Lessons Learned: Issues Exposed in the Aftermath of the Hewlett-Packard Debacle

'What began as an investigation with the best intentions has ended up turning in a direction we could not possibly have anticipated.' Mark Hurd, CEO Hewlett-Packard.

On Sept. 5, 2006, Newsweek published a story about Hewlett-Packard's Chairman Patricia Dunn's use of a private investigation firm to locate the source of leaks of confidential corporate information. As the story unfolded, the public learned the following: After confidential information appeared in news publications in 2005, certain officers and certain members of the board of directors of Hewlett-Packard ('HP') authorized the launch of two investigations, the first in 2005, and the next in 2006, to locate the source of the information leaks. The basis for the investigations was that the information leaked to the press was known only to board members. Certain officers and directors collectively comprised the 'HP investigation team' in the secret investigation of the leaks to the media. In devising its plan, the HP investigation team sought the assistance of a top investigator, Ron DeLia, head of Security OutSourcing Solutions, Inc. ('SOS'), with whom Hewlett-Packard previously had worked on unrelated matters. DeLia allegedly encouraged the HP investigation team to use pretexting or 'social engineering' to obtain private cell phone and phone records of certain targeted individuals, among other things.

Pretexting is the act of creating and using an invented scenario to obtain information from or about a target, usually over the telephone. It usually involves some prior research and the use of pieces of known information (eg, mother's maiden name, birthday, Social Security Number) to convince the target company that the individual seeking the information is, in fact, the legitimate owner of the information. Misrepresenting anything about oneself in order to improperly obtain another's information is, by definition, pretexting.

According to reports, SOS asserted that the techniques being used in the investigation were legal. SOS's legal counsel apparently provided assurances in the form of a 'legal opinion' that the actions being taken were legal. Kevin Hunsaker, senior counsel at Hewlett-Packard, relying upon SOS's representations and the 'legal opinion,' relayed these assurances to general counsel and the HP investigation team, of which he was a member. Other members of the HP investigation team have said that they had the clear impression from DeLia that the records he intended to obtain could be obtained legally from publicly available sources. SOS's continuing investigation into the media leaks included the use of pretexting to gain personal and confidential information about certain of Hewlett-Packard's directors and employees, as well as unaffiliated members of the press.

In March 2006, SOS issued a draft report that identified the potential source of the leak and provided an outline of the techniques that had been used in conducting the investigation. That outline specifically identified pretexting as one of the techniques employed to obtain information. Other techniques included physical surveillance and other questionable techniques, including the deployment of an e-mail tracer program attached to a bogus e-mail delivered to a reporter. Had the reporter activated the tracer, it would have allowed the private investigator and the HP investigation team to trace his or her IP address. There was also discussion of sending a spyware/keystroke logger program as an e-mail attachment. Had that program been delivered and launched inadvertently by the re-porter, SOS and the HP investigation team would have been able to capture every keystroke on the reporter's computer. SOS's draft report also allegedly contains some assurances that all of the techniques utilized were legal.

The targets of the investigation included at least two Hewlett-Packard employees, several former and current members of the board of directors, several of those persons' family members, at least nine journalists at various news publications and, in some cases, those journalists' spouses and other family members. Several publications have reported that SOS or others under its direction attempted to obtain phone records for Hewlett-Packard's former CEO Carly Fiorina and Hewlett-Packard's outside counsel Larry Sonsini. It is not clear at this point whether those records were obtained or whether pretexting was utilized in the attempt to obtain the records.

Pretexting and the Law

Private investigators have used pretexting for years, often to trick a business into disclosing its customers' information. Private investigators thereby obtain telephone records, banking records, credit card records, and other confidential information from the company by posing as the owner of the account. Most U.S. companies still authenticate a client by asking for a Social Security Number, birthday, or mother's maiden name (think about the last time you opened an account with a password), all of which are easily obtained by a third party. This makes it extremely easy for a third party or private investigator to obtain personal information.

