THE HEWLETT PACKARD SETTLEMENT: A HARD LESSON ABOUT THE NEED FOR CAREFUL INVESTIGATION
Dec. 1, 2006
The Hewlett Packard pretexting scandal received widespread publicity. While a criminal case is pending and there may be spin-off litigation, the deal Hewlett Packard made with the California Attorney General is inked and done. In some ways it is a remarkable agreement. Hewlett Packard will pay fines of $14,500,000, with the lion's share going to fund future California law enforcement investigations of privacy violations and piracy. Hewlett Packard also agreed to a permanent injunction with many strong provisions. The injunction requires an Independent Director with responsibility for reviewing and authorizing all investigations related to the Board of Directors. The Independent Director is authorized to hire independent legal counsel without obtaining the approval of any executive of Hewlett Packard.
Perhaps the most surprising obligation of the Independent Director is a requirement - literally a court order - to report any violation of California law in the course of investigations directly to the California Attorney General. This means that Hewlett Packard must report violations of law in the course of investigations before it has analyzed and corrected them. There is no materiality threshold for this requirement. If an investigator working for Hewlett Packard gets a traffic ticket and the Independent Director learns of it, he must report it to the California Attorney General. Failure to report any violation of California law in the course of an investigation would violate the court's injunction, subject Hewlett Packard to contempt of court proceedings and "punishment" - an explicit provision.
Reporting to the Independent Director will be the new position of the Chief Ethics and Compliance Officer ("CECO"). That officer will be responsible for the management and supervision of ethics and compliance for the entire company. The CECO is to supervise all investigations and all investigative practices, and is also authorized to hire legal counsel without the approval of any executive. The CECO supervises the person entitled the "Qualified Authority" (already hired by Hewlett Packard). That person is performing a comprehensive review of Hewlett Packard's compliance with legal requirements and ethical standards as those standards apply to Hewlett Packard's policies and practices regarding investigations. The Qualified Authority will report his or her comprehensive review to the CECO, the Independent Director and the Board of Directors. Hewlett Packard is also required to establish a Compliance Council. The Compliance Council will promulgate policies and procedures for Hewlett Packard's ethics and compliance programs.
While Hewlett Packard is having to take some pretty stiff medicine, most companies may be inclined to perceive the whole situation as a bizarre aberration. After all, how many companies investigate members of their own Board of Directors? Probably very few. But the Hewlett Packard case does raise a red flag about the improper conduct of investigations. There are some very real dangers for any company which gathers and uses personal information - information such as the names, addresses and phone numbers of people who are not employees.
The proliferation of social groups on the Internet and concerns about the safety of members have put pressure on web hosts to implement procedures to protect their members. One approach is to assemble and use data about criminal records and sex offenses and compare that to information about members. This would allow the site host to flag or banish members who are criminals or sexual predators.
As outlined, this program requires two steps: first, acquiring public record information about individuals (such as criminal records) and second, comparing that information to members. These two steps are not within the capability of most Internet social hosts - it is not their business. Accordingly, it would be expected that Internet social hosts would outsource this project. In a nutshell, the work being outsourced would be comparing public record information with the names of members, checking the integrity of members. California has strict requirements for exactly this work: it can only be done by licensed investigators. Business & Professions Code §§7521(a), 7520. A company which conducts this type of investigation without a license has committed a crime. Business & Professions Code §7523(b). While only the company doing the unauthorized investigation may be committing these crimes, at this point another prong of the Hewlett Packard case may come into play.
A main statutory basis of the civil complaint filed by the California Attorney General against Hewlett Packard was Business and Professions Code §17200. This very broad statute prohibits unfair competition. Unfair competition is any unlawful, unfair or fraudulent business act. As interpreted by the courts, §17200 brings into its scope the violation of any other law. If one violates another statute as part of one's business then it becomes an unfair business practice. The approach of the California Attorney General was that Hewlett Packard hired investigators who conducted their business illegally and that Hewlett Packard must (literally) pay for this. That approach could also be used to bring the unauthorized investigative services to bear on the web host which outsourced the work. The reach of this approach is not just civil because Business and Professions Code §17100 makes violation of the unfair competition law a crime.
This lesson is not just for California companies. Most states, such as Florida and Texas, have similar private investigator licensing requirements.