On September 5, 2006, Newsweek revealed that Hewlett-Packard's general counsel, at the behest of HP chairwoman Patricia Dunn, had contracted a team of independent security experts to investigate board members and several journalists in order to identify the source of an information leak. In turn, those security experts recruited private investigators who used a spying technique known as pretexting. The pretexting involved investigators impersonating HP board members and nine journalists (including reporters for CNET, the New York Times and the Wall Street Journal) in order to obtain their phone records. The information leaked related to HP's long-term strategy and was published as part of a CNET article in January 2006.
Dunn claimed she did not know beforehand the methods the investigators used to try to determine the source of the leak.Board member George Keyworth was ultimately accused of being the source and on September 12, 2006, he resigned, although he continued to deny making unauthorized disclosures of confidential information to journalists and was thanked by Mark Hurd for his board service.It was also announced at that time that Dunn would continue as chairwoman until January 18, 2007, at which point HP CEO Mark Hurd would succeed her. Then, on September 22, 2006 HP announced that Dunn had resigned as chairwoman because of the "distraction her presence on our board" created. On September 28, 2006, Ann Baskins, HP's general counsel, resigned hours before she was to appear as a witness before the House Committee on Energy and Commerce, where she would ultimately invoke the Fifth Amendment to refuse to answer questions.
Investigation by the House Committee on Energy and Commerce
On September 11, 2006, CNET News.com publicly released a five-page letter written by the United States House Committee on Energy and Commerce to Patricia Dunn stating that they had, for the past seven months, been conducting an investigation on Internet-based data brokers who allegedly use "lies, fraud and deception" to acquire personal information, and allow anyone who pay a "modest fee" to acquire "itemized incoming and outgoing call logs", not only for cell phone numbers but also for VoIP numbers, landline numbers, and unpublished phone numbers. Additional data that could be obtained included addresses and other personal data, obtained without the consent or prior notice to the owner of the number. The committee had learned about HP's use of pretexting through their September 6 SEC filing and through their own inquiry of HP's Nominating and Governance Committee, stating they are "troubled" by the information, "particularly that it involves HP—one of America's corporate icons."
The committee requested, under Rules X and XI of the United States House of Representatives, the following information from HP by September 18, 2006:
1. The name and identity of the outside consulting firm cited in HP's September 6th, 2006, filing with the SEC (the outside consulting firm), and of any other outside consultants who were hired by HP to assist in conducting the Leak Investigation.
2. Copies of any contracts, letters of engagement and investigative plans related to the Leak Investigation that was conducted by the outside consulting firm or by any other party.
3. The names and identities of all third parties, whether hired directly by HP or by HP's outside consulting firm, who were used during the leak investigation to procure, or to attempt to procure telephone records and other personal consumer information of any targets or subjects of the Leak Investigation
4. A list of all individuals or entities that were targets or subjects, or designated as targets or subjects, of the Leak Investigation.
5. A list of all individuals, including HP employees, who were involved with conducting the Leak Investigation or who had contemporaneous knowledge of the Leak Investigation.
6. A list of all individuals or entities whose telephone records or other personal consumer information were procured or attempted to be procured by the outside consulting firm or by any party during the period January 1, 2005, to the present.
7. A list of all individuals whose telephone records or other personal consumer information were procured by the outside consulting firm or by any party during the period January 1, 2005, to the present. For each individual, describe the types of records that were procured.
8. Copies of all reports prepared for the Leak Investigation by the outside consulting firm or by any other party, including any and all analysis or opinions regarding the appropriateness or legality of pretexting.
9. A copy of the letter of engagement with the law firm Wilson Sonsini Goodrich & Rosati regarding the Committee Inquiry.
10. Copies of all reports prepared for the Committee Inquiry, including any report prepared by the firm Wilson Sonsini Goodrich & Rosati.
11. Copies of all draft and final Board minutes that either relate to either the Leak Investigation or the Committee Inquiry.In addition to the above mentioned information, the Committee on Energy and Commerce also requested the following information from HP by September 25, 2006:
12. All records relating either the Leak Investigation or Committee Inquiry, including but not limited to communications to or from the outside consulting firm, communications by or between HP employees or Board Members, and communications to or from the outside counsel. Please do not provide any copies of the actual telephone records or any other records procured.
At the September 28, 2006 hearing, Dunn and Hurd both testified extensively about the investigation. Dunn testified that until June or July 2006, she did not realize that "pretexting" could involve identity misrepresentation. Dunn repeatedly insisted that she had believed that personal phone records could be obtained through legal methods.
Other witnesses, including Ann Baskins, HP's former General Counsel, Kevin Hunsaker, a six-year HP employee who was a former HP Senior Counsel and "Director of Ethics and Standards of Business Conduct," Anthony Gentilucci, former HP/Compaq/DEC chief of global investigations, and several private investigators invoked the Fifth Amendment, refusing to answer questions due to the ongoing criminal investigations.
Baskins' attorney's letter to the committee contains several documents describing the investigatory methods, who was pretexted, and whether there were any illegal acts committed, including memoranda prepared by HP's outside law firm Wilson, Sonsini, Goodrich & Rosati (Larry Sonsini was among the witnesses at the hearing.)
Hunsaker's May 24 confidential "attorney-client privileged" final report, which gives full details of the investigation, is also available.
California criminal case
On October 4, 2006, California Attorney General Bill Lockyer filed criminal charges and arrest warrants against Dunn, HP's former chief ethics officer Kevin Hunsaker, and three outside investigators.The complaint alleged the following four felony violations of the California Penal Code:
Conspiracy to commit crime in violation of Sections 182
Fraudulent use of wire, radio, or television transmissions in violation of Section 538.5
Taking, copying, and using computer data in violation of Section 502
Using personal identifying information without authorization in violation of Section 530.5(a)
The criminal complaint can be found here.
On March 14, 2007, the judge in Patricia Dunn's criminal case dismissed all charges. Hunsaker and the two investigators pled no contest to the wire fraud count; those charges were dismissed pending their completion of 96 hours of community service.The court also dismissed its case against the third investigator, Bryan Wagner, who had pleaded guilty in federal jurisdiction.
Federal criminal charges
On January 11, 2007, Bryan Wagner (a private investigator who was engaged by Hewlett-Packard who had already been charged in the California case) was charged by the federal government with conspiracy and identity theft for allegedly obtaining the Social Security Number of an unidentified journalist to obtain the journalist's phone records.Wagner pled guilty to the charges. On August 12, 2009, his sentencing hearing was postponed.
Legal ramifications
Before this case, pretexting was a bit of a legal grey area. California had some laws that loosely applied to pretexting, but there were not really any federal laws specific to pretexting.Partially as a result of the case, however, congress passed a law specifically prohibiting pretexting.Since then, at least two other people have been prosecuted under the new law:November 2008 - Nicholas Shaun Bunch was charged with using a victim's name and the last four digits of his Social Security number to obtain confidential phone records from T-Mobile.December 2008 - Vaden Anderson was indicted for using pretexting to obtain confidential phone records from Sprint/Nextel.
0 comments:
Post a Comment