In 1999, the Gramm-Leach-Bliley Act ('GLB') was signed into law. 15 USC ”6821-827, Fraudulent Access to Financial Information. The GLB makes pretexting to obtain bank records an illegal act punishable under federal law. The GLB prohibits 'pretexting,' or the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. The GLB in part provides as follows:

Sec. 6821. Privacy protection for customer information of financial institutions.

(a) Prohibition on obtaining customer information by false pretenses.

(b) Prohibition on solicitation of a person to obtain customer information from financial institution under false pretenses.

(c) Non-applicability to law en-forcement agencies.

(d) Non-applicability to financial institutions in certain cases.

(e) Non-applicability to insurance institutions for investigation of insurance fraud.

(f) Non-applicability to certain types of customer information of financial institutions.

(g) Non-applicability to collection of child support judgments.

This law also prohibits the knowing solicitation of others to engage in pretexting for customer information of a financial institution. The Federal Trade Commission ('FTC') has been active in bringing actions against companies and individuals that practice pretexting and then sell consumers' financial information.

When a business entity, such as a private investigation firm, conducts any type of deception, it falls under the authority of the FTC. The FTC is both authorized and obligated to ensure that consumers are not subject to any unfair or deceptive business practices.

Section 5 of the Federal Trade Commission Act ('FTCA') states, in part:

Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect …

The statute provides that if one is securing any personal, nonpublic information from a financial institution or the consumer, that situation is covered by the statute and relates directly to the consumer's relationship with the financial institution. For example, if the pretexter is using false pretenses to obtain the consumer's address from the consumer's bank, that would be covered by the FTCA. Or, if the pretexter is going to the consumer and getting the name of his or her bank through false pretenses, that would be covered by the FTCA as well.

There currently is no federal legislation that bans pretexting generally, but Congress currently has five pieces of such legislation before it, each piece varying in scope. Under common law, however, the act of pretexting would likely lead to a claim in tort for invasion of privacy, given the information sought and methods used to obtain it. Some states have adopted criminal statutes that prohibit such practices. California Penal Code '538.5 specifically holds 'executing a scheme or artifice to obtain, from a public utility,' a customer's 'billing records' to be a crime. The California criminal statute further provides that it is not just the people who obtain the information who will be held liable but every person who transmits or causes the information to be transmitted.

Legal Concerns Leading to the Investigation

Hewlett-Packard knew that there was a leak somewhere within its board. Several articles appeared in the press regarding issues and matters that previously had been discussed only within the confines of a confidential board meeting. According to the HP investigation team, these and continuing leaks had the potential to significantly damage the company and the value of its shares in the market.

But every board member at any company has a fiduciary duty to the board and the company. That fiduciary duty includes a duty to maintain confidentiality. Many corporate codes of conduct have confidentiality restrictions as well. Hewlett-Packard's corporate code of conduct may have these restrictions. In addition, more often than not, board members are required to sign confidentiality restrictions. It is unclear at this point whether Hewlett-Packard's board members signed such a confidentiality restriction.

But every board member has a duty of loyalty not only to the company but also to the company shareholders. One can imagine a number of in-stances in which this duty of loyalty could conflict with confidentiality restrictions and the fiduciary duty to maintain confidential information. Certainly, a director could believe that the duty of loyalty would require disclosure of information prohibited by confidential restrictions in order to protect shareholders and the company.

Pursuant to Delaware corporate law, there are two fundamental fiduciary duties: that of care and that of loyalty. While there is no statutory duty of confidentiality, the duty of confidentiality is presumed to be part of the duty of loyalty to the company. The significant importance of board meeting confidentiality is generally recognized as a matter of corporate governance.

With regard to the Hewlett-Packard leaks, some have opined in hindsight that the information 'leaked' or disclosed to the press by a member of the board of directors did not qualify as confidential information such that the disclosure of such information would be in violation of that director's fiduciary duties. Therefore, these individuals opine, no confidential information was leaked, so there was no violation of any fiduciary duty and there was never any basis to initiate an investigation.

