<b>Online Exclusive:</b> Hewlett-Packard CEO Resigns over Possibly Illegal Investigation of Board Members, Reporters

The recent announcement that Patricia Dunn, CEO of Hewlett-Packard Co. ('HP'), will resign, effective January 2007, should remove any lingering doubt about the power of privacy issues to damage corporations and corporate executives. Dunn's resignation came little more than a week after HP noted in a Securities and Exchange Commission filing that investigators working for company executives had possibly used illegal means to identify which Board member was apparently providing information to news reporters. The investigators allegedly used pretexting ' pretending to be phone company customers ' to obtain phone records of reporters, which were then used to find out which HP Board member had contacted them.

'This is the scandal of the day,' said Mark Rasch, a computer security and privacy lawyer in Bethesda, MD, who works with corporations to develop privacy policies and to conduct internal leak investigations. 'What's unique is that it involves a high-profile Silicon Valley company, and that the corporate intrigue has become so public. But these types of disputes between boards and executives happen all the time.'

In this case, the corporation's internal difficulties could result in indictments. California Attorney General Bill Lockyer said that he is ready to bring indictments against HP Board members, as well as the investigators hired by the company. Lockyer told reporters that California's laws against ID theft were violated in the investigation.

Dunn allegedly authorized the leak investigation in 2005 to uncover what she termed 'persistent disclosure of confidential information from within [our] ranks.' But she denied that she encouraged an illegal breach of board members' or reporters' privacy in order to obtain information, and she tried to deflect the blame for the improper investigative techniques. In a public statement about her resignation, Dunn said, 'Unfortunately, the investigation, which was conducted with third parties, included certain inappropriate techniques. These went beyond what we understood them to be, and I apologize that they were employed.'

Those statements rang hollow for George Keyworth II, the Board member who was the source of the leaks. Keyworth resigned along with Dunn, though he, too, challenged the notion of his culpability in the scandal. 'The invasion of my privacy and that of others was ill-conceived and inconsistent with HP's values,' he said. 'I acknowledge that I was a source for a CNET article that appeared in January 2006. I was frequently asked by HP corporate communications officials to speak with reporters ' both on the record and on background ' in an effort to provide the perspective of a longstanding board member with continuity over much of the company's history.'

Legislative Fallout Possible

In addition to the possible lawsuit by California Attorney General Lockyer, HP's alleged actions have aroused the interest of the U.S. House's Committee on Energy and Commerce. On Sept. 11, Committee Chair Joe Barton (R-TX) sent a letter to Dunn, seeking, among other things:

• The names of the firms that conducted investigations of board members;
• What HP asked those firms to do;
• Who was investigated;
• Reports generated by the investigators; and
• Information about the role played by HP's counsel, Wilson Sonsini Goodrich & Rosati.

Barton's letter requested the information by Sept. 25, and indicated that the committee's staff will conduct follow-up interviews.

The Bigger Picture

Privacy attorney Rasch said that the controversy brings to light the same types of privacy issues that individuals face daily. 'All sorts of times there are people who want to find out something about another person, whether it's in a divorce, or a lawsuit, and so on,' he said. 'They hire lawyers, and the lawyers ' with a wink and a nod ' hire investigators to get the information. I believe that the law firm and the company that hires the law firm have a legal and moral obligation to know how the information is obtained, and to make sure it is through legal means.'

However, Rasch said that companies' willingness to work on the margins of the law is quite common in his experience. 'Let's say that somebody posts defamatory or confidential information about a company online, and they come to me to find out who it is,' he said. 'I tell them that the legal way to get the information is through a subpoena. But they respond that investigators have told them there are other ways ' Until lawyers start going to jail for not asking what their investigators are doing, this isn't going to stop.'

If he was advising HP, Rasch said he would have recommended the company begin by interviewing the Board members about the leak (which the company says it did at one point in the investigation). 'If you believe the leaks are actionable ' and in this case they could very well be, because Board members have a fiduciary duty not to disclose certain information ' then you do the interviews. After that, you subpoena phone records, if necessary,' said Rasch. 'If a Board member has lied in the investigation, then you can fire him for lying to you.'

Pretexting, which attorney general Lockyer asserts is illegal, can be difficult to prosecute, said Rasch. 'Is pretexting illegal?' he asked. 'If pretexting is fraud, then the answer is yes. Fraud is the misrepresentation to obtain something of value. But what about phone records? Are they your personal property? Courts have ruled that they are the phone companies' property ' but they are reluctant to [rule that] each individual bit of information about your calls is your property.'

