Pretexting Legislation May Move Ahead in Congress

Legislation that would allow the U.S. Federal Trade Commission (FTC) to seek civil penalties against businesses that obtain personal data under false pretenses may soon get a vote in the U.S. House of Representatives.

The full House could vote on the Prevention of Fraudulent Access to Phone Records Act as soon as Friday or Saturday, Rep. Joe Barton, chairman of the House Energy and Commerce Committee, said Friday. Barton, a Texas Republican, asked the House leadership to move forward with the bill after lawmakers ripped into Hewlett-Packard (HP) officials Thursday for allowing the practice during an investigation into board leaks.

HP President and Chief Executive Officer Mark Hurd and former HP Chairwoman Patricia Dunn both testified Thursday that they did not know the details of how the leak investigation was conducted.

The pretexting legislation has been stalled since the House Energy and Commerce Committee unanimously approved it in March. The bill would allow the FTC to seek civil penalties against so-called pretexters, those who masquerade as a customer to gain access to phone records or other personal information.

Representatives of five mobile phone service carriers raised no objections to the bill during Friday’s hearing.

Lawmakers questioned if more businesses besides HP have used pretexting or other questionable investigative methods. “How do we, and how does corporate America, break this ethos that, if someone thinks that illegal or unethical activity … is acceptable, everybody else in a corporation goes along with it?” said Rep. Diana DeGette, a Colorado Democrat.

DeGette will explore ways to add new requirements to the Sarbanes-Oxley financial reporting law, she said.

Christopher Bryon, a columnist for the New York Post, told lawmakers Friday that he was a victim of pretexting four years ago, long before the HP investigation came to light. A facial-recognition software company hired a pretexter to gain access to his sources after he wrote a column about the company, Bryon said.

Pretexting appears to be a widespread practice among U.S. businesses, Bryon said. “This is not something I wanted my family to grow up with … wondering if your mail is being read, if your phone is tapped, if there’s a bug in your bedroom,” he said.

The FTC has filed five lawsuits against alleged pretexters, but the agency lacks the legal authority to seek civil damages, said Joel Winston, associate director of privacy and identity protection at the FTC. The FTC sought to recover pretexting-related profits in those cases, but additional civil penalties would give the agency an additional tool to use against identity thieves, he said.

A second pretexting bill, the Telephone Records and Privacy Protection Act, has passed the House, but the measure is hung up in the Senate over disagreements over the best approach. The House bill would make pretexting a crime, with a penalty of up to 10 years in prison.

Congress is scheduled to adjourn by early next week until after the Nov. 7 general election. Congress may come back into session late in the year to address unfinished business.

-Grant Gross, IDG News Service (Washington Bureau)

Keep checking in at our HP Spying Scandal page for more CIO.com coverage of this unfolding story.

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.