Post-investigation Disclosure and Events

First and foremost, the Hewlett-Packard directors and officers who were involved in initiating the investigation and those who were involved in monitoring its progress have, for the most part, claimed that they did not know that any extreme tactics were being used or that the tactics used were illegal. Former Chairman Dunn stated that she didn't hire SOS because it was already engaged generally by Hewlett-Packard. Dunn also stated that she assumed that the long-term engagement between the two companies meant that SOS would conduct its investigation in an aboveboard manner. Additionally, Dunn stated that she asked DeLia at every point of contact if what was being done was proper, legal, and in full compliance with Hewlett-Packard's previous practices. At a minimum though, it seems that the facts will show that the HP investigative team was aware that the investigation could raise ethical and privacy violation issues. Indeed, an e-mail allegedly exists that discloses one of the team member's concerns that the actions and techniques being used were, in fact, illegal.

The facts have revealed that there were indeed disclosures to the HP investigation team of intent to use spyware, intercept private communications, sift through personal trash, and obtain phone records as a few of many invasive techniques. Now, as the publicity about Hewlett-Packard's investigation grows and the congressional hearings proceed, certain of Hewlett-Packard's steps, or missteps, as the case may be, related to SOS's investigation have been revealed.

For example, Sonsini's law firm, Wilson Sonsini Goodrich & Rosati, was engaged after the fact to conduct an investigation into the legality of what took place. Wilson Sonsini's investigation found that the HP investigation team did seek a legal opinion as to the legality of using pretexting as a method to obtain an individual's phone records. The HP investigation team, however, did not engage Hewlett-Packard's counsel to investigate and render this opinion. Rather, the HP investigation team sought the legal opinion from SOS. SOS, in turn, engaged its law firm to render the legal opinion that the HP investigation team apparently relied upon. Wilson Sonsini's investigation revealed that the 'legal opinion' that the HP investigation team relied upon was prepared by a law clerk, not a lawyer, at a firm somehow affiliated or associated with SOS. This also raises a separate issue for SOS's legal counsel to the extent that the preparation of that 'legal opinion' constitutes the unauthorized practice of law by someone who is not a member of a state bar. In any event, apparently no one on the HP investigation team ever took it to the next level, questioning or investigating the source of the legal opinion.

Additionally, the subsequent inquiry into the HP investigation team's actions uncovered the fact that the HP investigation team had its private investigator intercept the Instant Messaging transmissions of an em-ployee with an outside reporter. While there long have been concerns about the security of Instant Messaging systems, this is one of the first highly publicized cases confirming the lack of security and interception of Instant Messages. It has been established that with proper policies and procedures in place, an employer may lawfully monitor anything its employee does when using the company's e-mail service and Internet service provider. The Instant Messaging arena, however, is murky. Yes, messages in this case were sent on company time, but it was a third-party communications system, not controlled by Hewlett-Packard, that was being utilized. It is unclear whether an employer can legally monitor those communications to the extent that the HP investigation team chose to monitor the Instant Messages.

The overall investigation into the HP investigation team's actions has also revealed that HP's global investigations manager, who was on the investigation team, obtained and provided a Hewlett-Packard's employee's Social Security Number to SOS.

Fallout from the HP Investigation Team's Actions

On Sept. 12, 2006, George Keyworth, the identified source of the leaks, resigned. Chairman of the Board Dunn initially petitioned to remain as Chairman of the Board until January 2007, which was approved. She since was asked to step down and has resigned. Current CEO Mark Hurd was asked to resign, but has refused to date. Hewlett-Packard's General Coun-sel, Ann Baskins, was asked to resign and did. Senior Counsel, Kevin Hunsaker, who sought and relied upon the 'legal opinion' refused to resign and was fired.

Verizon initiated a John Doe action against one or more of the private investigation firms that performed the pretexting.