The recent announcement that Patricia Dunn, CEO of Hewlett-Packard Co. ('HP'), will resign, effective January 2007, should remove any lingering doubt about the power of privacy issues to damage corporations and corporate executives. Dunn's resignation came little more than a week after HP noted in a Securities and Exchange Commission filing that investigators working for company executives had possibly used illegal means to identify which Board member was apparently providing information to news reporters. The investigators allegedly used pretexting ' pretending to be phone company customers ' to obtain phone records of reporters, which were then used to find out which HP Board member had contacted them.

'This is the scandal of the day,' said Mark Rasch, a computer security and privacy lawyer in Bethesda, MD, who works with corporations to develop privacy policies and to conduct internal leak investigations. 'What's unique is that it involves a high-profile Silicon Valley company, and that the corporate intrigue has become so public. But these types of disputes between boards and executives happen all the time.'

In this case, the corporation's internal difficulties could result in indictments. California Attorney General Bill Lockyer said that he is ready to bring indictments against HP Board members, as well as the investigators hired by the company. Lockyer told reporters that California's laws against ID theft were violated in the investigation.

Dunn allegedly authorized the leak investigation in 2005 to uncover what she termed 'persistent disclosure of confidential information from within [our] ranks.' But she denied that she encouraged an illegal breach of board members' or reporters' privacy in order to obtain information, and she tried to deflect the blame for the improper investigative techniques. In a public statement about her resignation, Dunn said, 'Unfortunately, the investigation, which was conducted with third parties, included certain inappropriate techniques. These went beyond what we understood them to be, and I apologize that they were employed.'

Those statements rang hollow for George Keyworth II, the Board member who was the source of the leaks. Keyworth resigned along with Dunn, though he, too, challenged the notion of his culpability in the scandal. 'The invasion of my privacy and that of others was ill-conceived and inconsistent with HP's values,' he said. 'I acknowledge that I was a source for a CNET article that appeared in January 2006. I was frequently asked by HP corporate communications officials to speak with reporters ' both on the record and on background ' in an effort to provide the perspective of a longstanding board member with continuity over much of the company's history.'

Legislative Fallout Possible

In addition to the possible lawsuit by California Attorney General Lockyer, HP's alleged actions have aroused the interest of the U.S. House's Committee on Energy and Commerce. On Sept. 11, Committee Chair Joe Barton (R-TX) sent a letter to Dunn, seeking, among other things:

• The names of the firms that conducted investigations of board members;
• What HP asked those firms to do;
• Who was investigated;
• Reports generated by the investigators; and
• Information about the role played by HP's counsel, Wilson Sonsini Goodrich & Rosati.

Barton's letter requested the information by Sept. 25, and indicated that the committee's staff will conduct follow-up interviews.

The Bigger Picture

Privacy attorney Rasch said that the controversy brings to light the same types of privacy issues that individuals face daily. 'All sorts of times there are people who want to find out something about another person, whether it's in a divorce, or a lawsuit, and so on,' he said. 'They hire lawyers, and the lawyers ' with a wink and a nod ' hire investigators to get the information. I believe that the law firm and the company that hires the law firm have a legal and moral obligation to know how the information is obtained, and to make sure it is through legal means.'

However, Rasch said that companies' willingness to work on the margins of the law is quite common in his experience. 'Let's say that somebody posts defamatory or confidential information about a company online, and they come to me to find out who it is,' he said. 'I tell them that the legal way to get the information is through a subpoena. But they respond that investigators have told them there are other ways ' Until lawyers start going to jail for not asking what their investigators are doing, this isn't going to stop.'

If he was advising HP, Rasch said he would have recommended the company begin by interviewing the Board members about the leak (which the company says it did at one point in the investigation). 'If you believe the leaks are actionable ' and in this case they could very well be, because Board members have a fiduciary duty not to disclose certain information ' then you do the interviews. After that, you subpoena phone records, if necessary,' said Rasch. 'If a Board member has lied in the investigation, then you can fire him for lying to you.'

Pretexting, which attorney general Lockyer asserts is illegal, can be difficult to prosecute, said Rasch. 'Is pretexting illegal?' he asked. 'If pretexting is fraud, then the answer is yes. Fraud is the misrepresentation to obtain something of value. But what about phone records? Are they your personal property? Courts have ruled that they are the phone companies' property ' but they are reluctant to [rule that] each individual bit of information about your calls is your property.'