(Text for those without flash or javascript) Fulcrum's professionals are experienced CPAs, MBAs, ASAs, CFAs, affiliated professors and industry specialists Our expertise encompasses damages analysis, lost profit studies, business and intangible asset valuations, appraisals, fraud investigations, statistics, forensic economic analysis, royalty audits, strategic and market assessments, computer forensics, electronic discovery and analysis of computer data.
Fulcrum Inquiry

Lawful Alternatives To HP’s Investigation

November 2006
Library Sections:

In today’s environment, investigations are a required part of being a corporate director.  Investigations arise in a wide range of contexts, including alleged inappropriate accounting, violations of personnel practices, thefts of trade secrets, insider trading, M&A due diligence, and all sorts of potential corporate wrongdoing.  But, as demonstrated by HP’s recent troubles, corporate investigations must be performed properly.

In his felony indictment, the California Attorney General alleged that investigators acting on HP’s behalf used false pretenses to obtain telephone company records of thirteen HP Board members, and the media, all without those individuals’ knowledge.  The HP investigator pretended to be the owner of the information, and then requested duplicate copies of the desired records.  The phone vendors requested identifying information (like the last four digits of the social security number), which the HP investigator either had by virtue of the employment relationship with each of the directors, or had obtained separately.

Although not the basis for the HP indictment, California just passed SB 202, which is specifically directed at telephone records.  The new California law, which takes effect on January 1, 2007, outlaws releasing or using "any telephone calling pattern, record or list, without the written consent of the subscriber".  Similarly, New York just enacted the Consumer Communication Records Privacy Act (S. 6723) which became effective immediately. This law outlaws unauthorized acquisition of consumer telephone records.

How to Avoid HP’s Problems in Your Investigation

Written corporate security policies and related acknowledgments should clearly address the company’s rightful ability to monitor all communications that use the company’s telephone, computer, and other systems.  This allows the monitoring of email, internet use, and telephone use at the office.  Most companies already have such policies.

A greater challenge exists when personally owned computers, phones and other electronics are used for business-related purposes.  Such business use of personally owned devices is now common, especially among executives and professionals.  When this happens, the individuals being investigated need to know that the investigation is occurring, and separately consent to the use of the personal information.  In HP’s case, the investigators made no such disclosure, and obtained personal information by lying about their identity.

Creating pretexts, or the use of false pretenses to obtain information, is commonly use in investigations.  Masking one’s identity is not always unlawful.  However, in HP’s case, problems could have been easily avoided without any pretexts at all.

HP’s problems occurred because the wrong people and methods were employed.  Here are some alternative investigatory steps that HP could have used in this situation:

  1. The directors should have been approached directly with an explanation that leaks had occurred.  Directors should be educated regarding their obligation to keep information confidential.  (HP actually took this step, but then stopped when no director acknowledged that he was the leak source.)
  2. Each director should be asked to sign an affidavit stating that he (i) has not leaked any company information, and (ii) will resign if any portion of the affidavit is not true.
  3. If the above steps do not resolve the issue, the directors should then be asked to voluntarily produce the desired phone and email records.  Our experience is that the vast majority of potential investigation targets produce the desired records when in a business setting.
  4. Computer usage can be tracked by creating a forensic or mirror image of the information contained on a hard disc, and then analyzing the information contained on the copy.

Surveillance is generally lawful (and was used in HP’s case), but these tactics are generally unnecessary in an internal business setting.  Surveillance is usually more expensive, more time consuming, and causes greater reputation risks once the surveillance methods become public.

Fulcrum Inquiry is a licensed CPA firm that performs financial investigations and computer forensics.