HP board flap raises wider privacy issues

This week's top-level shake-up at the computer firm Hewlett-Packard has focused new attention on privacy breaches involving consumer phone records, and could jump-start new government efforts to protect the public.

Hewlett-Packard's chairwoman Patricia Dunn resigned Tuesday amid a furor over the board's effort to trace leaks to the media from among its members. Security firms hired by Hewlett-Packard had apparently used a dubious technique known as "pre-texting" – posing under false pretenses to obtain phone records of board members and news reporters – and are now being investigated by state and federal officials and by Congress.

The moral of the story goes beyond Hewlett-Packard: If such an intrusion of privacy can happen to millionaire Silicon Valley power brokers, it might happen to you.

"It's about every consumer ... who gets a monthly billing statement," says Marc Rotenberg, who heads the Electronic Privacy Information Center in Washington. "Policymakers need to address this challenge."

In the Hewlett-Packard case, the pre-texting was done not by HP but by private investigators or other contractors who used Social Security numbers to impersonate the company's directors and a handful of journalists.

Boardroom leaks are a serious matter, often prosecutable, given the financial responsibilities of corporate directors to shareholders. But in this case, the phone-record furor has overshadowed the legal question of the leaks themselves, which date back to a time in 2005 when the board decided to oust then-CEO Carly Fiorina.

The alleged leaker, board member and former White House Science Adviser George Keyworth, resigned Tuesday, even as Dunn said she would step down as chairwoman in January. Mark Hurd, the current CEO, will add the title of chairman, and one board member will take the title of lead independent director.

The affair comes as HP stages an impressive corporate comeback while launching important new products. Among the key questions that linger over the affair: How much did board members know of the methods that investigators employed in tracking the leaks?

California Attorney General Bill Lockyer said Tuesday that he has enough evidence to indict HP officials and outside contractors.

Despite Mr. Lockyer's certainty, some experts say pretexting falls into a legal gray area that may require new laws and rules to effectively suppress its use.

"For us it's certainly rising to the top of the list" of urgent privacy issues, says Mr. Rotenberg, whose organization petitioned the Federal Communications Commission (FCC) for new mandates on phone companies to protect customer information. "There's just very little regulation."

Consumer advocates say two steps are needed: A law that clearly bans the practice and creates tough penalties, and requirements that phone companies have strict safeguards in place in their customer service departments.

Although many believe that pretexting is already illegal, prosecution is not necessarily easy. A 1999 ban on pretexting to obtain financial records does not explicitly ban pretexting for other information such as phone bills. To prosecute HP board members, Lockyer is expected to apply existing laws, including a California measure on identity theft.

In a busy election season, it's unclear whether legislation that Congress has been considering this year will move forward. But regulators at the Federal Communications Commission hope to lay out new rules for the telecommunications industry by the end of the year – a move the FCC has been considering for several months. And states could pass their own bans. The California legislature has already passed a bill, which now needs only the governor's signature to go into effect.

"If this was not a gray area, ... then there wouldn't have been all these bills" moving onto the congressional agenda this year, says Bruce Hulme, legislative director of the National Council of Investigation and Security Services, which represents private investigators.

The organization supports legislation to establish severe penalties for pretexting that gains access to phone records, but argues the practice should not be banned outright as an investigation tool.

Current federal laws could be used to prosecute the Hewlett-Packard case, Mr. Hulme adds, depending on the facts involved. "A lot is going to depend on the manner in which the pretext was used and the manner in which computers were used."

Many consumer advocates and industry officials say that when phone records are needed, such as for a legal proceeding, they can be accessed through channels such as a subpoena or warrant.

Phone companies say they have been trying to curb pretexting through litigation and other measures.

"The four national carriers, Verizon Wireless, Cingular, Sprint-Nextel and T-Mobile, have all filed complaints and obtained injunctions across the country to shut down these data thieves," cellular industry official Steve Largent told a congressional hearing in February. "The fact that data brokers apparently have been able to break and enter carrier customer- service operations to obtain call records has given our industry a black eye."

At the February hearing, Robert Douglas of PrivacyToday.com referred to attorneys as "the elephant in the room here that nobody's talking about." In many cases, he says, it is lawyers and their demand for information that allows murky data- gathering businesses to spring up. But methods that are defended for, say, tracking down deadbeats can also end up being used in bad ways.

Consumers can take several steps to safeguard their phone records:

•Ask that records only be sent to their home address.

•Ask that your Social Security number not be used as the main way for customer service representatives to verify your identity on the phone.

•Passwords are most effective when they are complex and changed regularly.