by CIO Staff

Corporate Leak Probes Tread Fine Line

Oct 03, 2006


In one telling moment during the recent congressional hearings on the Hewlett-Packard board scandal, ousted Chairwoman Patricia Dunn offered the “everybody does it” defense.

Asked by one legislator about HP’s hiring of private investigators who obtained phone records under false pretenses, a practice called pretexting, to identify who’d leaked confidential information, Dunn replied, “I believe these [pretexting] methods may be quite common at companies around the country.”

If so, that is chilling to business ethicist Kirk Hanson.

“As an ethicist, I’m horrified that HP’s managers relied on the assertion that it was borderline, but legal, and never asked whether it was ethical,” says Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University in Santa Clara, Calif.

If HP adopted what Hanson called “black ops” as standard investigative practices, he wonders how many other companies have done it.

HP, some of its employees and companies it hired to investigate boardroom leaks to news media still face potential civil and criminal liability for their actions. Other companies find themselves in a dilemma over how to control information within the law.

Companies may have a moral or legal responsibility to respect people’s privacy, but they also have a legal and fiduciary responsibility to protect confidential business information. And under the federal Sarbanes-Oxley Act in effect the last four years, they have obligations to investigate certain leaks, Hanson says.

Companies have a right to investigate their own employees if they’re suspected of leaking information. Employees should presume no right to privacy in their use of company computers, e-mail programs or telephones.

One commonly used tactic to probe security breaches doesn’t even involve electronic snooping. A company gives a suspected leaker, and no one else, information that seems important but is relatively benign. If that information turns up in the media, the company has identified the leaker.

But Hanson sees a bright line separating how a company can investigate its own employees and how it can investigate outsiders.

The HP reaction to leaks to reporters contrasts with the recent practice of Apple Computer when proprietary information got out.

Although Apple is known for its devotion to secrecy, it went to court rather than to private eyes when confidential information leaked in 2004. Apple, of Cupertino, Calif., sued in state court to force two websites to reveal sources for stories they posted about a possible new Apple product. A state appellate court ruled May 26 that the writers on those websites enjoy the same First Amendment rights as mainstream journalists and, thus, were protected by California’s shield law from having to reveal their sources. Apple dropped the case. It did not reply to a request for comment on this story.

The Sarbanes-Oxley Act requires companies to develop a whistle-blowing reporting system so employees can raise issues about improper behavior within the company, said Hanson. That has prompted companies to develop an investigative capability in the event improper or illegal activity is alleged. “So [under SOX], companies have developed much enhanced investigative capability,” he said.

Companies also have to keep confidential information safe because disclosure could be a criminal act or a breach of fiduciary responsibility, said Rob Enderle, senior analyst at Enderle Group, a technology market research firm.

If word leaks that a board is contemplating an acquisition, for instance, the company or people in it could be prosecuted for insider trading if people used that knowledge to make stock trades.

Given the potential liabilities, corporate investigations of leaks are “common,” said Enderle. “The stuff with the pretexting goes to the extreme, but looking at company phone records or e-mails, that is very common. Hiring an outside contractor is also common.”

In fact, leak investigations enjoy broad support among corporate directors.

In a September telephone survey of 226 board members at publicly traded companies in the United States, 73 percent said a company’s chairman should be empowered to use any legally available means to identify a board-level leaker, according to Ponemon Institute.

About 71 percent of the respondents said it would be OK for a board chairman to review the e-mail messages of other members, in addition to other types of confidential data stored on company computers. Fifty percent said that reviewing telephone records of individuals obtained via pretexting is proper as long as that approach hasn’t been outlawed.

But HP’s tactics of tailing reporters, attempting to install a tracer on a reporter’s e-mail program, pretexting the phone numbers of people outside the company and even considering planting spies in newsrooms as janitors or clerical workers are “bizarre” to Rick Belluzzo.

“The reaction by HP was totally out of proportion with the situation,” said Belluzzo, chairman and CEO of Quantum, a network storage equipment maker. His resume includes president of Microsoft and a 23-year stint at HP, where he rose to the position of executive vice president of its computer division.

While he understands the importance of keeping certain information confidential and making employees and directors sign confidentiality agreements, Belluzzo said HP overreacted to information leaks that are sometimes going to happen anyway.

“It’s an impossible task to control information flow. Some leaks are inevitable,” Belluzzo said.

-Robert Mullins, IDG News Service (San Francisco Bureau)