Cingular Wireless filed suit against the CAS Agency and its registered agent as well as 100 other 'John Doe' defendants. The basis of that lawsuit is the alleged unlawful taking of the telephone records of Dawn Kawamoto, a reporter for CNET News.com.

AT&T has confirmed that its customers' records were improperly obtained. AT&T has not yet filed a legal action to recover its customers' information or enjoin further dissemination of that information.

The California Attorney General's office filed criminal charges against five individuals including former Chairman Dunn and former Senior Counsel Hunsacker. Each of these criminal defendants faces four felony charges: 1) fraudulently obtaining private information from a public utility; 2) accessing computer data without permission; 3) identity theft; and 4) conspiracy to commit the preceding three crimes.

The litigation that has been filed to date is likely just the tip of the iceberg. The individuals who were the victims of pretexting are waiting in the shadows, but could pursue actions against: 1) SOS and the additional private investigators engaged by SOS to assist in the investigation, 2) the companies that released the confidential information, and 3) HP and the officers and directors in-volved in the scandal.

Hewlett-Packard has now appointed a former U.S. Prosecutor to independently review what steps were taken in the investigation and the company's existing Best Practices Standards.

Alternative Actions to Those Taken By the HP Investigation Team

The developments associated with the Hewlett-Packard incident raise an important question for all businesses: What should a company do when it suspects that one or more board members might be leaking confidential information to the press? Because hindsight is often 20/20, published reports about the HP case give rise to some obvious steps a company in a similar situation could take from the outset.

First, the company could request that each member of the board of directors turn over telephone and e-mail records to an unbiased third-party investigator. Logically, if any of the directors refuses to turn over the requested records, the investigation team would have a lead on the source of the leaks.

Next, to the extent that an investigation is required, the investigation team should clearly set forth the terms of engagement in a retention letter or contract with the private investigator. The team also should require the private investigator to disclose in writing what methods it intends to use. As part of the engagement, the investigation team should require that the private investigator not violate any federal or state laws in obtaining such information. In fact, Robert Ryan, one of HP's members of the board conceded recently: 'When you hire firms that are experts at something, you not only have to lay out all things have to be legal, you have to understand what those firms do on your behalf. You have to make the point that it has to be legal, ethical, and respectful of people's privacy and those are things we didn't do.'

The logical next step should be a review of the terms of engagement and proposed investigation methods by independent counsel, which would render a legal opinion as to the techniques the team, intended to undertake. The HP investigation team recognized the need for such an opinion. Its mistake, however, was in seeking that opinion from SOS. This led to the improper reliance on a law clerk's opinion, the scope of which is not currently known. The legal analysis in the HP case should have also included the legality of what was being done on a state-by-state as well as federal basis instead of relying on SOS's law firm's representations.

Certainly, Human Resources personnel should be included in any internal investigation process to confirm that an investigation team is not exposing the company to liability for employment practices violations.

It is unclear at this point what analysis the HP investigation team may have performed regarding whether its actions violated Hewlett-Packard's employment handbook.

Finally, a company should consider the potential public relations fallout from its direct investigation and engage a public relations consultant to handle damage control in case news of the investigation and the techniques utilized hit the press. Such engagement may have helped limit the media frenzy in the HP case.

Conclusion

Dozens of legal and ethical corporate issues have been created by the HP investigation team's actions, as well as the private investigation firm's actions, and the counsel of their various law firms. There will likely be a significant amount of criminal and civil legal proceedings in the coming months and years from this HP investigation. We should expect Hewlett-Packard to remain in the headlines for many months to come.

Marguerite “Becky” Patrick is a partner at Morris, Manning & Martin, LLP. Her practice focuses on intellectual property and technology litigation, including disputes regarding copyrights, trademarks, trade dress, trade secrets, Internet and e-commerce, intellectual property and technology licenses, co-development of technology, software development and implementation, non-competition, false advertising, contractual relationships, and insurance coverage for intellectual property disputes. She may be reached at [email protected].

