Deborah S. Birnbach, Agnes Bundy Scanlan and David J. Goldstone

Investigations are a necessary component of prudent corporate oversight. But if not handled properly, investigations can themselves become a source of liability to those authorizing the investigation. The recent indictment alleging misconduct in the course of investigations conducted for Hewlett-Packard demonstrates the potential for legal consequences and negative publicity that can result from increased public scrutiny on investigative practices relating to privacy and data security. Companies have long recognized that investigations can be a minefield of ethical and legal considerations. Increased interest in prosecuting directors for privacy law violations should be expected to continue. Knowing the lay of the land in privacy and data security regulation, therefore, is essential to withstanding the increased scrutiny that decisions made during an investigation will likely receive.

Investigations Are a Necessary Part of Responsibilities of Directors and Executives

For most board members and senior executives, responsibility for internal investigations should be considered part of the job description. Such investigations can address a broad range of issues, including options practices or other audit committee matters, potential insider trading questions, theft of trade secrets or confidential information, or other allegations of corporate wrongdoing. Investigations may encompass gathering market intelligence on competitors or conducting due diligence in advance of potential business transactions. To ensure compliance with Sarbanes-Oxley and court-imposed obligations requiring that accurate reporting systems and sufficient controls be in place, directors and executives must affirmatively monitor those controls and investigate problems that arise.

For directors and executives operating in this environment of prevalent identity theft and increased electronic data, every decision made in overseeing such investigations should be made with heightened sensitivity to privacy and data security concerns. That sensitivity may run counter to the obligation to investigate at times, and even professionals hired to assist in investigations can be a source of liability if they don’t comply with the maze of applicable privacy and data security laws.

The HP Allegations

To much notoriety, the conduct of an investigation recently resulted not merely in the collection of helpful information but also in the highly publicized resignations by the chairwoman, general counsel and senior counsel of Hewlett-Packard – along with felony indictments against the former chairwoman, senior counsel and three outside consultants to HP.

In the HP matter, the California Attorney General alleges that in early 2005, former Chairwoman Patricia Dunn initiated an investigation into leaks of confidential HP information to members of the media, conduct described by Dunn in a statement as a serious violation of HP’s code of conduct. No doubt with the protection of HP’s assets as the primary goal, the company set out to find the leak by investigating. The AG alleges, however, that investigators acting on HP’s behalf used false pretenses, or "pretexting," to obtain telephone records of members of the HP Board as well as members of the media, without those individuals’ knowledge. The AG further alleges that the HP Legal Department directed a resumption of the investigation in early 2006 into additional leaks of confidential HP information, and that pretexting techniques were used to obtain mobile, fax and home telephone records from telephone companies without the individual subscribers’ knowledge. The AG’s allegations describe how the individuals involved allegedly obtained personal identifying information, including names, phone numbers and Social Security numbers, of 13 HP Board members, journalists and family members, and then used that information for an unlawful purpose, namely for obtaining telephone records.

The landmine for Hewlett-Packard was the investigative technique known as pretexting. Pretexting is generally defined as the practice of obtaining personal information under false pretenses. While investigators masking their identity is not always wrongful under the law, the California AG takes the position that pretending to be the rightful owner of data, and misusing personally sensitive information in that exercise, runs afoul of existing laws. As exemplified by the Hewlett-Packard case, law enforcement officials recently have stepped up the enforcement of existing laws to apply to cases of pretexting. Civil litigants have followed suit. Moreover, legislatures around the nation have enacted new laws specifically to address such practices.

Whether these trends embody a heightened attention to ethics and lawfulness in corporate investigations and corporate governance generally, or an increased sensitivity to the value of personally identifiable information reflecting the values of the "Information Economy," the lesson is the same: companies must protect private information entrusted to them at all times, even in the conduct of investigations. Because many legal, ethical and even public relations considerations come into play while conducting an investigation, it is more important than ever to take steps to ensure that all phases of an investigation are conducted properly.

