Saturday, September 9, 2006
In just a few short days, Hewlett-Packard Co. has gone from newly-christened market darling to the focus of intensifying state and federal investigations spawned by the company's disclosure of an internal investigation of leaks that included "pretexting" to obtain private records of board members. Oddly enough, the details of the investigation were first revealed by the company in an 8-K filing (here) disclosing the reason why a current board member would not be renominated because it was determined that he had leaked information to reporters during the period when its prior CEO was being ousted. That disclosure stated:
HP’s Nominating and Governance Committee thereafter engaged the outside counsel to conduct an inquiry into the conduct and processes employed with respect to HP’s investigation of leaks of confidential information (the outside counsel was not involved in the investigations of the leaks initiated by the Chairman or the internal HP group). The Committee was advised that HP had engaged an outside consulting firm with substantial experience in conducting internal investigations and that this firm had retained another party to obtain phone information concerning certain calls between HP directors and individuals outside of HP. The Committee was further advised that the Chairman and HP had instructed the outside consulting firm to conduct its investigation in accordance with applicable law and that the outside consulting firm and its counsel had confirmed to HP that its techniques were legal. After its review, the Committee determined that the third party retained by HP’s outside consulting firm had in some cases employed pretexting. The Committee was then advised by the Committee’s outside counsel that the use of pretexting at the time of the investigation was not generally unlawful (except with respect to financial institutions), but such counsel could not confirm that the techniques employed by the outside consulting firm and the party retained by that firm complied in all respects with applicable law.
It turns out that advice from outside counsel may not be entirely correct. The California Attorney General has announced that one or more persons may have committed a crime, and the fact that the work was undertaken by agents of Hewlett-Packard means that the company will be on the hook for any criminal violations. The SEC is also investigating the company's disclosure in May of the resignation of another director, Tom Perkins, who had objected to the pretexting, that did not give any reasons for his decision.
An interesting question will be whether the case turns into a federal criminal investigation. There are a few possibilities for a federal prosecution, aside from a possible securities disclosure violation, which would be enough to launch grand jury subpoenas. There is a federal identity theft statute, 18 U.S.C. Sec. 1028, but only section (a)(7) arguably seems to apply: "Whoever . . . knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law . . . ." It would require finding another violation of federal or state law related to the identity theft used in the pretexting, but that is certainly possible. The computer fraud statute, 18 U.S.C. Sec. 1030, in (a)(2)(C) has a broad provision reaching any person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--information from any protected computer if the conduct involved an interstate or foreign communication . . . ." This crime does not require proof of any economic harm, and a "protected computer" is broadly defined to include a computer "which is used in interstate or foreign commerce or communication."
It's not clear whether the pretexting involved computer use, but if not, then there are the old, reliable friends of federal prosecutors everywhere: the mail and wire fraud statutes. While one would think that there was no fraud in pretexting in the sense of a theft from the victim, the Supreme Court's decision in Carpenter v. United States, 484 U.S. 19 (1987), could support a prosecution. The Court held that a scheme to deprive the Wall Street Journal of its confidential business information constituted a fraud designed to obtain "property" even though it was intangible and the victim lost nothing of monetary value. The pretexting to obtain a person's private telephone and internet communications records could conceivably fit into Carpenter's definition of property, and while it would be a stretch, that would not deter a federal prosecutor from initiating an investigation. I would not be surprised to hear in the next week or so that the U.S. Attorney's Office for the Northern District of California, which has taken an increasingly high-profile role in white collar investigations recently, issued grand jury subpoenas to the company and the various players in the case.
There is a second aspect of the case that is perhaps even more disturbing. The Wall Street Journal's Law Blog has reproduced a series of e-mails (here) between Larry Sonsini, perhaps the leading lawyer in Silicon Valley, and former board member Perkins, who raised questions about the legality of the internal investigation. The final e-mail is the most interesting, and potentially troubling for Sonsini. He wrote:
I looked into the conduct of the investigation and got a report from counsel at HP who was responsible for the effort. I confirmed his input by talking to Ann Baskins. Here is what I learned:
- There was no recording, review or monitoring or director e-mail.
- There was no electronic surveillance to monitor director communications.
- There was no phone recording or eavesdropping.
- The investigating team did not attempt to obtain the phone records of non-employee directors.
- The investigating team did obtain information regarding phone calls made and received by the cell or home phones of directors. This was done through a third party that made pretext calls to phone service providers. Apparently a common investigatory method which was confirmed with experts. The legal team also checked with outside counsel as to the legality of this methodology.
- There was no “secret spying” i.e. no electronic gear, listening devices, etc., were used.
It appears, therefore, that the process was well done and within legal limits. The concerns raised in your e-mail did not occur.
Let me know if you think I should proceed further.
This missive, giving Hewlett-Packard a clean bill of health, brings to mind a potentially analogous situation that occurred a few years ago. For those of you familiar with Mister Rogers' Neighborhood, "Can you say Vinson & Elkins?" This has all the hallmarks of a quick-and-dirty review based on limited consultations with in-house counsel and those with a stake in making sure that a potential whistleblower goes away quietly. Paragraph #5 is the key: was the outside counsel perhaps Mr. Sonsini's own firm, Wilson Sonsini, so that he would never question its conclusions? Does the fact that "everyone does it" really make it legal? While one might adopt such a view when dealing with financial professionals, wouldn't the fact that private investigators who might operate near the edge of the law require just a little bit more attention?
This is not Sonsini's first brush with a potential investigation involving his firm's role in advising corporations. He was a director at Brocade Communications and his firm helped draft that company's management compensation policy, including the award of bonuses. Recently, the company's former CEO and another executive were indicted for securities fraud related to options back-dating. Moreover, Wilson Sonsini advised a number of other companies caught up in the options-timing investigations by the SEC and federal prosecutors. It is certainly not always the case that where there's smoke there's fire, but this is a situation in which prosecutors, the SEC, and, inevitably, the shareholders -- through derivative suits that may already have been filed -- will demand answers from the board and Hewlett-Packard's outside counsel. Settle in, this one may last quite a while. (ph)