Post-Mortem on Pretexting

The furor over HPs investigation into leaks from its board of directors raises a question: When should it be OK to lie?

For the October issue of CSO magazine, I wrote a mini-profile of a company called Mitchell & Ness, which makes vintage sports jerseys that sell for hundreds of dollars. The company has a huge problem with counterfeit and diverted goods

so much so that it recently hired a consultant to visit some of its factories in Korea posing as a distributor who wanted to purchase any extra shirts the factory could produce.

You might call what the investigator did lying. You might call it going undercover. Or you might also call it what has become the latest dirty word in business: pretexting.

Pretexting has become a dirty word, of course, because of the revelation that Hewlett-Packard took it, along with other investigative techniques, way too far in trying to find the source of boardroom leaks. An outside attorney brought in by HP is examining four questionable methods in particular: obtaining telephone call and fax records by pretending to be individuals under investigation; using Social Security numbers to obtain those records; sending e-mail with a tracing mechanism as an attachment; and conducting physical surveillance of individuals, including a board member who was trailed at home in California and on a trip to Colorado.

HP screwed up this investigation and is now suffering the consequences. Several individuals have lost their jobs, among them Tony Gentilucci, a security manager who allegedly gave out the Social Security number of an HP employee. But another consequence may be a chilling effect on people who know how to (and bother to) conduct a by-the-book, ethical, effective investigation. Already, companies may be leery of doing a thorough investigation, for fear of being tainted by even remote association with HPs dirty tricks.

One longer-term outcome could be a notification law, in which persons under investigation are given warning. Also likely to come under increased scrutinyand for good reasonis the use of contractors and subcontractors to handle the less savory aspects of an investigation. But the biggest concern were hearing from CSOs is that pretexting as a wholein other words, any form of misrepresentationcould get thrown under the bus and made illegal.

Pretexting is a technique in every investigators toolbox, and it involves, at its very essence, lying. Lying, by itself, is not illegal. As Richard Horowitz, a New York attorney who helped formulate guidelines for a trade group of competitive intelligence professionals, once told me: Its not illegal to lie and say to someone, Yes, your daughter looks beautiful on her wedding day. Even if she doesnt. We call that a white lie.

At some point, however, a white lieone that most people consider acceptable, like going into your factories pretending to be someone else perhapscrosses the line into a gray area that many people consider unacceptablelike conducting a secret investigation that involves a stakeout at a board members house. And at some further point still, a lie crosses from the gray area to a black onelike pretending to be a very specific person, with a very specific Social Security number, who wants records of his recent phone calls. This black area consists of behavior that is illegal. In violation of privacy, wire-tapping or employee protection laws. Fraud.

Perhaps nowhere in the business world is the gray area, ethics, larger than in matters of investigations. Just think back to the infamous P&G dumpster diving case in 2001. The consumer goods company paid Unilever $10 million after being caught conducting an investigation that involved going through its rivals trashone of several techniques that were not exactly illegal but that violated internal P&G policies, as well as the boundaries of what many people consider ethical business practices.

Clearly, the investigation at HP crossed the line into the gray, if not black. Mark Hurd, HPs chief executive, acknowledged as much last week in his first comments to the press since the scandal broke. Some of the findings about the investigation are very disturbing to me, he said, and do not reflect the values of HP.

But the question before us now is not only to what extent the HP investigation crossed into gray and black areas. Its to what extent our current laws have created a bigger gray zone than we as a society are comfortable with. Our challenge going forward will be to carefully reshape and limit that gray zone, without creating a world in which a company like Mitchell & Ness cant hire private investigators to see whats really going on in its factories.

Will the furor over HPs investigative methods change the way your company approaches investigations? E-mail columnist Sarah D. Scalet at sscalet@cxo.com.

Copyright © 2006 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.