'What began as an investigation with the best intentions has ended up turning in a direction we could not possibly have anticipated.' Mark Hurd, CEO Hewlett-Packard.

On Sept. 5, 2006, Newsweek published a story about Hewlett-Packard's Chairman Patricia Dunn's use of a private investigation firm to locate the source of leaks of confidential corporate information. As the story unfolded, the public learned the following: After confidential information appeared in news publications in 2005, certain officers and certain members of the board of directors of Hewlett-Packard ('HP') authorized the launch of two investigations, the first in 2005, and the next in 2006, to locate the source of the information leaks. The basis for the investigations was that the information leaked to the press was known only to board members. Certain officers and directors collectively comprised the 'HP investigation team' in the secret investigation of the leaks to the media. In devising its plan, the HP investigation team sought the assistance of a top investigator, Ron DeLia, head of Security OutSourcing Solutions, Inc. ('SOS'), with whom Hewlett-Packard previously had worked on unrelated matters. DeLia allegedly encouraged the HP investigation team to use pretexting or 'social engineering' to obtain private cell phone and phone records of certain targeted individuals, among other things.

Pretexting is the act of creating and using an invented scenario to obtain information from or about a target, usually over the telephone. It usually involves some prior research and the use of pieces of known information (eg, mother's maiden name, birthday, Social Security Number) to convince the target company that the individual seeking the information is, in fact, the legitimate owner of the information. Misrepresenting anything about oneself in order to improperly obtain another's information is, by definition, pretexting.

According to reports, SOS asserted that the techniques being used in the investigation were legal. SOS's legal counsel apparently provided assurances in the form of a 'legal opinion' that the actions being taken were legal. Kevin Hunsaker, senior counsel at Hewlett-Packard, relying upon SOS's representations and the 'legal opinion,' relayed these assurances to general counsel and the HP investigation team, of which he was a member. Other members of the HP investigation team have said that they had the clear impression from DeLia that the records he intended to obtain could be obtained legally from publicly available sources. SOS's continuing investigation into the media leaks included the use of pretexting to gain personal and confidential information about certain of Hewlett-Packard's directors and employees, as well as unaffiliated members of the press.

In March 2006, SOS issued a draft report that identified the potential source of the leak and provided an outline of the techniques that had been used in conducting the investigation. That outline specifically identified pretexting as one of the techniques employed to obtain information. Other techniques included physical surveillance and other questionable techniques, including the deployment of an e-mail tracer program attached to a bogus e-mail delivered to a reporter. Had the reporter activated the tracer, it would have allowed the private investigator and the HP investigation team to trace his or her IP address. There was also discussion of sending a spyware/keystroke logger program as an e-mail attachment. Had that program been delivered and launched inadvertently by the re-porter, SOS and the HP investigation team would have been able to capture every keystroke on the reporter's computer. SOS's draft report also allegedly contains some assurances that all of the techniques utilized were legal.

The targets of the investigation included at least two Hewlett-Packard employees, several former and current members of the board of directors, several of those persons' family members, at least nine journalists at various news publications and, in some cases, those journalists' spouses and other family members. Several publications have reported that SOS or others under its direction attempted to obtain phone records for Hewlett-Packard's former CEO Carly Fiorina and Hewlett-Packard's outside counsel Larry Sonsini. It is not clear at this point whether those records were obtained or whether pretexting was utilized in the attempt to obtain the records.

Pretexting and the Law

Private investigators have used pretexting for years, often to trick a business into disclosing its customers' information. Private investigators thereby obtain telephone records, banking records, credit card records, and other confidential information from the company by posing as the owner of the account. Most U.S. companies still authenticate a client by asking for a Social Security Number, birthday, or mother's maiden name (think about the last time you opened an account with a password), all of which are easily obtained by a third party. This makes it extremely easy for a third party or private investigator to obtain personal information.

