In one telling moment during the recent Congressional hearings on the Hewlett-Packard Co. board scandal, ousted chairman Patricia Dunn offered the "everybody does it" defense.
Asked by one legislator about HP’s hiring private investigators who obtained phone records under false pretenses, a practice called pretexting, to identify who’d leaked confidential information, Dunn replied, "I believe these [pretexting] methods may be quite common at companies around the country."
If so, that is chilling to business ethicist Kirk Hanson.
"As an ethicist I’m horrified that HP’s managers relied on the assertion that it was borderline, but legal, and never asked whether it was ethical," says Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University, in Santa Clara, California.
If HP adopted what Hanson called "black ops" as standard investigative practices, he wonders how many other companies have done it.
HP, some of its employees and companies it hired to investigate boardroom leaks to news media still face potential civil and criminal liability for their actions. Other companies find themselves in a dilemma over how to control information within the law.
Companies may have a moral or legal responsibility to respect people’s privacy, but they also have a legal and fiduciary responsibility to protect confidential business information. And under the federal Sarbanes-Oxley Act in effect the last four years, they have obligations to investigate certain leaks, Hanson says.
Companies have a right to investigate their own employees if they’re suspected of leaking information. Employees should presume no right to privacy in their use of company computers, e-mail programs or telephones.
One commonly used tactic to probe security breaches doesn’t even involve electronic snooping. Companies exclusively give suspected leakers seemingly important but relatively benign information. If it turns up in the media, the company has identified the leaker.
But Hanson sees a bright line separating how a company can investigate its own employees and how it can investigate outsiders.
The HP reaction to leaks to reporters contrasts with the recent practice of Apple Computer Inc. when proprietary information got out.
Although Apple is known for its devotion to secrecy, it went to court rather than to private eyes when confidential information leaked in 2004. Apple, of Cupertino, California, sued in state court to force two Web sites to reveal sources for stories they posted about a possible new Apple product. A state appellate court ruled May 26 that the writers on those Web sites enjoy the same First Amendment rights as mainstream journalists and, thus, were protected by California’s shield law from having to reveal their sources. Apple dropped the case. It did not reply to a request for comment on this story.
The Sarbanes-Oxley Act requires companies to develop a whistle-blowing reporting system so employees can raise issues about improper behavior within the company, said Hanson. That has prompted companies to develop an investigative capability in the event improper or illegal activity is alleged. "So (under SOX), companies have developed much enhanced investigative capability," he said.