5 Things About Corporate Investigations That Won’t Change
{As a Result of the Hewlett-Packard Scandal}
By Sarah D. Scalet

On May 24, 2006, Hewlett-Packard's director of ethics sent out an internal memo stamped "Attorney-Client Privileged" that contained 12 pages' worth of detective work that would make any sleuth stand proud.

The memo, sent by Kevin T. Hunsaker to the company's CEO, general counsel and board of directors (and made public after a congressional hearing this past September), summarized the work that a group of HP investigators had done to determine an unnamed source for an article published by CNET on Jan. 23, 2006. The article contained details about a board meeting that HP chairwoman Patricia Dunn did not want made public. In painstaking detail, the investigative team laid out its findings.

Investigators had analyzed 10,000 news articles about HP published over a six-year time frame and indexed 1,000 articles written by the CNET reporter, Dawn Kawamoto. They had reviewed all the documentation that the board of directors had generated and relied upon for the meeting, as well as information about the meeting that was available publicly or to other HP employees. They had conducted extensive searches of HP's e-mail and Internet servers, and interviewed employees and board members in grueling detail about specific information that had been leaked to CNET and other publications over the years.

By page 13 of the memo, the case seemed pretty well sealed up. Investigators picked apart the language and facts for which Kawamoto cited an unnamed HP source, with the pool of possible sources dwindling down to one. In 2002, the "source" knew details about a licensing agreement with Intel in 1993; only two current board members would know those details. In 2003, the "source" spoke in glowing terms of HP's portfolio of patents; this was a favorite talking point of one board member. In 2006, the "source" used the term lectures, "an academic term, rarely used in the business environment"; only one board member had an academic background. In 2001, one board member had cultivated a relationship with Kawamoto, at former CEO Carly Fiorina's request, to promote HP's merger with Compaq. And so it went. In each instance, that board member was George W. Keyworth II.

The evidence was largely circumstantial, but this wasn't a criminal case. This was an internal investigation meant to help chairwoman Dunn and CEO Mark Hurd plug the leaks.

The trouble began when investigators sought to put the final nails in Keyworth's coffin. "...[A]t 5:25 p.m. PST on January 18, 2006...a call was made from Kawamoto's cell phone to Keyworth's home in Piedmont, California," reads a sentence on page 13. "The call lasted approximately one minute."

There began a litany of details from private phone records that no scrupulous investigator would have been able to obtain without help from law enforcement. The 12 pages of material that would make any investigators stand tall were actually embedded in an 18-page document that also spoke of things more likely to make them slouch in their seats—covert intelligence gathering, video surveillance and "third-party phone information."

Yet it was an effective campaign. By page 17, Keyworth had admitted to investigators and the board that he was the source, explaining, in investigators' words, that "he thought it was in the best interests of HP for the information in the January 23 article to be made public." Keyworth would soon resign.

What followed is painfully well-known. Felony charges from the California Attorney General against five people who allegedly were involved with accessing private phone records under false pretenses. Several resignations, including Hunsaker, Dunn and Anthony Gentilucci, manager of global security investigations. Congressional hearings where some HP executives pleaded the Fifth Amendment and some lawmakers compared the scenario to Enron and Watergate. Salacious details of how investigators trailed a board member from California to Colorado, used e-mail tracing technology unknown outside of the marketing and investigations worlds, and even considered planting spies in newsrooms. Hurd's very public apology. A $14.5 million settlement HP reached with California to resolve civil claims in the case. (HP refused to comment for this story.)

The HP investigation was expensive, invasive, out of scale with the problem and largely unnecessary. In short, it is probably the stupidest thing HP has ever done. And that's exactly why, despite what some may hope, it is unlikely to have a lasting impact on how corporations run investigations.

To those who say that HP will change everything, we say, yeah right. Instead, we proffer five things that the HP investigation won't change—at least, not in the way one might expect.

Assumption #1 This is a wake-up call to corporate America about the risks of botched investigations.

As the scandal unfolded, Bill Wipprecht, CSO of Wells Fargo in San Francisco, worked on some elevator "talking points." In between floors 1 and 12, he says, "When other executives say, 'What do you think of that?' you have to be able to respond instead of just fumbling for your keys."

For his part, Wipprecht likes to say that because the media benefits from leaks, journalists didn't focus on what Keyworth did wrong. He also asserts that because Wells Fargo is in a highly regulated industry, his investigations group doesn't take any chances by using risky techniques that wouldn't, as he puts it, play well on the evening news. "We're already overregulated, and we think we're knowledgeable about all the laws," says Wipprecht, whose group typically investigates things such as cash shortages, mortgage fraud and expense abuse.

Likewise, the senior director of loss prevention at Luxottica Retail, who's a member of the ASIS Retail Loss Prevention Council, insisted that he hadn't experienced any extra scrutiny on the investigations his group runs, which are typically background checks on new employees or investigations into thefts from stores.

