“Pretexting” is the acquisition of customer records from telecommunications carriers by fraudulent means, most commonly by pretending to be the phone customer whose information is sought. The Hewlett-Packard (“HP”) scandal, which erupted this fall and grabbed national headlines, made pretexting famous, but the practice has been a problem for years.
The issue actually came to the attention of Congress, the Federal Trade Commission (“FTC”), the Federal Communications Commission (“FCC”) and state legislatures and regulators last year when the Electronic Privacy Information Center (“EPIC”) filed a report with the FCC pointing out the existence of numerous websites advertising the sale of personal phone records.
During 2006, fifteen states, including California, passed laws banning pretexting to obtain phone records; the FTC brought enforcement actions under its unfair and deceptive trade practice authority against five online data brokers that were selling phone records; numerous state Attorneys General took action against data brokers under “little FTC Act” laws; and the FCC proposed new rules (discussed below) applicable to telecommunications carriers designed to further safeguard consumer phone records. At the beginning of the year, nearly a dozen bills addressing pretexting were introduced in Congress. The House unanimously passed H.R. 4709, the Telephone Records and Privacy Protection Act of 2006, in April, but the bill languished in the Senate throughout most of the rest of the year, gaining new life after the public revelation of HP’s pretexting in connection with its investigation of media leaks.
On December 9, 2006, the Senate approved H.R. 4709 by unanimous consent. Among other things, the statute imposes criminal liability for those who intentionally purchase or receive, or attempt to purchase or receive, customer phone records, with knowledge or reason to know that the information was obtained fraudulently. Despite criticisms of H.R. 4709 by consumer groups who object to the exception for law enforcement and who prefer the approach in other bills requiring extensive new safeguarding requirements for telecommunications carriers, the President is expected to sign the bill.
H.R. 4709 makes it a crime for anyone, in interstate commerce, to knowingly and intentionally obtain, or attempt to obtain, a customer’s “confidential phone records information” from a “covered entity” by 1) making false or fraudulent statements or representations to an employee of a covered entity; 2) making such false or fraudulent statements or representations to a customer of a covered entity; 3) providing a document to a covered entity knowing that such document is false or fraudulent; or 4) accessing customer accounts of a covered entity via the Internet, or through computer fraud, without prior authorization from the customer to whom the records relate. The law also imposes criminal penalties for recipients, purchasers, and transferors of such customer information who know, or should know, that the information was obtained fraudulently. These provisions are subject to the exceptions listed in 47 U.S.C. § 222(d), covering use of customer information by phone companies for billing, fraud prevention and to provide customer service on an inbound telephone call.
“Covered entities” are defined as entities that qualify as “telecommunication carriers” under the Communications Act of 1934, 47 U.S.C. § 153, and providers of IP-enabled voice services. For purposes of the statute, “confidential phone records information” means information that
1) relates to the quantity, technical configuration, type, destination, location, or amount of use of a service offered by a covered entity, subscribed to by any customer of that covered entity, and kept by or on behalf of that covered entity solely by virtue of the relationship between that covered entity and the customer;
2) is made available to a covered entity by a customer solely by virtue of the relationship between that covered entity and the customer; or
3) is contained in any bill, itemization or account statement provided to a customer by or on behalf of a covered entity solely by virtue of the relationship between that covered entity and the customer.
Because the term “service” is not defined, there is some ambiguity as to the scope of information meant to be covered by the legislation. Although the definition of “covered entities” is synonymous with “telecommunications carriers,” “confidential phone records information” apparently is not limited to “telecommunications” as defined in 47 U.S.C. § 153(43).
By contrast, the California pretexting statute, passed in September, specifically defines “telephone calling pattern record or list” as “information retained by a telephone company that relates to the telephone number dialed by the subscriber, or other person using the subscriber’s telephone with permission, or the incoming number of a call directed to the subscriber, or other data related to such calls typically contained on a subscriber telephone bill such as the time the call started and ended, the duration of the call, any charges applied, and any information described in subdivision (a) of Section 2891 of the Public Utilities Code whether the call was made from or to a telephone connected to the public switched telephone network, a cordless telephone, as defined in Section 632.6, a telephony device operating over the Internet utilizing voice over Internet protocol, a satellite telephone, or commercially available interconnected mobile phone service that provides access to the public switched telephone network via a mobile communication device employing radiowave technology to transmit calls, including cellular radiotelephone, broadband Personal Communications Services, and digital Specialized Mobile Radio.” “Telephone company” under the California statute means “a telephone corporation as defined in Section 234 of the Public Utilities Code or any other person that provides residential or commercial telephone service to a subscriber utilizing any of the technologies or methods enumerated” above.
