Former Hewlett-Packard Chairwoman Patricia Dunn was assured that methods used by investigators to find the source of leaks from the company's board of directors were legal, she told a U.S. Congress subcommittee Thursday.
Dunn also told lawmakers she believed any investigative techniques used during the 2006 portion of the investigation had to be approved by HP President and Chief Executive Officer Mark Hurd.
Hurd told lawmakers he did not know the methods of an internal HP team investigating the board leaks. He did not read a March report from the team describing its use of pretexting, a practice in which someone poses as a customer in order to gain access to personal records such as telephone logs.
"I pick my spots when I dive for details," he said. "This [investigation] was not a priority for me."
Dunn trusted HP employees and lawyers who told her the investigation complied with HP's high standards of conduct, she told the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee. HP has disclosed that the year-old investigation included pretexting to gain the personal records of reporters, HP board members and employees.
When questions about the investigative techniques surfaced recently, Dunn passed concerns about the investigation's techniques to Hurd, she said. Before then, HP's internal lawyers assured her the investigative techniques were being done "legally and properly," she said.
"I deeply regret that so many people, including myself, were let down" by trusted HP advisors, she said.
Dunn, who was forced to resign Sept. 21, told lawmakers she authorized the investigation but did not oversee its operation. That task fell to the HP legal team, and two of its members declined to testify. "At no time in the investigation did I authorize its methods," Dunn said. "I asked this to be done in the HP standard way."
But lawmakers pointed to three documents, including the handwritten notes of former HP general counsel Ann Baskins, saying Dunn was told of pretexting methods as early as June 2005. Dunn said she was unaware that investigators were misrepresenting themselves in order to get personal records until July of this year.
Dunn said she doesn't remember the June 2005 conversation referenced in Baskins' note. "I had no reason to think anything illegal was going on," she said. "I had batteries of experts telling me that wasn't the case."
Representative Cliff Stearns asked Dunn if she should take any blame for the questionable investigatory methods. "If I knew then what I know now, I would have done things differently," she said.
Stearns asked again if she had any culpability. "I do not accept personal responsibility for what happened," Dunn answered.
With HP officials telling her the investigation methods were legal, Dunn said she had no ethical concerns, she said. "I believed these [investigations] may be in fact quite common, not just at Hewlett-Packard, but at companies across the country," she said.
HP security investigator Fred Adler said he was not aware of any other times when HP has used pretexting, but he believes the HP has used e-mail tracing technology a "dozen to two dozen" times for internal investigation in the three years he's worked there.
Some subcommittee members said Congress needs to pass a new law making clear that the practice of pretexting is illegal. But several lawmakers suggested the practice is already illegal under a handful of federal laws as well as a California law prohibiting the use of false information to get customer information from utilities.
Members of the subcommittee asked how HP, long recognized as a corporate leader in protecting consumer privacy, could embrace questionable legal practices such as pretexting.
"It's pretending to be someone you're not, to get something you probably shouldn't have, to use in a way that's probably wrong," said Representative Joe Barton, chairman of the Energy and Commerce Committee.
Barton asked Dunn if she'd give him her phone records if he just called and asked for them without a subpoena.
"In your position, I would give you my phone records," Dunn said.
"Well, praise the Lord," Barton said to laughter in the audience. "I wouldn't give you mine."
Ann Baskins, who resigned earlier Thursday as HP's senior vice president and general counsel, and Kevin Hunsaker, the company's senior legal counsel, both asserted their rights not to testify under the Fifth Amendment of the U.S. Constitution during the hearing.
Eight outside investigators who allegedly worked with HP to identify the board leaks also declined to testify.
HP also considered putting spyware on reporters' computers, digging through trash, and putting spies into the newsrooms of news organizations reporting board details, subcommittee members said.
The actions taken by HP were "not the act of one rogue employee," said Representative Jay Inslee, indicating that at least some of the politicians might not accept the characterization of the events at HP that its chief is set to offer before the subcommittee. In a written version of his testimony made available earlier, President and Chief Executive Officer Mark Hurd called the scandal the result of a "rogue investigation."
Inslee and Representative Marsha Blackburn have co-authored legislation that would prohibit the obtaining of customer information from telecommunications carriers by false pretenses, and the sale or disclosure of such records obtained by false pretenses. Subcommittee Democrats questioned why the House hasn't voted on the bill, which the committee approved unanimously in early May.
In her opening remarks, Blackburn called pretexting a purposeful effort to deceive and defraud in order to get information one is not entitled to have. "How prevalent is it in the corporate boardroom?" she asked.
Criminalization of pretexting needs to extend to all forms of telecommunications, said Representative Tammy Baldwin, adding that legislation must address records ranging from conventional telecom through mobile and Internet telephony. She called for a "comprehensive legislative approach" to cover all sectors where pretexting could occur.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.