In 1999, the Gramm-Leach-Bliley Act ('GLB') was signed into law. 15 USC ”6821-827, Fraudulent Access to Financial Information. The GLB makes pretexting to obtain bank records an illegal act punishable under federal law. The GLB prohibits 'pretexting,' or the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. The GLB in part provides as follows:

Sec. 6821. Privacy protection for customer information of financial institutions.

(a) Prohibition on obtaining customer information by false pretenses.

(b) Prohibition on solicitation of a person to obtain customer information from financial institution under false pretenses.

(c) Non-applicability to law en-forcement agencies.

(d) Non-applicability to financial institutions in certain cases.

(e) Non-applicability to insurance institutions for investigation of insurance fraud.

(f) Non-applicability to certain types of customer information of financial institutions.

(g) Non-applicability to collection of child support judgments.

This law also prohibits the knowing solicitation of others to engage in pretexting for customer information of a financial institution. The Federal Trade Commission ('FTC') has been active in bringing actions against companies and individuals that practice pretexting and then sell consumers' financial information.

When a business entity, such as a private investigation firm, conducts any type of deception, it falls under the authority of the FTC. The FTC is both authorized and obligated to ensure that consumers are not subject to any unfair or deceptive business practices.

Section 5 of the Federal Trade Commission Act ('FTCA') states, in part:

Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect …

The statute provides that if one is securing any personal, nonpublic information from a financial institution or the consumer, that situation is covered by the statute and relates directly to the consumer's relationship with the financial institution. For example, if the pretexter is using false pretenses to obtain the consumer's address from the consumer's bank, that would be covered by the FTCA. Or, if the pretexter is going to the consumer and getting the name of his or her bank through false pretenses, that would be covered by the FTCA as well.

There currently is no federal legislation that bans pretexting generally, but Congress currently has five pieces of such legislation before it, each piece varying in scope. Under common law, however, the act of pretexting would likely lead to a claim in tort for invasion of privacy, given the information sought and methods used to obtain it. Some states have adopted criminal statutes that prohibit such practices. California Penal Code '538.5 specifically holds 'executing a scheme or artifice to obtain, from a public utility,' a customer's 'billing records' to be a crime. The California criminal statute further provides that it is not just the people who obtain the information who will be held liable but every person who transmits or causes the information to be transmitted.

Legal Concerns Leading to the Investigation

Hewlett-Packard knew that there was a leak somewhere within its board. Several articles appeared in the press regarding issues and matters that previously had been discussed only within the confines of a confidential board meeting. According to the HP investigation team, these and continuing leaks had the potential to significantly damage the company and the value of its shares in the market.

But every board member at any company has a fiduciary duty to the board and the company. That fiduciary duty includes a duty to maintain confidentiality. Many corporate codes of conduct have confidentiality restrictions as well. Hewlett-Packard's corporate code of conduct may have these restrictions. In addition, more often than not, board members are required to sign confidentiality restrictions. It is unclear at this point whether Hewlett-Packard's board members signed such a confidentiality restriction.

But every board member has a duty of loyalty not only to the company but also to the company shareholders. One can imagine a number of in-stances in which this duty of loyalty could conflict with confidentiality restrictions and the fiduciary duty to maintain confidential information. Certainly, a director could believe that the duty of loyalty would require disclosure of information prohibited by confidential restrictions in order to protect shareholders and the company.

Pursuant to Delaware corporate law, there are two fundamental fiduciary duties: that of care and that of loyalty. While there is no statutory duty of confidentiality, the duty of confidentiality is presumed to be part of the duty of loyalty to the company. The significant importance of board meeting confidentiality is generally recognized as a matter of corporate governance.

With regard to the Hewlett-Packard leaks, some have opined in hindsight that the information 'leaked' or disclosed to the press by a member of the board of directors did not qualify as confidential information such that the disclosure of such information would be in violation of that director's fiduciary duties. Therefore, these individuals opine, no confidential information was leaked, so there was no violation of any fiduciary duty and there was never any basis to initiate an investigation.

