HP pretexting scandal spurs a range of new state and federal laws that elevate the scrutiny of companies' investigations
The term ‘pretext’ is defined in Webster’s Dictionary as ‘that which is put forward to conceal a true purpose or object; an ostensible reason; the misleading appearance or behavior assumed with this intention.’ And although the word ‘pretexting’ does not officially exist, the use of the term has become commonplace in the business world, primarily from its extensive use in the media after the Hewlett-Packard scandal. The intense, and often bitter, infighting which took place in the H-P boardroom became one of the most public governance stories of 2007 when it emerged that members of the company management and the board employed private investigators to spy on each other and members of the media.
Despite all the – mostly negative – attention, one important question needs to be addressed: was (and is) pretexting actually illegal? The answer: not necessarily, and not always. While most people stopped thinking about pretexting after the H-P scandal died down, in the past year Congress and many states have passed new anti-pretexting laws in response to the public outcry against this perceived invasion of privacy. To inform on this new legislation, this article offers a broad overview of pretexting and some of the key statutes that regulate it.
What is pretexting?
In 2001 the Federal Trade Commission (FTC) issued a publication on pretexting and defined it as ‘the practice of getting your personal information under false pretenses.’ As described by the FTC definition, pretexting goes beyond simply obtaining someone else’s telephone records. Pretexters also seek to obtain bank records, credit card numbers, Social Security numbers, credit reports and a range of other sensitive personal information.
Typically, an investigator will pretend to be an individual (the target), using some personal information already gathered, to gain access to other information about a target held by a third party. A good example is set forth in the warrant supporting the charges in the H-P case.
Of course, there are many techniques that creative investigators use to gather personal information about a target. Some of those methods, such as pretexting, may be considered unethical, but whether they are illegal is another question.
The legality of pretexting
Prior to 2006 there was little law protecting individuals from pretexting practices. In fact, courts had found that there was no common law expectation of privacy in telephone records, or even bank records (See, KRL v. Womack, 2006 US Dist. Lexis, 8314). Thus, it is only through specific legislative action that obtaining an individual’s private information might be illegal.
Until recently, there was no federal law that applied to pretexting in the context of obtaining telephone records. In fact, the only federal law that clearly prohibited any type of pretexting was the Gramm-Leach-Bliley Act (GLBA); that law only applies to records from financial institutions.
The GLBA, enacted in 1999, prohibits obtaining customer information from a financial institution, such as a bank, credit card company or credit reporting agency, under false pretenses. An individual attempting to obtain any information about a bank customer, such as deposit or payment history, account numbers or balances, by making a false statement to the bank (such as pretending to be the customer) would be liable under this law. There are several exceptions to the Act, including investigations by law enforcement, internal investigations by the financial institution, investigations by insurance companies related to insurance fraud and investigations by private investigators related to child support. Although administration of the Act falls under the jurisdiction of the FTC, the Act provides for criminal penalties and imprisonment of up to five years.
However, there are no reported cases of any criminal actions under the GLBA for pretexting. Other federal laws, such as the Computer Fraud and Abuse Act (CFAA) or the Electronic Communications Privacy Act (ECPA), could theoretically be used to charge some forms of pretexting, but they would apply in only very narrow circumstances, if at all.
For example, the CFAA could potentially apply to pretexters who access a computer without authorization and then take certain personal data. However, the conduct would have to fall under some very specific categories, such as accessing a bank’s or the federal government’s computers, or accessing a computer through the internet without permission. In reality, the CFAA is more applicable to ‘hacking’ than it is to pretexting. The crux of the CFAA is that it concerns liability with respect to obtaining information through unauthorized access as opposed to obtaining that information under false pretenses.
Since almost all information sought by pretexters is stored on computer databases these days, theoretically one might imagine a charge under the CFAA where an individual using false pretenses tricks a third party (such as a bank) into accessing a computer database to provide information. For example, an investigator could trick a retail store into accessing its national computer database to give up someone’s stored credit card or other personal information. The legal issue in this instance would be whether the retailer’s access was unauthorized.
Similarly, the ECPA could be a basis for criminal charges for pretexting; however, the pretext would have to involve intercepting private information from email or another wire communication. Ultimately, the ECPA is more geared toward unauthorized wiretaps and access of email and other internet transmissions than traditional pretexting. It is unlikely to be easily applied to most pretexting scenarios, unless, like the CFAA, an individual uses false pretenses to trick a third party into helping him gain personal information through accessing a wire or another electronic form of communication.
