Last week, Hewlett-Packard announced it will settle a lawsuit arising out of the alleged pretexting practices used in an internal investigation into leaks of confidential HP information. The $14.5 million settlement with the California Attorney General includes $650,000 for civil penalties, $350,000 for investigation and prosecution costs incurred by the AG’s office, and a $13.5 million "Privacy and Piracy Fund" for California state and local governments to conduct investigations into and prosecute privacy and intellectual property violations.
Without any admission or finding of liability, HP also agreed to a court-ordered injunction with a specific ethics and compliance oversight scheme that enumerates various corporate governance and training provisions. The injunction goes so far as to mandate direct line reporting of violations to the California AG’s office if a designated ethics and compliance Independent Director concludes that HP is violating California law or the agreed-to injunction in conducting investigations. This agreement between HP and the California AG’s office is instructive for all companies struggling with striking the appropriate balance between legal and ethics compliance and the need to conduct internal investigations. [See Goodwin Procter’s October 25, 2006 Client Alert "Pretexting: Another Landmine in the Field of Internal Investigations."]
The injunction, dated December 7, 2006 and filed with the Santa Clara Superior Court (the "Injunction"), focuses intently on HP’s corporate governance efforts, e.g., mandating audit committee charter changes, creating new executive positions and expanding others, mandating reports to the board and the audit committee, creating lines of reporting for the new functions, creating an expanded training program for all employees, creating a new compliance council within HP and mandating an outside authoritative expert for investigative practices. While noting HP’s cooperation and the responsive, voluntary corporate governance reforms it has already undertaken, the Injunction sets out a number of additional internal processes and controls that HP announced it had determined in consultation with the Attorney General and will maintain for five years. Among these are:
- designation of an independent director (the "Independent Director") to review and report to the board and the audit committee on HP’s compliance with legal and ethical requirements related to the conduct of investigations, and to review and approve the training program specified in the Injunction;
- appointment of a chief ethics and compliance officer ("CECO") whose job description is defined in the Injunction and will include oversight of compliance with legal requirements and ethical standards in HP’s investigative practices;
- retention of an expert in the field of investigative practices, designated as a "Qualified Authority" in the Injunction, to conduct a comprehensive review of HP’s investigative practices and to assist the CECO in making improvements where appropriate;
- expansion of the role of HP’s chief privacy officer to include review of HP’s investigation practices to ensure that they address matters related to privacy and ethics;
- expansion of HP’s employee and vendor codes of conduct to ensure that they include legal and ethical standards applicable to the conduct of investigations;
- creation of a Compliance Council, and details of its composition, within HP that will be responsible for developing, initiating, maintaining and revising policies and procedures for the general operation of HP’s ethics and compliance programs consistent with applicable laws and regulations; and
- redesign of HP’s annual training requirement to ensure that business ethics plays a more prominent role, and the provision of additional training to employees engaged in the conduct of investigations for HP.
The complaint of the California AG against HP, filed in court simultaneously with the announcement of the settlement, contains a claim for unfair competition under Section 17200 of the California Business and Professions Code, and mentions that the allegedly unlawful scheme of HP to spy on its own employees, directors, third parties and their family members also allegedly violated the California Penal Code sections prohibiting obtaining confidential information under false pretenses and using computers to execute a scheme to defraud in order to obtain wrongfully confidential data. The Injunction prohibits similar conduct going forward in connection with investigations, including conduct that would violate California’s new pretexting law to take effect on January 1, 2007. The prohibited behavior includes:
- using false pretenses or misrepresentations to obtain confidential or proprietary information, including customer or billing records, from a public utility;
- unlawfully obtaining or using personal identifying information, including social security numbers;
- knowingly accessing and without permission using any data from a computer, computer system or network to execute a scheme to defraud or to wrongfully obtain property;
- knowingly accessing or without permission using any data from a computer, computer system or network or taking or copying any supporting documentation, whether in electronic or paper form, in violation of the California Penal Code; and
- violating the new pretexting law, California Penal Code Section 638, which prohibits the purchasing, offering to purchase, or conspiring to purchase any telephone "calling pattern record or list" without the written consent of the subscriber or, through fraud or deceit, attempting to procure or obtain any "calling pattern record or list."
The settlement allows HP to put this high profile incident behind it, and, significantly, the settlement also serves as a cap, cutting off any further payments for civil liability to the California AG, in statutory damages or penalties. While private plaintiffs and the FTC may proceed with their own claims, the California AG agreed in the Injunction that, in addition to no finding of liability, as part of the settlement, the office will not pursue civil claims against HP or against its current and former directors, officers and employees. The settlement benefits both sides: the company’s directors, officers and employees can move forward and run the company without further distraction from this suit; the AG secures punishment against HP and deterrence generally in the privacy law arena; and, in an unusual result, the California prosecutors obtain a windfall funding source for their cases. To the extent the Privacy and Piracy Fund is utilized for the more run-of-the-mill piracy cases, it encourages additional prosecutions of intellectual property violations, which provides a benefit to intellectual property holders generally, including HP.
While only time will tell whether other regulators adopt the view that such corporate governance improvements will be the "gold standard," HP, by agreeing to the settlement and putting the reforms in place, has made a statement that it wants to be the model for the highest standard in legal and ethical compliance. The sweeping, detailed provisions of the Injunction are instructive, in any event, to understand, from a regulator’s perspective, the type of structure and measures designed to ensure compliance with privacy laws and ethics standards in the conduct of investigations.
Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.
This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2006 Goodwin Procter LLP. All rights reserved.