Post-investigation Disclosure and Events

First and foremost, the Hewlett-Packard directors and officers who were involved in initiating the investigation and those who were involved in monitoring its progress have, for the most part, claimed that they did not know that any extreme tactics were being used or that the tactics used were illegal. Former Chairman Dunn stated that she didn't hire SOS because it was already engaged generally by Hewlett-Packard. Dunn also stated that she assumed that the long-term engagement between the two companies meant that SOS would conduct its investigation in an aboveboard manner. Additionally, Dunn stated that she asked DeLia at every point of contact if what was being done was proper, legal, and in full compliance with Hewlett-Packard's previous practices. At a minimum though, it seems that the facts will show that the HP investigative team was aware that the investigation could raise ethical and privacy violation issues. Indeed, an e-mail allegedly exists that discloses one of the team member's concerns that the actions and techniques being used were, in fact, illegal.

The facts have revealed that there were indeed disclosures to the HP investigation team of intent to use spyware, intercept private communications, sift through personal trash, and obtain phone records as a few of many invasive techniques. Now, as the publicity about Hewlett-Packard's investigation grows and the congressional hearings proceed, certain of Hewlett-Packard's steps, or missteps, as the case may be, related to SOS's investigation have been revealed.

For example, Sonsini's law firm, Wilson Sonsini Goodrich & Rosati, was engaged after the fact to conduct an investigation into the legality of what took place. Wilson Sonsini's investigation found that the HP investigation team did seek a legal opinion as to the legality of using pretexting as a method to obtain an individual's phone records. The HP investigation team, however, did not engage Hewlett-Packard's counsel to investigate and render this opinion. Rather, the HP investigation team sought the legal opinion from SOS. SOS, in turn, engaged its law firm to render the legal opinion that the HP investigation team apparently relied upon. Wilson Sonsini's investigation revealed that the 'legal opinion' that the HP investigation team relied upon was prepared by a law clerk, not a lawyer, at a firm somehow affiliated or associated with SOS. This also raises a separate issue for SOS's legal counsel to the extent that the preparation of that 'legal opinion' constitutes the unauthorized practice of law by someone who is not a member of a state bar. In any event, apparently no one on the HP investigation team ever took it to the next level, questioning or investigating the source of the legal opinion.

Additionally, the subsequent inquiry into the HP investigation team's actions uncovered the fact that the HP investigation team had its private investigator intercept the Instant Messaging transmissions of an em-ployee with an outside reporter. While there long have been concerns about the security of Instant Messaging systems, this is one of the first highly publicized cases confirming the lack of security and interception of Instant Messages. It has been established that with proper policies and procedures in place, an employer may lawfully monitor anything its employee does when using the company's e-mail service and Internet service provider. The Instant Messaging arena, however, is murky. Yes, messages in this case were sent on company time, but it was a third-party communications system, not controlled by Hewlett-Packard, that was being utilized. It is unclear whether an employer can legally monitor those communications to the extent that the HP investigation team chose to monitor the Instant Messages.

The overall investigation into the HP investigation team's actions has also revealed that HP's global investigations manager, who was on the investigation team, obtained and provided a Hewlett-Packard's employee's Social Security Number to SOS.

Fallout from the HP Investigation Team's Actions

On Sept. 12, 2006, George Keyworth, the identified source of the leaks, resigned. Chairman of the Board Dunn initially petitioned to remain as Chairman of the Board until January 2007, which was approved. She since was asked to step down and has resigned. Current CEO Mark Hurd was asked to resign, but has refused to date. Hewlett-Packard's General Coun-sel, Ann Baskins, was asked to resign and did. Senior Counsel, Kevin Hunsaker, who sought and relied upon the 'legal opinion' refused to resign and was fired.

Verizon initiated a John Doe action against one or more of the private investigation firms that performed the pretexting.

