The session will focus on fallout from the news that HP chairwoman Patricia Dunn launched a probe into boardroom leaks to news organizations that included authorizing a team of independent electronic-security experts to spy on the records of phone calls made from directors’ personal accounts, including home phone records. A Hewlett-Packard spokesman declined to comment on whether a meeting had been scheduled.
HP filed a document with the SEC before dawn Wednesday that confirmed it had hired an outside consultant to perform the data mining as part of a leak probe. HP also disclosed to the SEC that the California attorney general had begun an investigation into the probe and that the company had pledged its cooperation. On Thursday, HP also acknowledged that the company had also accessed the phone records of several reporters who cover the company. “We are absolutely horrified that the records of journalists were accessed without their authorization,” an HP spokesman said.
Dunn launched her probe after the online technology site CNET published an article in January about the long-term strategy at HP. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. Dunn told another director that she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005.
On May 18, at HP headquarters in Palo Alto, Calif., Dunn told the board she had found the leaker. According to Tom Perkins, an HP director who was present, Dunn laid out the surveillance scheme and pointed out the offending director, identified in HP’s SEC filing as George (Jay) Keyworth II. He acknowledged being the CNET leaker, apologized and told fellow board members, “I would have told you all about this. Why didn’t you just ask?” Keyworth was then asked to leave the boardroom, and did so, according to Perkins.
Close to 90 minutes of heated debate followed, but Perkins, a Silicon Valley venture capitalist, says he was the only director who rose to take Dunn on directly. Perkins says he was enraged at the surveillance, which he called illegal, unethical and a misplaced corporate priority on Dunn’s part. In an interview with NEWSWEEK, Perkins says he was particularly annoyed since he chaired the HP board’s Nominating and Governance Committee and had not been informed by Dunn of the surveillance, even though, he says, she had told him for months that she was attempting to discover the source of the leak.
After a divided board passed a motion asking Keyworth to resign, Perkins closed his briefcase, announced his own resignation and walked out of the room. In media mentions the next day, Perkins’s sudden resignation was noted but without explanation and without any indication that his departure was a form of protest. According to Perkins, Keyworth refused to resign, saying it was up to shareholders to make such a decision. HP said in its SEC filing on Wednesday that it would not nominate him for another term.
Any time a director resigns from a U.S. public corporation, federal law requires the company to disclose it to the SEC, in what’s called an 8-K filing. If the director resigned for reasons related to a “disagreement” with the company about “operations, policies or practices,” that, too, is now required. HP reported Perkins’s resignation to the SEC four days after it happened—back in May—but gave no reason for the resignation, instead including only a press release thanking Perkins for his years of service.
In early August, Perkins—represented by his own non-HP lawyer, Viet Dinh, a former Bush administration official—formally asked the SEC to force HP to publicly file his written explanation for resigning. After the dispute was reported on Newsweek.com on Sept. 5 and subsequently in other media outlets, HP made its filing with the SEC.
The entire episode—beyond its impact on the boardroom of a $100-billion company, Dunn’s ability to continue as chairwoman and the possibility of civil lawsuits claiming privacy invasions and fraudulent misrepresentations—raises questions about corporate surveillance in a digital age.
The HP case specifically also sheds another spotlight on “pretexting,” a questionable tactic used by security consultants to obtain personal information. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number, and the like. Pretexting is heavily marketed on the Web.
Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number and heartfelt plea to get the details of an account. According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit. Pretexting, the FTC site states, “is against the law.” The FTC and several state attorneys general have brought enforcement actions against pretexters for allegedly violating federal and state laws on fraud, misrepresentation and unfair competition. One of HP’s directors is Larry Babbio, the president of Verizon, which has filed various actions against pretexters.
In its SEC filing, HP said that its outside counsel had concluded that the use of pretexting “was not generally unlawful (except with respect to financial institutions),” but that counsel “could not confirm that the techniques” used by pretexters doing the HP investigation “complied in all respects with applicable law.” Legal experts vary in their views on the extent to which pretexting is a violation of criminal law. The Gramm-Leach-Billey Act of 1999 bars a range of fraudulent activity related to financial records, but its applicability to phone records is unclear. Experts agree that pretexting is often used to accomplish identity theft—to borrow money or buy merchandise—that clearly is criminal. But the pretexting itself may be harder to prosecute. Civil liability would seem to be much more a risk for pretexters as they obviously engage in an invasion of privacy, achieved through misrepresentation.
