“Pretexting” is the acquisition of customer records from telecommunications carriers by fraudulent means, most commonly by pretending to be the phone customer whose information is sought. The Hewlett-Packard (“HP”) scandal, which erupted this fall and grabbed national headlines, made pretexting famous, but the practice has been a problem for years.
The issue actually came to the attention of Congress, the Federal Trade Commission (“FTC”), the Federal Communications Commission (“FCC”) and state legislatures and regulators last year when the Electronic Privacy Information Center (“EPIC”) filed a report with the FCC pointing out the existence of numerous websites advertising the sale of personal phone records.
During 2006, fifteen states, including California, passed laws banning pretexting to obtain phone records; the FTC brought enforcement actions under its unfair and deceptive trade practice authority against five online data brokers that were selling phone records; numerous state Attorneys General took action against data brokers under “little FTC Act” laws; and the FCC proposed new rules (discussed below) applicable to telecommunications carriers designed to further safeguard consumer phone records. At the beginning of the year, nearly a dozen bills addressing pretexting were introduced in Congress. The House unanimously passed H.R. 4709, the Telephone Records and Privacy Protection Act of 2006, in April, but the bill languished in the Senate throughout most of the rest of the year, gaining new life after the public revelation of HP’s pretexting in connection with its investigation of media leaks.
On December 9, 2006, the Senate approved H.R. 4709 by unanimous consent. Among other things, the statute imposes criminal liability for those who intentionally purchase or receive, or attempt to purchase or receive, customer phone records, with knowledge or reason to know that the information was obtained fraudulently. Despite criticisms of H.R. 4709 by consumer groups who object to the exception for law enforcement and who prefer the approach in other bills requiring extensive new safeguarding requirements for telecommunications carriers, the President is expected to sign the bill.