Pretexting: What You Need to Know
Print Issue: June 2010
KATHY LAWLOR WAS A TOP SALESWOMAN at North American Corporation in Chicago in 2005. By that time, she had been employed for seven years in the company’s printing division, and in 2004 alone, she had earned more than $200,000. She was about to land the company a five-year account with MapQuest, a major client that would bring in several million dollars, when she was called into a meeting with the company’s owner. The executive told Lawlor that her normal commission of 30 percent would not be applied to the new account. Lawlor was told to sign a document consenting to the new arrangement. The owner warned that if Lawlor did not sign the document, she would not be paid. Instead of signing, Lawlor resigned.
The next week, Lawlor received a letter from her former employer demanding more than $20,000 it said she was overpaid in commissions. Lawlor found this surprising since she believed the company owed her commissions on accounts she had finalized before she resigned. Lawlor hired a lawyer and sued North American seeking thousands of dollars in compensation.
North American, meanwhile, was concerned that Lawlor was trying to steal the MapQuest account away from the company and might have disclosed confidential information during a job interview with a competitor in 2004. The company hired a private investigations firm to ascertain whether these suspicions were true. The private investigator hired a third-party researcher to gather information. This third party obtained Lawlor’s telephone records without her consent and turned the data over to North American.
Lawlor found out about the investigation and expanded her lawsuit to include invasion of privacy. The company filed a separate claim against Lawlor for anticompetitive conduct. The judge in the company’s suit found that Lawlor had behaved inappropriately and ordered her to pay North American more than $630,000 in commissions and punitive damages. The jury deliberating Lawlor’s claim, however, found that the company did invade her privacy and awarded her $1.8 million. Both parties plan to appeal.
The complex case is the latest to address pretexting—the practice of obtaining information under false pretenses—and it shows how engaging in pretexting can expose companies to liability. Security experts need to understand when pretexting is clearly illegal under federal and state statute, how the courts have interpreted pretexting, which practices may be legal but inadvisable, and how to protect against pretexting liability when outsourcing.
Federal statute explicitly outlaws pretexting to obtain financial information or telephone records. Prosecutors also use other federal laws to stop pretexting used for criminal purposes.
Financial data. Perhaps the most valuable type of personal information is financial data. The Gramm-Leach-Bliley Act of 1999 makes it illegal to obtain another person’s financial information using pretexting. Specifically, the law makes it illegal to use false, fictitious, or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution. It is also unlawful to use forged, counterfeit, lost, or stolen documents to obtain such information.
Telephone data. In 2006, in a well-publicized case involving pretexting, Hewlett-Packard Chairwoman Patricia Dunn asked the company’s general counsel to investigate board members to find out which of them was leaking sensitive information to the press. Hewlett-Packard’s counsel hired a team of security experts who in turn hired private investigators to gather information on the board members.
When it was discovered that three of the investigators had used pretexting to gain the telephone records of the board members, the federal government and the state of California filed criminal conspiracy and identity theft charges against Dunn, the company’s ethics chief, and the three investigators. State charges were brought against the ethics chief and two of the investigators but were dropped after the accused pled no contest and agreed to complete 96 hours of community service.
The third investigator faced federal charges for obtaining a journalist’s Social Security number and using it to obtain a phone number. This investigator ultimately pled guilty to federal charges in 2007, but his penalty has yet to be decided. In August 2009, his sentencing date was postponed.
The incident led to the Telephone Records and Privacy Protection Act of 2006. The law and related regulations promulgated by the Federal Trade Commission (FTC) make it illegal to obtain a person’s telephone records using false representation. It is also illegal to make false statements to an employee of a telecommunications provider or provide false documents in an attempt to gain a person’s phone records.
False statements to a customer, accessing records via the Internet, and any means of hacking are also prohibited. If confidential phone records are obtained, the law makes it illegal to sell, transfer, purchase, or receive that information. The law has been used to bring charges against pretexters. An Ohio man was indicted in December for using a counterfeit subpoena to obtain phone records from Sprint.
Other laws. Other federal laws, including those outlawing identity theft, are also used to prosecute pretexters. For example, in November 2009, an Alabama man pled guilty under the federal telephone records privacy law after stealing another person’s Social Security number and using it to obtain telephone records from T-Mobile. He was also charged with aggravated identity theft.