"I have no intention of scaling back, because I know our investigations are done under guidelines and the law," says Alan Greggo, whose company operates 4,600 retail locations including LensCrafters, Pearl Vision and Sunglass Hut. Checks and balances are key, he says. Any use of the company's camera system, for instance, must be approved by a senior director and the legal department; results of investigations must be reviewed by a director-level loss prevention associate to make sure evidence is used properly.

Elsewhere, CSOs were looking at their policies and largely concluding that they had appropriate guidelines in place. Recruiter Kathy Lavinder, executive director of Security and Investigative Placement Consultants in Bethesda, Md., says some of her clients were dusting off their policies, pushing them out to their chains of command, and emphasizing that certain tactics—such as pretexting to obtain private telephone records—were not allowed. She adds that no one she talked to had indicated they ever permitted such activities. But she didn't seem convinced that the HP investigation would necessarily result in any seismic changes.

"I think there'll be a lot of talk," Lavinder predicts. "In some cases it will be genuine, and in some cases it will be window dressing. A certain number of senior executives want to do what they've always done, which is to some extent turn a blind eye, particularly if an investigation is outsourced. Don't ask, don't tell. That's a risky strategy, but I think we'll see some of that as well."

What makes this easy to do, given the circumstances, is that the HP case appears to be an outlier—something so outlandishly awful that the industry can shrug its collective shoulders and simply disregard it. Companies can say, "It won't happen to us," because it probably won't. Furthermore, if people with lots of money and power are committed to a project that constitutes an epic lapse in judgment, it's very difficult to stop them. Sad, but true. Reality check: For better or worse, HP is a talking point, not an industry-changing event.

Assumption #2 Companies will quit exposing themselves to the risks of third-party investigators, who themselves may outsource some investigations work.

If the execution of the HP investigation was an outlier, it was also an extremely unusual operation from the get-go. After all, an investigation involving board members is not an everyday job even for the most seasoned internal fraud examiner or loss prevention specialist. In fact, it's the very kind of specialized task that probably ought to be outsourced.

"Third-party investigators are an important part of the process that corporate America and retailers use," says Joe LaRocca, VP of loss prevention for the National Retail Federation, a lobbying group in Washington, D.C. If you want to find out if a potential hire has a criminal history, for instance, you might hire a firm with expertise in researching public records. "You're going to go to a third party because they're the experts in getting the information."

"I don't think of it as outsourcing," says Regis Becker, director of global security and compliance at PPG Industries, the Pittsburgh-based industrial manufacturer. "We use what we call 'stringers'"—highly competent retired agents from the military, FBI and Secret Service who set up small investigative shops. "They have the training, they understand the law and they don't have to be briefed on every detail. Everybody is working from the same page."

Most often, this large stable of seasoned investigators available for contract work makes the use of third-party investigators simply a good business practice. If HP had had only its internal investigators working the case, rather than turning to third parties, people would be questioning that decision, too.

"A good outside law firm would say, Why do you have your loss-prevention and anti-piracy guys doing this? What do they know about it?" says David Caruso, founder of the Dominion Advisory Group, who was brought in as executive vice president of compliance and security at Riggs Bank after the Augusto Pinochet money laundering scandal in 2003.

Of course, people in the security world have always known that sometimes this method is used to keep less savory investigative techniques at arm's length. Just think back to the infamous P&G Dumpster diving case in 2001. The consumer goods company paid Unilever $10 million after being caught hiring a competitive intelligence firm to conduct an investigation that involved going through its rival's trash.

It's up to CSOs to make sure that their companies choose firms carefully and monitor them well. "If you have to hire a contractor to run investigations," Caruso warns, "you have to actively manage what you're doing." But that's nothing new, either. Reality check: Companies should monitor their third-party investigators, but it would take a lot more than HP's black eye to make them move investigations in-house.

Assumption #3 Congress will pass an antipretexting law because of the revelation that HP investigators obtained phone records using false identities.

"Are you familiar with the term 'pretexting?'" Rep. Joe Barton (R-Texas) asked one of the witnesses who had been called to testify before a House Energy and Commerce subcommittee, not about the HP investigation but about consumer privacy. "There are companies now," he continued, "that are in existence to proactively invade your privacy and sell the results of their ill-gotten gains to anybody with 100 bucks."

Rep. Barton should know. After extensive hearings on pretexting, he and 29 cosponsors—both Republican and Democrat—already had introduced legislation, H.R. 4943, to "prohibit fraudulent access to telephone records." The bill had passed Barton's committee unanimously. Several competing pretexting bills had been introduced. A bipartisan Senate bill, S. 2178, would "make the stealing and selling of telephone records a criminal offense." Another House bill, H.R. 4709, set criminal penalties for obtaining phone records under false pretenses.

