5 Things About Corporate Investigations That Won't Change...

...as a result of the Hewlett-Packard pretexting scandal. Corporate investigations will be tweaked but not fundamentally altered.

Corporate investigations got a shock to the system last year.

On May 24, 2006, Hewlett-Packard's director of ethics sent out an internal memo stamped "Attorney-Client Privileged" that contained 12 pages' worth of detective work that would make any sleuth stand proud.

The memo, sent by Kevin T. Hunsaker to the company's CEO, general counsel and board of directors (and made public after a congressional hearing this past September), summarized the work that a group of HP internal investigators had done to determine an unnamed source for an article published by CNET on Jan. 23, 2006. The article contained details about a board meeting that HP chairwoman Patricia Dunn did not want made public. In painstaking detail, the investigative team laid out its findings.

By page 13 of the memo, the case seemed pretty well sealed up. Investigators picked apart the language and facts for which Kawamoto cited an unnamed HP source, with the pool of possible sources dwindling down to one. In 2002, the "source" knew details about a licensing agreement with Intel in 1993; only two current board members would know those details. In 2003, the "source" spoke in glowing terms of HP's portfolio of patents; this was a favorite talking point of one board member. In 2006, the "source" used the term lectures, "an academic term, rarely used in the business environment"; only one board member had an academic background. In 2001, one board member had cultivated a relationship with Kawamoto, at former CEO Carly Fiorina's request, to promote HP's merger with Compaq. And so it went. In each instance, that board member was George W. Keyworth II.

The evidence was largely circumstantial, but this wasn't a criminal case. This was an internal investigation meant to help chairwoman Dunn and CEO Mark Hurd plug the leaks.

The trouble began when investigators sought to put the final nails in Keyworth's coffin. "...[A]t 5:25 p.m. PST on January 18, 2006...a call was made from Kawamoto's cell phone to Keyworth's home in Piedmont, California," reads a sentence on page 13. "The call lasted approximately one minute."

There began a litany of details from private phone records that no scrupulous investigator would have been able to obtain without help from law enforcement. The 12 pages of material that would make any investigator stand tall were actually embedded in an 18-page document that also spoke of things more likely to make them slouch in their seats—covert intelligence gathering, video surveillance and "third-party phone information."

Yet it was an effective campaign. By page 17, Keyworth had admitted to investigators and the board that he was the source, explaining, in investigators' words, that "he thought it was in the best interests of HP for the information in the January 23 article to be made public." Keyworth would soon resign.

What followed is painfully well-known. Felony charges from the California Attorney General against five people who allegedly were involved with accessing private phone records under false pretenses. Several resignations, including Hunsaker, Dunn and Anthony Gentilucci, manager of global security investigations. Congressional hearings where some HP executives pleaded the Fifth Amendment and some lawmakers compared the scenario to Enron and Watergate. Salacious details of how investigators trailed a board member from California to Colorado, used e-mail tracing technology unknown outside of the marketing and investigations worlds, and even considered planting spies in newsrooms. Hurd's very public apology. A $14.5 million settlement HP reached with California to resolve civil claims in the case. (HP refused to comment for this story.)

The HP investigation was expensive, invasive, out of scale with the problem and largely unnecessary. In short, it is probably the stupidest thing HP has ever done. And that's exactly why, despite what some may hope, it is unlikely to have a lasting impact on how corporations run investigations.

To those who say that HP will change everything, we say, yeah right. Instead, we proffer five things that the HP investigation won't change—at least, not in the way one might expect.

Assumption #1: This is a wake-up call to corporate America about the risks of botched investigations.

As the scandal unfolded, Bill Wipprecht, CSO of Wells Fargo in San Francisco, worked on some elevator "talking points."

In between floors 1 and 12, he says, "When other executives say, 'What do you think of that?' you have to be able to respond instead of just fumbling for your keys."

For his part, Wipprecht likes to say that because the media benefits from leaks, journalists didn't focus on what Keyworth did wrong. He also asserts that because Wells Fargo is in a highly regulated industry, his investigations group doesn't take any chances by using risky techniques that wouldn't, as he puts it, play well on the evening news. "We're already overregulated, and we think we're knowledgeable about all the laws," says Wipprecht, whose group typically investigates things such as cash shortages, mortgage fraud and expense abuse.

Likewise, the senior director of loss prevention at Luxottica Retail, who's a member of the ASIS Retail Loss Prevention Council, insisted that he hadn't experienced any extra scrutiny on the investigations his group runs, which are typically background checks on new employees or investigations into thefts from stores.

"I have no intention of scaling back, because I know our investigations are done under guidelines and the law," says Alan Greggo, whose company operates 4,600 retail locations including LensCrafters, Pearl Vision and Sunglass Hut. Checks and balances are key, he says. Any use of the company's camera system, for instance, must be approved by a senior director and the legal department; results of investigations must be reviewed by a director-level loss prevention associate to make sure evidence is used properly.

Elsewhere, CSOs were looking at their policies and largely concluding that they had appropriate guidelines in place. Recruiter Kathy Lavinder, executive director of Security and Investigative Placement Consultants in Bethesda, Md., says some of her clients were dusting off their policies, pushing them out to their chains of command, and emphasizing that certain tactics—such as pretexting to obtain private telephone records—were not allowed. She adds that no one she talked to had indicated they ever permitted such activities. But she didn't seem convinced that the HP investigation would necessarily result in any seismic changes.

