Ethical Guidelines   For Protecting Company Secrets

The Hewlett-Packard boardroom scandal that has unfolded over the past several weeks has raised important questions about the controversial practice of pretexting to gather intelligence and has sparked discussions about the boundaries a company should employ when protecting its secrets. Equally as important, the incident has sparked a national debate regarding what constitutes appropriate boardroom governance in similar situations.

These questions have grown in importance in recent years. Not only has new technology made it easier to uncover information about companies and individuals, but it has also made it easier

"What began as a proper and serious inquiry of leaks to the press of sensitive company information became a rogue investigation that violated our own principles and values. It's an age-old story. The ends came to justify the means. The investigators became so focused on finding the source of the leaks that they lost sight ... of the values that this company has always represented. — Mark Hurd, HP Chair and CEO, testifying 9/28/06 at Congressional hearings on pretexting and corporate governance

Protect Yourself From Pretexting     Pretexting is the practice of creating a false pretext to secure private information such as an individual’s Social Security number, bank records and credit card numbers. It is a common practice employed by identity thieves and also by some investigators who then sell the information to interested parties — as in the case of the HP scandal.     There are two federal laws that protect consumers from pretexting. The Identity Theft and Assumption Deterrence Act makes it a crime to secure private information and utilize it to commit, aid or abet any unlawful activity. And the Gramm-Leach-Bliley Act prohibits the use of false statements or forged documents to secure private information.     The Federal Trade Commission works on behalf of the consumer to prevent fraudulent and deceptive business practices in the marketplace. If you are a victim of pretexting, you can report it to the FTC and it will be recorded in the Consumer Sentinel, a secure online database that is available to civil and criminal law enforcement agencies in the U.S. and internationally.     Finally, never give out personal information to anyone who contacts you by phone, Internet or mail. Pretexters often pose as representatives of financial institutions, the government, an Internet Service Provider or any number of other places in order to secure information.     Click here for more information on pretexting from the FTC.

to discover when such information has been illegally or unethically obtained. Take, for example, the software that allows companies to help detect when an employee is transferring large files containing trade secrets to outsiders via e-mail.

At the same time, the knowledge-based economy has made protecting intellectual property much more important to a company’s market value.

So when leaks from confidential HP boardroom discussions began to appear in the press, board Chair Patricia Dunn was understandably alarmed. However, the way she and other corporate officials proceeded made a bad situation turn far worse.

Dunn promptly hired private investigators to track down the informant. The investigators later engaged in pretexting — posing as board members and journalists to gain access to private phone documents. While the practice was ultimately successful in identifying the source of the leaks, board members were rightfully outraged when they learned of the tactics employed to identify the person responsible.

The investigators also used other methods to spy on board members and journalists. This involved surveillance of individuals, including following an HP board member on a business trip to Colorado.

In addition, investigators sent a fictitious e-mail message with "tracer" technology to a journalist in the hopes it would be forwarded to the HP informant.

Legal Ramifications

While Dunn says she was not aware investigators utilized illegal pretexting tactics, she resigned in the wake of the scandal, as well as two other members of the board and an HP attorney. Meanwhile, the investigations have resulted in Congressional hearings and legal ramifications since California laws prohibit obtaining phone records without consent.

In accordance with those laws, California Attorney General Bill Lockyer filed criminal charges against Dunn as well as the HP attorney — who was instrumental in green lighting the investigation — and three private investigators. The felony charges include: identity theft, fraudulent wire communications, wrongful use of computer data and conspiracy to commit these crimes. Each of the four charges holds a maximum jail sentence of three years.

Additional legal consequences include a lawsuit filed by Verizon Wireless in Federal District Court in New Jersey suing the investigators who obtained phone records through pretexting. The suit, which asks for unspecified monetary damages, states the "defendants used fraud, trickery and deceit to access confidential information."

Ethical Guidelines for Protecting Confidentiality

While board members bear a fiduciary responsibility to protect company trade secrets, a board must also have a high level of trust among its members to operate effectively. Leaking confidential company information is understandably unacceptable but efforts to trace a leak must be handled within a framework of appropriate corporate governance. Below are some general guidelines companies can follow to assure a proper balance between protecting secrets and respecting the rights of board members.

1

 Establish Firm Confidentiality Standards – Remind board members on a regular basis of the level of confidentiality they must retain in all situations. Leaking conversations held within the boardroom to outside sources jeopardizes the company and its shareholders, as well as the ability of the board to function in an atmosphere of openness and trust.

2

Encourage Open Boardroom Discussions of Minority Viewpoints – A board member may be most likely to break confidentiality when that member feels that his or her viewpoint is not being heard. Confidentiality may be breached in an effort to get that perspective across to a broader audience. This transgression is less likely if the group engenders loyalty and board members feel their viewpoints are valued and justly considered in discussions.

3

Follow the Letter of the Law – Unless board members have waived their rights, they are entitled to the same privacy as other citizens. Full disclosure is required, and permission necessary, to access private information or personal records of a board member.

Strive to Take The High Ground

It has been reported that when a member of HP’s Oversight Committee learned of the pretexting tactics, he warned HP’s Chief Ethics Officer in an e-mail: “I have serious reservations about what we are doing ... it leaves me with the opinion that it is unethical and probably illegal.” He implored HP ethical leadership to “refocus our strategy and proceed on the high ground course.”

Sadly, these warnings went unheeded but they remain a cautionary tale as well as a guideline for the future. When confidentiality is breached, a board has every right to act to protect company secrets provided that the privacy rights of board members and others are not violated.