Cingular Wireless filed suit against the CAS Agency and its registered agent as well as 100 other 'John Doe' defendants. The basis of that lawsuit is the alleged unlawful taking of the telephone records of Dawn Kawamoto, a reporter for CNET News.com.

AT&T has confirmed that its customers' records were improperly obtained. AT&T has not yet filed a legal action to recover its customers' information or enjoin further dissemination of that information.

The California Attorney General's office filed criminal charges against five individuals including former Chairman Dunn and former Senior Counsel Hunsacker. Each of these criminal defendants faces four felony charges: 1) fraudulently obtaining private information from a public utility; 2) accessing computer data without permission; 3) identity theft; and 4) conspiracy to commit the preceding three crimes.

The litigation that has been filed to date is likely just the tip of the iceberg. The individuals who were the victims of pretexting are waiting in the shadows, but could pursue actions against: 1) SOS and the additional private investigators engaged by SOS to assist in the investigation, 2) the companies that released the confidential information, and 3) HP and the officers and directors in-volved in the scandal.

Hewlett-Packard has now appointed a former U.S. Prosecutor to independently review what steps were taken in the investigation and the company's existing Best Practices Standards.

Alternative Actions to Those Taken By the HP Investigation Team

The developments associated with the Hewlett-Packard incident raise an important question for all businesses: What should a company do when it suspects that one or more board members might be leaking confidential information to the press? Because hindsight is often 20/20, published reports about the HP case give rise to some obvious steps a company in a similar situation could take from the outset.

First, the company could request that each member of the board of directors turn over telephone and e-mail records to an unbiased third-party investigator. Logically, if any of the directors refuses to turn over the requested records, the investigation team would have a lead on the source of the leaks.

Next, to the extent that an investigation is required, the investigation team should clearly set forth the terms of engagement in a retention letter or contract with the private investigator. The team also should require the private investigator to disclose in writing what methods it intends to use. As part of the engagement, the investigation team should require that the private investigator not violate any federal or state laws in obtaining such information. In fact, Robert Ryan, one of HP's members of the board conceded recently: 'When you hire firms that are experts at something, you not only have to lay out all things have to be legal, you have to understand what those firms do on your behalf. You have to make the point that it has to be legal, ethical, and respectful of people's privacy and those are things we didn't do.'

The logical next step should be a review of the terms of engagement and proposed investigation methods by independent counsel, which would render a legal opinion as to the techniques the team, intended to undertake. The HP investigation team recognized the need for such an opinion. Its mistake, however, was in seeking that opinion from SOS. This led to the improper reliance on a law clerk's opinion, the scope of which is not currently known. The legal analysis in the HP case should have also included the legality of what was being done on a state-by-state as well as federal basis instead of relying on SOS's law firm's representations.

Certainly, Human Resources personnel should be included in any internal investigation process to confirm that an investigation team is not exposing the company to liability for employment practices violations.

It is unclear at this point what analysis the HP investigation team may have performed regarding whether its actions violated Hewlett-Packard's employment handbook.

Finally, a company should consider the potential public relations fallout from its direct investigation and engage a public relations consultant to handle damage control in case news of the investigation and the techniques utilized hit the press. Such engagement may have helped limit the media frenzy in the HP case.

Conclusion

Dozens of legal and ethical corporate issues have been created by the HP investigation team's actions, as well as the private investigation firm's actions, and the counsel of their various law firms. There will likely be a significant amount of criminal and civil legal proceedings in the coming months and years from this HP investigation. We should expect Hewlett-Packard to remain in the headlines for many months to come.

Marguerite “Becky” Patrick is a partner at Morris, Manning & Martin, LLP. Her practice focuses on intellectual property and technology litigation, including disputes regarding copyrights, trademarks, trade dress, trade secrets, Internet and e-commerce, intellectual property and technology licenses, co-development of technology, software development and implementation, non-competition, false advertising, contractual relationships, and insurance coverage for intellectual property disputes. She may be reached at [email protected].