Pretexting: The Legal Basics, Then and Now

By Joseph M. Burton, Esq. and Gregory G. Iskander, Esq.   

Webster’s defines the term “pretext” as “that which is put forward to conceal a true purpose or object; an ostensible reason; the misleading appearance or behavior assumed with this intention.”  Although the variation “pretexting” is not in the dictionary, the use of the term has become commonplace--primarily because of its extensive use in the media after the HP scandal in 2006, when investigators used questionable tactics to research leaks from HP’s board of directors. (See CSO’s in-depth coverage, “Five Things about Investigations That Won’t Change as a Result of the Hewlett-Packard Scandal” for details.)

Largely in response to the public outcry against the perceived invasion of privacy, in the last year Congress and many states have passed new anti-pretexting laws. This article provides an overview of pretexting and information about some of the key federal and state statutes that now regulate the access of private telephone records.

The Definition of Pretexting

In 2001, the Federal Trade Commission issued a publication on pretexting, defining it as “the practice of getting your personal information under false pretenses.” As described by the FTC definition, pretexting goes beyond obtaining telephone records. Pretexters also seek to obtain bank records, credit card numbers, Social Security numbers, credit reports and other personal information. 

Typically, an investigator will pretend to be an individual (the target), using some personal information already gathered, to gain access to other information about a target held by a third party. A good example is set forth in the warrant supporting the charges in the HP case:

First, an account can be created by the customer by using the telephone to which the account is tied. AT&T has an automated system that recognizes the customer’s telephone number (similar to caller I.D.) and will open an on-line account. “Pretexting” is accomplished by “spoofing” the telephone number. “Spoofing” is where the out-bound caller identity of a telephone (telephone number) is changed to reflect a different number. There are commercial “spoofing” services that allow a user to change their call out-bound caller identity. In this case the suspect would “spoof” the customer’s telephone number thereby tricking AT&T into believing that the customer’s telephone was being used to open the account.

Second, an account can be created by the customer on-line by providing the telephone number and the last four digits of the customer’s social security number. “Pretexting” is accomplished by using the legitimate customer’s information to gain access to the on-line account.

Finally, an account can also be created by using a multi-digit code that is found on the customer’s “paper” billing statement. “Pretexting” here involves tricking AT&T service representatives to reveal this code. A common tactic employed is to pretend to be the customer who lost their billing statement and who needs to make an on-line payment.

Of course, there are many techniques that creative investigators use to gather personal information about a target. Some of those methods, such as pretexting, may be considered unethical by many, but whether they are illegal (or were illegal at the time of HP’s investigation, for that matter) is another question. This gap between what many people perceived to be inethical, and what was actually illegal, has led to a proliferation of federal and state laws in the past two years.

Facts about the New Federal Law

Until recently, there were no federal or state laws that applied to pretexting in the context of obtaining telephone records. In fact, the only federal law that clearly prohibited any type of pretexting was the Gramm-Leach-Bliley Act (GLBA); that law applies only to records from financial institutions.

In the wake of the HP case, Congress passed the Telephone Records and Privacy Protection Act of 2006. The new law, effective January 2007, appears broad enough to cover most attempts by an individual to access another individual’s telephone records. Its scope, however, is limited to conduct involving interstate or foreign commerce. Although an analysis of what constitutes interstate or foreign commerce is beyond the scope of this article, any use of the telephone, mail, or Internet to obtain an individual’s phone records through false representations would likely be covered. Exceptions are made for investigations by law enforcement.

The law covers most scenarios that pretexters would use to obtain records, including making any false statement to an employee of the telecommunications provider or providing false documents. The law also prohibits making a false statement to a customer or accessing records through the Internet or through any means of hacking.

The law even goes beyond obtaining records through pretexting and prohibits the sale, transfer, purchase, or receipt of confidential phone records without the customer’s consent.

While virtually all information held by a telecommunications provider is covered, the new law covers only information held or furnished by a telecommunications provider, including any provider of IP-enabled voice service. The law does not cover personal information (even through use of the phones) from banks, credit card companies or other non-communications business. 

