Alarmed
Post-Mortem on Pretexting
The furor over HP's investigation into leaks from its board of directors raises a question: When should it be OK to lie?
By Sarah D. Scalet
September 28, 2006
—
CSO
—
For the October issue of CSO magazine, I wrote a mini-profile of a company called Mitchell & Ness, which makes vintage sports jerseys that sell for hundreds of dollars. The company has a huge problem with counterfeit and diverted goods
You might call what the investigator did lying. You might call it going undercover. Or you might also call it what has become the latest dirty word in business: pretexting.
Pretexting has become a dirty word, of course, because of the revelation that Hewlett-Packard took it, along with other investigative techniques, way too far in trying to find the source of boardroom leaks. An outside attorney brought in by HP is examining four questionable methods in particular: obtaining telephone call and fax records by pretending to be individuals under investigation; using Social Security numbers to obtain those records; sending e-mail with a tracing mechanism as an attachment; and conducting physical surveillance of individuals, including a board member who was trailed at home in California and on a trip to Colorado.
HP screwed up this investigation and is now suffering the consequences. Several individuals have lost their jobs, among them Tony Gentilucci, a security manager who allegedly gave out the Social Security number of an HP employee. But another consequence may be a chilling effect on people who know how to (and bother to) conduct a by-the-book, ethical, effective investigation. Already, companies may be leery of doing a thorough investigation, for fear of being tainted by even remote association with HP's dirty tricks.
One longer-term outcome could be a notification law, in which persons under investigation are given warning. Also likely to come under increased scrutiny
Pretexting is a technique in every investigator's toolbox, and it involves, at its very essence, lying. Lying, by itself, is not illegal. As Richard Horowitz, a New York attorney who helped formulate guidelines for a trade group of competitive intelligence professionals, once told me: "It's not illegal to lie and say to someone, 'Yes, your daughter looks beautiful on her wedding day.' Even if she doesn't. We call that a white lie."