By Ellen Nakashima
Washington Post Staff Writer
Friday, September 8, 2006
Hewlett-Packard Co. said yesterday that private investigators it hired to find out who leaked confidential corporate information to the media had accessed private phone records of nine journalists who covered the company, without obtaining their permission.
HP would not disclose the reporters' names or identify their publications. The Wall Street Journal said one of its reporters, Pui-Wing Tam, was alerted by the California attorney general's office that her records may have been disclosed to HP. The New York Times reported that its reporter John Markoff also was a target. Technology news service Cnet reported yesterday that a Cnet reporter, Dawn Kawamoto, was notified that her phone records had been accessed.
"HP is dismayed that the phone records of journalists were accessed without their knowledge, and we are fully cooperating with the attorney general's investigation," Hewlett-Packard spokesman Ryan Donovan said.
California Attorney General Bill Lockyer said yesterday that "people in high positions" at Hewlett-Packard "could be involved in illegal activity."
"Do we think a crime occurred?" Lockyer said. "Yes."
But he said the attorney general's office was still trying to figure out "who did what, when."
Lockyer disclosed this week that he had begun a criminal investigation of methods used by HP's contractor to determine the source of a January leak to the media. The leak involved confidential board discussions about potential acquisitions and other corporate business. George A. Keyworth II, the board member who HP determined had leaked the information, resigned, as did another board member, who protested the methods used to determine the leaker's identity.
Unauthorized access to and use of personal records through computers violates California laws, Lockyer said.
"There's kind of been an admission of guilt by Hewlett-Packard," Lockyer said. He cited the company's disclosures in a filing with the Securities and Exchange Commission that it had obtained personal phone records of its own directors. Those records were obtained by a subcontractor and in some cases involved "pretexting," in which people pose as someone else.
Lockyer said HP's defense has been to say, "Well, we didn't know they were going to do it that way." That means "you have to understand more of who said what to whom, what were the expectations, what was the actual or imputed knowledge -- a lot of things we don't know yet."
Lockyer previously called the breach of phone records "colossally stupid." Yesterday he called the accessing of journalists' phone records "stupid cubed."
Privacy and consumer advocates said the controversy demonstrates the need for comprehensive laws that protect personal information from unauthorized access. The practice of faking identities to obtain personal information is escalating, as is the scope of the records being breached, privacy experts said.
"Congress has been myopic at looking at this as a phone records issue," said Robert Douglas, a privacy consultant. "It's much broader: It's utility records, bank records, medical records, cable and satellite TV records -- all of American consumers' records."
At least four bills have emerged in Congress dealing specifically with unauthorized access to private phone records. But none has passed, despite lawmakers' vows early this year to have a bill on President Bush's desk by late spring.
In the absence of federal laws, states have taken the lead in enacting tough consumer protection and privacy statutes. California, where Hewlett-Packard is based, has some of the toughest, outlawing unauthorized access to computer records or computer systems to wrongly control or copy data. Another California law makes it a crime to obtain personal identifying information, such as a Social Security number, and use it for an unlawful purpose.
The Hewlett-Packard case could spur Congress to act before its current session ends, some consumer advocates said.
The House Energy and Commerce investigations subcommittee is expected to hold a hearing this month on what phone companies are doing to protect customers' records.
"All pretexting should be prohibited," said Jeannine Kenney, senior policy analyst at Consumers Union. "Equally important, however, is that Congress take steps to prevent the violations from occurring in the first place by requiring the carriers or anyone who is entrusted with consumer data to better safeguard that information."
Viet Dinh, a former assistant U.S. attorney general who represents a Hewlett-Packard board member, said criminal laws regarding wire, computer and identity fraud are not comprehensive enough to protect consumers. "The current controversy highlights in a very dramatic manner a pervasive problem with respect to the illegal access and trading of personal records," he said.
Douglas, a former private investigator, said he thinks the case could provide momentum to stalled legislation.
But, then, he thought that before.
"One would have thought that the HP matter would be enough in the waning days of the session to push legislation through," he said. "If not, I think Congress owes the American public an explanation of how, in the course of a full year, they have not got a very simple bill to the president's desk to protect Americans' phone records."