The federal bill as passed is silent as to preemption.
Those prosecuted under the new law face a maximum fine of $500,000, imprisonment of up to ten years, or both. However, the law provides for enhanced penalties for those who either violate the new law in the course of committing another federal crime, or whose pretexting involves over $100,000 or 50 customers of a covered entity over a twelve month period. In such instances, the potential fine will be doubled and the prison term extended by up to five years. Also, the law provides enhanced penalties for those who knew that the information would be used in furtherance of a crime of domestic violence, other violent crimes, or the intimidation of law enforcement officers or witnesses.
The Hewlett-Packard Pretexting Settlement
The HP scandal blossomed after the company admitted in a September 6, 2006 Securities and Exchange Commission filing that outside investigators used pretexting to obtain phone records of journalists and HP directors. Beyond the damage to HP’s reputation, the unveiling of the investigators’ unscrupulous tactics resulted in an investigation by the California Attorney General and congressional hearings, ultimately leading to criminal charges against former HP Chairwoman Patricia Dunn, chief ethics attorney Kevin Hunsaker, and three outside investigators. Ms. Dunn and three HP executives, including former general counsel Ann Baskins and Mr. Hunsaker, lost their jobs.
On December 7, 2006, the California A.G.’s Office announced that it had entered into a settlement with HP resolving its investigation. The settlement does not resolve the pending criminal charges, but will cost the company $14.5 million.
The settlement contains two major components. First, HP must pay $13.5 million to establish in the Attorney General’s Office a new “Privacy and Piracy Fund” as well as $650,000 in civil penalties and $350,000 to cover the cost of the Attorney General’s investigation and related expenses. Second, HP agreed to permanently refrain from engaging in certain unlawful investigatory practices and to implement, for five years, corporate governance reforms that will improve in-house monitoring and oversight of any HP investigations. HP did not admit to wrongdoing under the settlement.
Privacy and Piracy Fund
The California Attorney General’s Office Privacy and Piracy Fund may be used by the Attorney General and other authorized prosecutors (primarily city and district attorneys) to combat violations of the public’s privacy and intellectual property rights. Up to $1 million of the original $13.5 million may be disbursed annually. Half of the annual disbursement ($500,000) is automatically allocated to the Attorney General’s Office to support law enforcement activities related to privacy and intellectual property rights.
Any unused funds may be carried over for use in subsequent years. The other $500,000 may be allocated to any authorized prosecutor to augment the prosecutor’s budget for investigating and prosecuting privacy and intellectual property rights violations. Funds that are not expended by the authorized prosecutor must be returned to the Fund.
Corporate Governance Reforms
In addition to permanently enjoining HP from engaging in certain unlawful information-gathering practices, the settlement requires HP to institute corporate governance reforms that will help ensure that the company complies with legal and ethical standards when it conducts investigations. These reforms include: appointing an independent director to oversee compliance issues; expanding the duties and responsibilities of the Chief Ethics and Compliance Officer (“CECO”) and the Chief Privacy Officer (“CPO”); creating a new Compliance Council chaired by the CECO; and strengthening the Company’s ethics and conflict-ofinterest training programs.
New FCC Rules Mandating New Safeguards for Telecommunications Providers Likely
Telecommunications carriers are already subject to extensive requirements to protect “customer proprietary network information” (“CPNI”), which is another term for phone records, under Section 222 of the Communications Act and longstanding FCC rules. As a result of the revelations by EPIC, however, the FCC began exploring how telecommunications providers could improve their security practices to better protect their customers’ phone records. On February 14, 2006, the FCC released a Notice of Proposed Rulemaking (“NPRM”) seeking comments on existing and new rules for protecting customers’ telephone records from unauthorized access. The NPRM requested information from telecommunications providers regarding their customary security practices, the inadequacies in those practices that allowed third parties to access customer records, and the kinds of security measures that would better protect customers’ information. The NPRM also sought comment on specific security proposals that EPIC urged the FCC to impose on telecommunications carriers, including:
initiation of consumer-set passwords;
establishment of audit trails;
encryption of stored data;
limitations on unnecessary data retention; and
notification to customers of any breach of their information.
The commenting period is over and the FCC has indicated it would like to adopt new rules before the end of the year. Consumer and privacy advocates are strongly urging the FCC to act given the lack of new requirements on carriers in H.R. 4709. Any new rules likely will be extended to voice over Internet protocol (“VoIP”) providers and have farreaching impact on the data security practices of telecommunications carriers.
Companies engaged in investigations should be mindful of the new state and federal legislation and regulations, particularly in dealing with outside investigators.