In another case, in 2008, a couple pled guilty to conspiracy, wire fraud, and aggravated identity theft. The couple led a group of 10 private investigators who illegally obtained confidential information and then sold it. They posed as government officials from state and federal agencies to obtain tax, medical, and employment data on thousands of people. During the government’s year-long investigation, the pretexters did a brisk business, selling information to attorneys, insurance companies, and collection agencies.
State statutes. States have also passed laws that specifically apply to pretexting. Utah has passed a law that makes it illegal to obtain any sensitive personal information through pretexting. Additionally, 19 states have passed laws making it illegal to obtain telephone records through pretexting. While many of these laws were preempted by the federal legislation, some contain specific provisions that companies should heed. California, for instance, has a law regarding telephone records that is similar to the federal statute. However, under the law, the employer or the person contracting with the pretexter can be prosecuted for knowingly allowing the employee or contractor to violate the law.
Not all pretexting is illegal. In the broadest sense of the word, pretexting can refer to any time a person uses subterfuge to gain any type of information. Roger Schmedlen, CPP, of Loss Prevention Concepts in Fenton, Michigan, notes that he is often hired to conduct undercover investigations in factories. In these cases, the company needs to know if misconduct is occurring, so the investigator must pretend to be another employee. “Such investigative tools are not only legal and ethical, they are also valuable,” says Schmedlen.
It is, however, illegal for investigators to present themselves in the guise of someone in authority, such as a law enforcement officer or a fire marshal. In almost every state, it is illegal for investigators to represent themselves as anyone who is licensed in a particular trade. In some states, this means that it is illegal to pretend to be a mortician or a computer forensics specialist, for example. Some jurisdictions also make it illegal to impersonate a real person or to pretend to represent a real company.
According to Donald deKieffer, principal in the Washington D.C. law firm of deKieffer & Horgan, investigators should not assume the identity of a contemporary person or company even if they live in a jurisdiction where this is not explicitly outlawed. Using the logo of a legitimate utility company on a truck or posing as the manager of an existing bank would, thus, be inadvisable. Also, it is illegal for investigators to use any alias or pretext to persuade a target to commit any illegal act.
Courts around the country have addressed pretexting either as the central issue of a case or as part of a larger incident. In some cases, the private investigation firm is the target of the lawsuit, while in other instances, the company that hired the investigators faces charges.
For example, in 2005, William Berkeyheiser was shot and killed by a former co-worker. The assailant obtained Berkeyheiser’s home address through a detective firm. Berkeyheiser’s widow sued the private investigators, alleging they should have known that providing such data was likely to lead to criminal activities such as fraud, harassment, or stalking. The suit was settled out of court for $550,000.
In another instance, the plaintiff claims that a third-party contractor acting on the company’s behalf broke the law. In 1999, Liam Youens contacted an investigative firm, Docusearch, to request information on Amy Boyer, a girl he had been obsessed with since high school. Docusearch hired a subcontractor who called Boyer pretending to be an insurance company representative.
The subcontractor asked Boyer to verify her work address, telling her that the insurance company owed her money.
Docusearch sold the information to Youens for $109. Youens drove to Boyer’s workplace, where he shot and killed her before turning the gun on himself. Investigators later found that Youens maintained a Web site devoted to his plans to kill Boyer. Claiming that Docusearch was liable for her daughter’s death, Boyer’s mother filed a wrongful death lawsuit. In 2004, the case was finally settled out of court for $86,000.
The Lawlor case (mentioned in the beginning of this article) is also an example of this type of decision. In the case, the company consulted its legal counsel, which in turn hired a private investigator. The investigator then hired an outside database company, which conducted the pretexting. According to Eric N. Macey of Novack Macey of Chicago, who represented North American, companies should not be under the illusion that outsourcing removes the potential for them being held liable for any criminal activity. “With that much distance, the company may not know the pretexting was going on. This company got hit even through all those layers,” says Macey.
Pretexting can also become a factor in cases that involve trade secret violations or trademark infringement, as noted. But in cases involving covert placement of personnel, the law is not always clear regarding when the line into illegal pretexting is crossed. Consider the following two cases.