Prosecutors and Others Take Aim at Pretexting by Using Existing Laws

As illustrated by recent legal actions by the California Attorney General, the Federal Trade Commission and other enforcement entities, prosecutors, regulators and private litigants are making a concerted effort to combat pretexting and other privacy law violations. In these cases, long-established laws are being asserted in a new way, with a position that pretexting is just another form of fraud. A shift of priorities is taking place, with law enforcement and civil litigants bringing data privacy and data security cases – despite no economic loss by the victims.

HP Allegations. While two of the felony counts brought in the HP case arise from alleged violations of "new" laws enacted as part of California’s response to more modern, electronic wrongdoing (wrongful use of computer data and identity theft), the other two counts arise from laws that have long been on the books and have counterparts in every state: fraudulent wire communications and conspiracy. The criminal charges sought could result in up to nine years imprisonment and a fine of up to $75,000 for each defendant.

Civil Lawsuits. Already, civil suits have been filed in New Jersey and Georgia against HP’s outside contractors by Verizon Wireless and Cingular Wireless. The civil suits allege that the investigators’ obtaining of phone records under false pretenses was illegal under federal and state laws. The Georgia suit also alleges violations of the Racketeer Influenced and Corrupt Organizations Act – the civil RICO law. The plaintiffs are seeking disgorgement of profits; for these non-monetary claims, the return or destruction of the data may be the most likely outcome.

Indeed, in an unrelated case decided on October 3, 2006, a federal court in Arkansas dismissed a class action case against Acxiom, a data warehouser, which suffered a data security breach by a computer hacker. The company’s CEO had provided public assurances that the data was secure, but, after the hacking incident, a class action was filed alleging that Acxiom did not properly safeguard the sensitive information it stored. The court dismissed the class action because the plaintiffs could not show any "concrete damages" from the security breach. In that case, the judge was careful to note that the lead plaintiff had not been a victim of identity theft nor received any unsolicited mail solicitations as a result of the security breach – and she did not even know if her information was among the data that was stolen. The implication is that liability is an open issue for other privacy-related breaches, even where the victim suffers no actual monetary harm, such as divulging information for purposes other than identity theft.

Recent FTC Actions Relating to Pretexting. The Federal Trade Commission recently announced its first settlement of a lawsuit alleging illegal pretexting used to obtain telephone records. On October 5, 2006, the FTC announced a settlement with a private investigation firm, Integrity Security & Investigation Services (Integrity Security), on charges that the company improperly sought consumer telephone records. Under the agreement, Integrity Security agreed to disgorgement of profits made by selling the records. Some have found it remarkable that the FTC brought a case where ill-gotten profits amounted to only $2,700. This prosecutorial enthusiasm underscores the heightened scrutiny law enforcement officials are placing on proper investigative practices. As part of the settlement, Integrity Security also agreed to a ban from obtaining or selling non-public telephone records and credit data without a specific court order.

The FTC has also previously prosecuted pretexting activities where financial records are sought. In such cases, the FTC pursued pretexters under its traditional "unfair or deceptive practices" authority pursuant to Section 5 of the Federal Trade Commission Act, as well as its authority under the more recently enacted Gramm-Leach-Bliley Act. The prosecution of those seeking non-financial (telephone) records signals that the federal government has opened a new front in combating pretexting by investigators.

While the FTC has focused on identity theft for the past few years, other regulators like the SEC are now also turning to this front. For example, on October 5, 2006, John Walsh, the Associate Director and Chief Counsel of the SEC Office of Compliance Inspections and Examinations, announced in a speech that the SEC recently initiated a new sweep examination program to review the policies and procedures that the largest broker-dealers and fund complexes have in place to address the problem of preventing identity theft. This kind of pro-active regulatory effort demonstrates the heightened scrutiny that regulators are placing on privacy.

Expansion of Legal Prohibitions on Pretexting and Affirmative Duties in Security Breaches

Although the enforcement actions described above demonstrate that long-standing laws can be applied against practices that implicate data security, Congress and state legislatures coast-to-coast have recently enacted laws specifically aimed at this area. These legislative efforts are no doubt spawned by a desire of politicians to be seen as protecting personal information of their constituents, and provide encouragement to law enforcement officials and other litigants to bring cases aggressively.