"I think there'll be a lot of talk," Lavinder predicts. "In some cases it will be genuine, and in some cases it will be window dressing. A certain number of senior executives want to do what they've always done, which is to some extent turn a blind eye, particularly if an investigation is outsourced. Don't ask, don't tell. That's a risky strategy, but I think we'll see some of that as well."

What makes this easy to do, given the circumstances, is that the HP case appears to be an outlier—something so outlandishly awful that the industry can shrug its collective shoulders and simply disregard it. Companies can say, "It won't happen to us," because it probably won't. Furthermore, if people with lots of money and power are committed to a project that constitutes an epic lapse in judgment, it's very difficult to stop them. Sad, but true.

Reality check: For better or worse, HP is a talking point, not an industry-changing event.

Assumption #2: Companies will quit exposing themselves to the risks of third-party investigators, who themselves may outsource some investigations work.

If the execution of the HP investigation was an outlier, it was also an extremely unusual operation from the get-go. After all, an investigation involving board members is not an everyday job even for the most seasoned internal fraud examiner or loss prevention specialist. In fact, it's the very kind of specialized task that probably ought to be outsourced.

"Third-party investigators are an important part of the process that corporate America and retailers use," says Joe LaRocca, VP of loss prevention for the National Retail Federation, a lobbying group in Washington, D.C. If you want to find out if a potential hire has a criminal history, for instance, you might hire a firm with expertise in researching public records. "You're going to go to a third party because they're the experts in getting the information."

"I don't think of it as outsourcing," says Regis Becker, director of global security and compliance at PPG Industries, the Pittsburgh-based industrial manufacturer. "We use what we call 'stringers'"—highly competent retired agents from the military, FBI and Secret Service who set up small investigative shops. "They have the training, they understand the law and they don't have to be briefed on every detail. Everybody is working from the same page."

Most often, this large stable of seasoned investigators available for contract work makes the use of third-party investigators simply a good business practice.

If HP had had only its internal investigators working the case, rather than turning to third parties, people would be questioning that decision, too.

"A good outside law firm would say, Why do you have your loss-prevention and anti-piracy guys doing this? What do they know about it?" says David Caruso, founder of the Dominion Advisory Group, who was brought in as executive vice president of compliance and security at Riggs Bank after the Augusto Pinochet money laundering scandal in 2003.

Of course, people in the security world have always known that sometimes this method is used to keep less savory investigative techniques at arm's length. Just think back to the infamous P&G Dumpster diving case in 2001. The consumer goods company paid Unilever $10 million after being caught hiring a competitive intelligence firm to conduct an investigation that involved going through its rival's trash.

It's up to CSOs to make sure that their companies choose firms carefully and monitor them well. "If you have to hire a contractor to run investigations," Caruso warns, "you have to actively manage what you're doing." But that's nothing new, either.

Reality check: Companies should monitor their third-party investigators, but it would take a lot more than HP's black eye to make them move investigations in-house.

Assumption #3: Congress will pass an antipretexting law because of the revelation that HP investigators obtained phone records using false identities.

"Are you familiar with the term 'pretexting?'" Rep. Joe Barton (R-Texas) asked one of the witnesses who had been called to testify before a House Energy and Commerce subcommittee, not about the HP investigation but about consumer privacy. "There are companies now," he continued, "that are in existence to proactively invade your privacy and sell the results of their ill-gotten gains to anybody with 100 bucks."

Rep. Barton should know. After extensive hearings on pretexting, he and 29 cosponsors—both Republican and Democrat—already had introduced legislation, H.R. 4943, to "prohibit fraudulent access to telephone records." The bill had passed Barton's committee unanimously. Several competing pretexting bills had been introduced. A bipartisan Senate bill, S. 2178, would "make the stealing and selling of telephone records a criminal offense." Another House bill, H.R. 4709, set criminal penalties for obtaining phone records under false pretenses.

The date of this particular hearing at which Barton brought up pretexting was June 20, 2006—a full three months before HP executives would again find themselves on the stand at another hearing that involved telephone pretexting. Rep. Barton had introduced his legislation back in March 2006; competing bills were introduced even earlier, and H.R. 4709 won unanimous House approval in April 2006.

Although he wasn't questioned about pretexting, Scott Taylor, the chief privacy officer of HP, spoke that day of his company's commitment to protecting the personal information it collects about customers. "[P]rivacy is actually a core value at HP," he said.

The HP investigation scandal brought new awareness to pretexting for telephone records, but the fact is that Congress was already well aware of the practice and was taking steps to criminalize it. Indeed, as far back as 2000, a committee had investigated why pretexting—yes, they used that exact word—for personal banking records was still proving successful despite the passage of privacy provisions in the Gramm-Leach-Bliley Act.

The federal telephone pretexting bills stalled, however, and even the HP hearings in September didn't budge them. It wasn't until after the elections, on Dec. 8, 2006, that the Senate passed H.R. 4709, advancing the bill to the White House.

What HP did make clear was that everyone agrees on the need for a federal law clarifying who can and cannot access phone records. Enforcing it will be another story.

Reality check: Federal law protecting the privacy of customer phone records is likely, but it was already in the works.

Assumption #4: Investigators will stop using telephone call records to build cases.
