ask your phone company to put a password on your account. And don't store the password in your voice mail.