For example, California enacted the nation’s first data breach notification law in 2002. Since then, over 30 states have enacted data breach notification laws. These laws require companies to notify customers when there has been a breach, and can trigger high-profile public awareness of security breaches. Congress is currently considering a handful of additional bills to expand the scope of protections for improperly accessed data.

Some laws at the state and federal level have been enacted specifically targeting the practice of pretexting. Most notably, the use of pretexting to obtain customer records from financial institutions was specifically outlawed by the Gramm-Leach-Bliley Act in 1999. This statute specifically prohibits obtaining "customer information" of a financial institution by (i) making a fraudulent statement to an employee of a financial institution, (ii) making a fraudulent statement to a customer of a financial institution, or (iii) providing any document to an employee of a financial institution, knowing that the document is forged, counterfeit or contains a fraudulent statement.

States such as California and New York, both of which have been very active in promoting data privacy and security and prohibiting identity theft, recently enacted even more finely targeted laws directed at telephone records. For example, on September 29, 2006, the week before the California Attorney General brought indictments in the HP matter, California Governor Arnold Schwarzenegger signed a law specifically making pretexting a crime. The legislation, S.B. 202, is directed at telephone records. It outlaws the purchase, sale or attempted or conspired purchase or sale of "any telephone calling pattern record or list, without the written consent of the subscriber" or through fraud or deceit. This new law takes effect on January 1, 2007 and will allow penalties of up to one year’s imprisonment and fines of up to $2,500.

The same week, on the East Coast, New York Governor George Pataki signed a pretexting law as well. On September 26, 2006, Governor Pataki signed the New York Consumer Communication Records Privacy Act, S. 6723, which became effective immediately. This law also seeks to prevent unauthorized acquisition of consumer telephone records. Unlike the California law, the CCRPA does not provide for criminal penalties. The CCRPA prohibits any person or entity from attempting to obtain, sell or transfer a telephone subscriber’s "telephone record" without the written consent of the subscriber, except as otherwise permitted by law. The definition of "telephone record" excludes caller ID information. The CCRPA authorizes the New York Attorney General to bring an action to enjoin a violation and seek a civil penalty of up to $1,000 per violation. It also permits the court to award costs incurred by victims whose telephone records are improperly transferred because of the violation.

Questions to Ask

In light of this expanding set of legal requirements and heightened scrutiny on investigative practices, companies and directors should be vigilant before embarking on investigations. Whether or not any harm is caused, a slip-up can have dramatic negative repercussions and lead to a PR disaster. Even where external investigators do the work, directors, officers and counsel need to adequately supervise the outsiders and manage them to ensure that the investigation itself does not create new legal, ethical or public relations issues for the company. In order to minimize exposure from investigations, companies should consider the following questions, and should review appropriate corporate policies in light of the array of potential answers:

  • What is the scope of the investigation?
  • Who authorizes the investigation?
  • What sensitive information is being collected or used?
  • How is that information being collected and to whom is it being disclosed?
  • How is that information being managed and stored?
  • What is communicated about the investigation?
  • What documents result from the investigation?
  • What is being done with these documents?
  • Is a written report of the investigation prepared?
  • What information does the company gather from or about its employees, executives and directors?
  • What confidentiality policies cover each of those groups?
  • Have background checks been authorized?
  • Do any contractual provisions cover the information and its protection or use?
  • What privacy and data security policies are implicated by the investigation?
  • Are vendors adequately supervised and have they been vetted for privacy law expertise?
  • How do directors communicate and receive board materials?

Most companies will need to conduct internal investigations at some point, and these are part and parcel of any diligent director’s responsibilities. Steps should be taken – e.g., being prepared to answer the questions above – so that companies are best positioned for investigations in advance. The facts precipitating an investigation often arise in rapid fire. In view of the potentially catastrophic consequences of improper handling of investigations, directors, officers and counsel should ensure that employees and outside consultants who conduct investigations receive proper training, adhere to sound ethical and legal policies, and are subject to appropriate supervision.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 700 attorneys and offices in Boston, Los Angeles, New York, San Diego, San Francisco and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. © 2006 Goodwin Procter LLP. All rights reserved.