The H-P case
In October 2006 the California attorney general filed a felony complaint against several individuals at H-P, including its chairwoman, who were involved in an investigation of H-P board members and reporters. They had obtained telephone records through pretexting. Although the attorney general was quick to declaim that pretexting was illegal, no federal or state anti-pretexting laws had been passed at that time.
Because California had yet to pass its anti-pretexting statute at that time, the attorney general had to rely on the existing privacy laws in pursuing charges against H-P. For example, the attorney general charged a violation of the California Penal Code for fraudulent use of radio wire or television. This California code is extremely limited in its application in that it not only requires the use of wire, radio or television to effectuate a scheme to obtain certain information from public entities, it also only applies to information from public utilities.
The California AG also charged a violation of California Penal Code for taking, copying and using computer data. This section of the penal code is limited to taking computer data. Since most records are now stored on computers, it could potentially apply to some pretexting scenarios. Ultimately, the California AG charged a violation of the Penal Code for using personal identifying information without authorization. This section of the penal code is broad in the type of information covered, but it is also very narrow in its application. The law only applies when personal information is used unlawfully – such as to steal an individual’s money or to obtain other means of financial gain. It does not, on its face, apply to simply gathering the information exclusively for investigative purposes.
Ultimately, the felony charges against the defendants in the H-P case were dismissed, so it is uncertain whether the government’s creative use of existing privacy laws would have succeeded. Nonetheless, it is clear that future attempts by companies or investigators to use pretexting practices will draw potential criminal charges, particularly in light of the new laws that have been passed.
New anti-pretexting laws
In the wake of the H-P case, Congress passed the Telephone Records and Privacy Protection Act of 2006. The new law, effective January 12, 2007, appears broad enough to cover most attempts by an individual to access another individual’s telephone records. Its scope, however, is limited to conduct involving interstate or foreign commerce. Although an analysis of what constitutes interstate or foreign commerce is beyond the scope of this article, any use of the telephone, mail or internet to obtain an individual’s phone records through false representations would likely be covered. Exceptions are made for investigations by law enforcement.
The law covers most scenarios that pretexters would use to obtain records, including making any false statement to an employee of the telecommunications provider or providing false documents. The law also prohibits making a false statement to a customer or accessing records through the internet or through any means of hacking.
The law even goes beyond obtaining records through pretexting and prohibits the sale, transfer, purchase or receipt of confidential phone records without the customer’s consent.
While virtually all information held by a telecommunications provider is covered, the new law only covers information held or furnished by a telecommunications provider, including any provider of IP-enabled voice service. The law does not cover personal information (even through use of the phones) from banks, credit card companies or other non-communications business.
Similarly, most states responded to the H-P scandal by passing their own anti-pretexting laws aimed at protecting telephone records. For example, California, which is considered at the forefront of privacy and consumer protection legislation, enacted Cal. Penal Code § 638, a new anti-pretexting law that is used by many states as a model.
The new California law, like the federal law, applies to the use of pretexting to obtain telephone records only; it does not apply to other forms of private information. Nevertheless, the prohibited methods used to obtain telephone records are broad and seem to cover most attempts to access the information.
Also, in California, an employer of, or entity contracting with, a person who violates the state’s anti-pretexting law is also subject to prosecution if the employer or contracting entity knowingly allowed the employee or contractor to engage in conduct that violated the statute.
The future of investigations
The new anti-pretexting laws have yet to produce any published cases. But one thing is clear: investigators must be wary of old habits. Many pretexters, such as investigators, use pretexting as a means of gathering information, including for arguably legitimate purposes such as determining whether unlawful conduct has been committed or whether company policy has been violated. Previous federal law did not prohibit pretexting for benign purposes such as legitimate investigations. Moreover, its prior use, even if improper, had resulted in only civil penalties, not criminal sanctions.
But the new anti-pretexting laws do not distinguish between benign and malicious uses of pretexting. While investigators may continue to use customary methods of obtaining information, this era’s new privacy laws render it crucial that a company or an individual insist that any investigation is done with legal supervision. This is necessary so that the company or the individual hiring the investigator may thoroughly evaluate the legal consequences of the investigator’s actions, and protect their own interests.
A discussion with any investigator will reveal that although hampered by the new laws, there are still plenty of methods investigators will use to attempt to gather information. At the heart of many investigations is the need to obtain personal information. Many of these investigators, unfortunately, will violate the law, whether knowingly or unknowingly. But not all investigations need be dispensed with. Investigations within the bounds of the law can still be effective. The law is constantly changing, and knowing the current bounds of the law is key.