The date of this particular hearing at which Barton brought up pretexting was June 20, 2006—a full three months before HP executives would again find themselves on the stand at another hearing that involved telephone pretexting. Rep. Barton had introduced his legislation back in March 2006; competing bills were introduced even earlier, and H.R. 4709 won unanimous House approval in April 2006.

Although he wasn't questioned about pretexting, Scott Taylor, the chief privacy officer of HP, spoke that day of his company's commitment to protecting the personal information it collects about customers. "[P]rivacy is actually a core value at HP," he said.

The HP investigation scandal brought new awareness to pretexting for telephone records, but the fact is that Congress was already well aware of the practice and was taking steps to criminalize it. Indeed, as far back as 2000, a committee had investigated why pretexting—yes, they used that exact word—for personal banking records was still proving successful despite the passage of privacy provisions in the Gramm-Leach-Bliley Act.

The federal telephone pretexting bills stalled, however, and even the HP hearings in September didn't budge them. It wasn't until after the elections, on Dec. 8, 2006, that the Senate passed H.R. 4709, advancing the bill to the White House. What HP did make clear was that everyone agrees on the need for a federal law clarifying who can and cannot access phone records. Enforcing it will be another story.

Reality check: Federal law protecting the privacy of customer phone records is likely, but it was already in the works. Assumption #4 Investigators will stop using telephone call records to build cases. Let's be clear here. Telephone records are a routine part of investigations, and no single law is going to change that. Company phone records, for instance, are routinely used for internal investigations, and no one blinks an eye. Employees simply don't have a reasonable expectation of privacy about calls they make and receive on company phone systems.

Likewise, phone records are also routinely used for investigations done by law enforcement, especially after the passage of the USA Patriot Act. Sometimes records are obtained with subpoenas; other times they're released as a courtesy. Large telecommunications companies even have staffs in charge of responding to these requests for telephone and ISP records.

A law protecting private phone records would make it more difficult to obtain records outside of those two circumstances. But no one thinks it will stop the practice. It'll just change how individuals weigh the risks and possible rewards of accessing such records.

"I think the HP case will turn people away from phone records, but in a cheating spouse situation or with a business partner gone bad, I think people are going to take that upon themselves to hunt around for that information," the National Retail Federation's LaRocca says.

"There are always people out there who can get you any kind of information, anytime, anywhere, and if you hire those people they'll get it for you," Wells Fargo's Wipprecht says. "The question is, do you really want to know?" Reality check: There are legitimate ways to obtain private phone records, and the illegitimate ways won't disappear overnight.

Assumption #5 Companies will hire law firms, not investigations firms, so that investigations are done by the book.

Investigative firms aren't the only ones hired to do investigations. There's a booming business right now for law firms that do investigations—and that's not going to change.

"A lot of investigations that would have been handed out to a small investigative boutique will instead go to a reputable law firm," predicts Lavinder of Security and Investigative Placement Consultants, noting that this is a trend she's been observing for a while.

These are firms such as the New York City-based Debevoise & Plimpton, which did an internal investigation into whether Merck executives knew about dangers of the arthritis drug Vioxx; and WilmerHale, the firm based in Washington, D.C., that was recently in the news for its investigation into how stock options were granted at UnitedHealth. Firms like these use different methods than investigations firms.

"We have a lot of clients who turn to us to do investigations, but they're not going to go out and find somebody's phone records," says one attorney who works on white-collar investigations for a large law firm, who spoke on condition that he not be identified. "Normally, the heart of the internal investigation work we do is, the company is giving you access to e-mail systems and documents and access to employees as well, usually who are required to cooperate with you on the pain of being fired if they don't." By their very nature, law firms collect evidence to be used in court. Investigations firms, on the other hand, may want information merely to put them on the right trail, whether it's permissible as evidence or not. Either way, though, there's a huge gray area of things that can be done legally but are widely considered unethical—and neither group has the monopoly on ethics. "Being an attorney makes you no more ethical than anybody else in the investigations business," Wipprecht quips.

There is one big difference, however. Investigations done by law firms are decidedly more expensive than ones done by investigative firms. Debevoise & Plimpton's investigation into Vioxx reportedly took 20 months and cost $21 million. If companies do turn increasingly to law firms, it will be because they have other ways to justify the cost.

And what would that be? "Law firms have always been used principally to make sure the information gathered is covered by attorney-client privilege," Becker says.

It's not a foolproof strategy, though. That HP memo we recounted earlier? Each and every page of it carried a stern warning: "Attorney-Client Privileged."

Reality check: Investigations done by law firms are too expensive to justify just for the investigation's sake. Reach Senior Editor Sarah D. Scalet at sscalet@cxo.com.

[Read Other News]