Sorting Out the State Laws

Similarly, many states responded to the HP scandal by passing their own anti-pretexting laws aimed at protecting telephone records. Here are some highlights:

California:

California, which is considered at the forefront of privacy and consumer protection legislation, enacted a new anti-pretexting law effective January 2007. The California law, like the federal law, applies to the use of pretexting to obtain telephone records only; it does not apply to other forms of private information. Nevertheless, the prohibited methods used to obtain telephone records are broad and would seem to cover almost any attempt to access this information.

It is illegal in California for any person to purchase, sell or offer to buy or sell any telephone record or list, without the written consent of the subscriber. It is also illegal for any person to obtain through fraud or deceit any telephone record or list. California also makes any personal information contained in a telephone record inadmissible as evidence if it is obtained illegally.

Also, in California, an employer of, or entity contracting with, a person who violates the state’s anti-pretexting law is subject to prosecution if the employer or contracting entity knowingly allowed the employee or contractor to engage in conduct that violated the statute.

Although California’s law appears to be the most comprehensive, all the states that have passed anti-pretexting statutes prohibit obtaining or selling telephone records through the use of fraudulent representations.

New York:

New York’s Consumer Communication Records Privacy Act makes it illegal to knowingly and intentionally procure, solicit, sell, or fraudulently transfer or use telephone record information from a telephone company, without written authorization from the customer.

Florida:

Florida similarly prohibits any attempt to obtain the calling record of another person (or sell such a record) without the permission of that person by making a false representation or providing a false document to either an employee or customer of a telephone company.

Washington:

Washington state makes it illegal for anyone to intentionally sell, fraudulently obtain knowingly purchase, or knowingly receive a telephone record without the authorization of the customer.

Other Legislation:

Other states to pass anti-pretexting laws are: Arizona, Colorado, Connecticut, Georgia, Illinois, Maryland, Michigan, Montana, North Carolina, North Dakota, Oklahoma, Rhode Island, Texas, Virginia and Wisconsin. Although worded slightly differently, each of these state statutes makes pretexting for telephone records illegal.

The Implications for Corporate Investigators

The new anti-pretexting laws have yet to produce any published cases. But one thing is clear--investigators must be wary of old habits. Many investigators use pretexting as a means of gathering information, including for arguably legitimate purposes such as determining whether unlawful conduct has been committed or whether company policy has been violated. Prior law did not prohibit pretexting for benign purposes such as legitimate investigations. Moreover, its prior use, even if improper, resulted in only civil penalties, not criminal sanctions.

But the new anti-pretexting laws do not distinguish between benign and malicious uses of pretexting. While investigators may continue to use customary methods of obtaining information, this era’s new privacy laws render it crucial that a company or an individual insist that any investigation is done with legal supervision. This is necessary so that the company or the individual hiring the investigator may thoroughly evaluate the legal consequences of the investigator’s actions, and protect their own interests.

A discussion with any investigator will reveal that although hampered by the new laws, there are still plenty of methods investigators will use to attempt to gather information. At the heart of many investigations is the need to obtain personal information. Many of these investigators, unfortunately, will violate the law, whether knowingly or unknowingly. But not all investigations need be dispensed with. Investigations, within the bounds of the law, can still be effective. The law is constantly changing, and knowing the current bounds of the law is the key.

Joseph M. Burton is the managing partner of Duane Morris’ San Francisco office, where he advises and represents individuals and corporations regarding their rights and responsibilities in maintaining the security of digital information. Gregory G. Iskander is a trial lawyer with Duane Morris LLP and has conducted and supervised many investigations for private and public companies as well as municipalities. Send feedback to csoletters@cxo.com.

--

Editor’s note: The comment field below does not work. Please send your feedback to csoletters@cxo.com.

Copyright © 2007 IDG Communications, Inc.

8 pitfalls that undermine security program success