Two days ago, on September 12, Hewlett-Packard's ("HP") non-executive Chair, Patricia Dunn, resigned -- amid news stories claiming she used subterfuge to gain access to the phone records of board members and journalists, in an effort to root out a suspected boardroom snitch.
How did Dunn obtain the records? It seems likely that she employed the services of a private consulting firm, which may, in turn, have used "subcontractors" or private investigators. The PIs may then have gained access to the phone records via a deceptive practice known as "pretexting" -- impersonating someone else as a means of getting access to confidential customer data.
Phone records are only one kind of records "pretexters" seek; they may also be after other customer account information and Social Security numbers. And their clients' motives vary - as the Dunn example shows. Some of those who hire pretexters seek to catch cheating spouses, but others have very different goals. (While "pretexting" has been around as long as PIs have been, it has been making headlines lately due to scandals like HP's.)
Fortunately, in these days of increasing privacy concerns, lawmakers and businesses are cracking down on pretexting.
In this column, I will briefly explore possible federal and state-law remedies against Dunn and/or her private investigators - and possibly against HP itself, insofar as she was acting on the company's behalf.
As I will explain, though such remedies do exist, the HP incident emphasizes the need (which I also noted in a prior column) for a clear federal statute which outlaws pretexting for phone records, in particular. Such a law should also permit private civil suits to be brought seeking money damages for the harms pretexting causes.
The Basic Facts Admitted or Unearthed So Far
Last week, HP admitted that Dunn had hired private investigators to ferret out directors leaking confidential corporate information to the press, and that those investigators had posed as board members to gain access to their personal phone records.
HP also acknowledged that it had used the same practice to gain access to journalists' records (in an effort to uncover to whom leaks were being made). HP's targets reportedly included, among others, journalists from the New York Times, the Wall Street Journal, CNET and other media outlets. In acknowledging that journalists' records had also been obtained, the HP noted that it would apologize to each one. "HP is dismayed that the phone records of journalists were accessed without their knowledge," a company spokesman, Michael Moeller, said in public reports.
A senior HP official indicated earlier this week that the effort to obtain phone records commenced in January 2006, after an article appeared on CNET that provided an insider account of an HP management meeting. Those revelations prompted Dunn to order an investigation of the leak.
HP has refused to divulge the names of the consultants it retained or any subcontractor that was used to "pretext" for records. The company has said, however, that the outside consulting firm was asked to conduct its investigation using legal means. In response, the firm reportedly told HP that its methods were legal.
Were Any Laws Broken In the HP Scandal? And Who Can Enforce Them?
Since 1999, federal law prohibits pretexting in order to gain access to bank and financial records.
In addition, under federal law, the act of pretexting over the phone or via fax may constitute the crime of wire fraud. The subcontractor may be the immediate perpetrator. However; if HP or Dunn knew of the crime, it is possible they committed the crime of aiding and abetting, or engaged in a criminal conspiracy.
What about state law? Most states' laws do not render the act of "pretexting" itself illegal. (Maryland and a few other states have recently passed laws specifically prohibited pretexting to gain access to phone records). But some state laws may nevertheless be triggered by the HP scandal.
For instance, the California Attorney General is investigating possible violations by HP and/or Dunn and/or the subcontractor of the state's identity theft statute, and/ or its statute criminalizing unauthorized access to a computer database. Both of these statutes have been used to prosecute data brokers who have illegally obtained phone records; both may also apply in the HP situation.
The Federal Trade Commission (FTC) also has the authority to go after pretexting as an unfair or deceptive trade practice; surely, pretexting - which involves outright lies - is deceptive! During the past few months, for instance, the FTC has pursued five data brokers for allegedly selling phone records to alleged pretexters. But as of yet, the FTC agency has not fully outlined what types of pretexting it will target. Some state attorneys general have pursued similar state law claims against data brokers that engage in pretexting.
Other Cases Also Show How Easy It Is to Get Unauthorized Access to Phone Records
It's not just the HP case, moreover, that shows how easy it is to get unauthorized access to phone records. The pretexting typically takes place on the phone, or via access to a phone company website. All the pretexter typically needs to know, besides a customer's name and phone number, is the last four digits of his or her Social Security Number.
In May, AT&T discovered that hackers had obtained access to customers' accounts via its website. It recently filed suit in federal court in San Francisco, identifying defendants by tracing their IP addresses. The hackers apparently proceeded by providing AT&T customers' telephone numbers, plus either the last four digits of their Social Security Number, or their three-digit AT&T customer code.
The hackers then registered e-mail addresses (in the named of existing customers) to establish online AT&T billing accounts. Using such online accounts, they could then access a real customer's billing records, including all numbers called.
Meanwhile, Verizon Wireless and Cingular have also filed lawsuits in their own attempt to curb pretexting. These lawsuits have included causes of action for fraud, conversion of property, unfair and deceptive acts, and authorized access of a computer without authorization in violation of the federal Computer Fraud and Abuse Act.
It is clear that there are multiple options for pursuing pretexters.
It's Time for Congress to Pass An Anti-Pretexting Law With Civil Remedies
At the moment, the FTC and telephone companies have an incentive to fight prextexting: The practice has made major headlines, and they would like to follow bad publicity with good publicity. Will this zealousness continue? It is difficult to tell.
Recently, Congress has considered enacting several laws that deal specifically with pretexting for phone records. Some of the pending legislation would establish that pretexting is not only a crime, but would also create a private cause of action so that individuals whose privacy has been violated can sue the culprits directly. For this reason, the Act should be passed - to provide a remedy for those whose private records have been revealed by acts of deception.
Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.