Hewlett Packard has acknowledged investigating its own directors to determine who was leaking company information, after HP Chairman Patricia Dunn was angered by a News Story about HP’s long-term strategic plans.
However, the outside firm used by HP in its investigation appears to have used a controversial tactic called “pretexting” to gain access to its directors’ phone records. Pretexting–misrepresenting your identity to gain access to privileged information–is illegal under federal law with regards to financial records, but the law is murkier when it comes to telephone records.
HP claims that pretexting is “not generally unlawful,” but that it can’t conclusively say that the agencies it employed to track down the source of the leak stayed within the bounds of the law. So what did HP do? What is the law? What penalties might HP face? Here are some answers that help explain the current situation.
In a filing with the Securities and Exchange Commission on Wednesday, HP acknowledged that it investigated its own board of directors to discover who leaked information that led to a News.com story about HP’s future strategic plans. HP also said that the outside firms used to obtain the identity of the source of the leak might have used a technique called pretexting to obtain telephone records of calls made by HP directors from their home phones and cell phones.
Pretexting involves posing as someone you are not to get information from a company. An individual will call up the phone company, or visit its Web site and attempt to bluff his or her way into obtaining confidential information by pretending to be a certain customer.
In a letter to HP’s board, Tom Perkins said his accounts were “hacked,” and attached a letter from AT&T explaining how the breach occurred. Records of calls made from Perkins’ home phone were obtained simply with his home phone number and the last four digits of his Social Security number. His long-distance account records were obtained when someone called AT&T and pretended to be Perkins, according to the letter from AT&T.
While there is no specific federal law prohibiting pretexting for telephone records, there are some general civil prohibitions that probably apply. When it comes to financial records, pretexting is clearly illegal. Legislation is pending in both the House of Representatives and the Senate that would make pretexting for telephone records a criminal offense, but after a flurry of activity earlier this year concerning companies selling phone records on the Web, not much has happened.
The Federal Trade Commission has tried to prohibit telephone pretexting under Section 5 of the FTC Act, which bars “unfair or deceptive acts” in business practices. It has filed several lawsuits this year against companies that sell phone records on the Internet.
But things are different in California. The state is investigating HP’s actions under two statutes: one concerning identity theft and one covering obtaining information illegally from a computer system
It’s usually a misdemeanor in California, but it can be a felony in certain situations. Under one statute, the misdemeanor can be punishable by up to six months in prison or a $2,500 fine.
Phone companies like AT&T are already barred from selling or distributing your customer proprietary network information (CPNI), or the basic-calling information that appears on your bill every month. Pretexting involves the use of duplicitous or sly techniques to obtain that information by individuals pretending to be someone else , and slick telephone shysters are probably here to stay.