In the first case (Gidatex v. Campaniello Imports, U.S. District Court for the Southern District of New York, 1999), attorneys were investigating a possible trademark infringement allegation in which a furniture manufacturer, Gidatex, sued a distributor, Campaniello Imports, for trademark infringement and unfair competition. Gidatex, maker of Saporiti Italia products, claimed that Campaniello lured customers in with signs and advertisements bearing the Saporiti Italia trademark. When prospective customers asked about the products, sales employees working in Campaniello’s showroom told them that the Saporiti Italia items were no longer in production but that the same style and quality of merchandise was available in other products.
To prove that Campaniello was violating trademark law, attorneys for Gidatex hired a private investigation firm. Two investigators went undercover. Posing as interior designers, they visited Campaniello’s showrooms. The investigators secretly tape recorded conversations with Campaniello’s employees. The investigators proved that Campaniello was misusing the Saporiti Italia name and lying to customers.
Campaniello sued Gidatex, claiming that the pretexting was a violation of attorney ethics rules and that the evidence gained from the practice should not be allowed at trial. The court disagreed, finding that the ethics rules, which precluded misrepresentations by attorneys, did not apply to the situation for two main reasons. First, the pretexting was conducted by investigators, not attorneys. Second, the court noted that the ethics rules were designed to protect individuals from being tricked into making statements in the absence of proper representation.
In the written opinion of the case, the court noted that “the presence of investigators posing as interior decorators did not cause the sales clerks to make any statements they otherwise would not have made. There is no evidence to indicate that the sales clerks were tricked or duped by the investigators’ simple questions, such as ‘is the quality the same?’ or ‘so there is no place to get their furniture?’”
In a similar case (Midwest Motor Sports v. Arctic Cat Sales, Inc., U.S. Court of Appeals for the Eighth Circuit, 2003), the outcome was reversed. In that instance, another federal appeals court ruled that the pretexting violated rules governing deceitful conduct by attorneys.
In the case, Midwest Motor Sports sued Arctic Cat over a franchising disagreement. Arctic Cat, a snowmobile manufacturer, had terminated the franchise of Midwest Motor Sports and established A-Tech as the new franchise. Concerned that they were not privy to all the available evidence, attorneys for Arctic Cat hired a private investigator to visit Midwest Motor Sports and A-Tech stores and secretly record conversations with sales personnel to gather evidence that could be helpful in the pending lawsuit.
Visiting several showrooms, the investigator posed as a customer and talked with sales staff as well as the president and owner of A-Tech. When the court learned of the investigator’s tactics, it excluded the evidence obtained through the investigation. The franchise lawsuit was settled out of court, but attorneys for Arctic Cat pursued a civil suit against the attorneys for Midwest Motor Sports, arguing that monetary sanctions should be imposed because of the pretexting.
The U.S. Court of Appeals for the Eighth Circuit declined to impose sanctions on the attorneys, finding that the exclusion of the evidence at trial was sufficient. However, in the written opinion of the case, the court warned attorneys about the perils of engaging in such behavior. The court noted that “Arctic Cat’s attorneys may have become frustrated with their opposing counsel’s refusal to cooperate, but that frustration does not justify a self-help remedy.”
Unfortunately, when viewed as a whole, the case law does not offer clear guidance to companies on pretexting. According to R. Mark Halligan, partner, Nixon Peabody, LLP, in Chicago, the law has not been settled as to what is permissible by someone conducting investigations.
“It is too difficult to counsel on it as a lawyer in the present environment,” he says. “The problem is that no one understands what the ground rules are now, and they won’t be clear until they are sorted out by Congress.”
Congress is currently considering a bill that would make all pretexting by data brokers illegal. If it becomes law, the bill could affect private investigators, some of whom use data brokers to gather background information.
The issue of pretexting may be unsettled, but companies must still conduct investigations. A company may decide to vastly limit or prohibit pretexting in its own investigations, but as the Lawlor case illustrates, it may still be held liable for the actions of subcontractors working on its behalf. For companies to protect themselves, say experts, they must conduct due diligence, discuss details, and set limits.
Due diligence. “The take-away lesson from the Lawlor case is that companies must investigate the third party vendors they do business with,” to be sure their practices are within the law, says Macey.
Steven Foster, president of Business Controls in Littleton, Colorado, stresses that companies should inquire into investigative firms just as they would any other business partner. “You are looking for up-to-date certifications, licensing, experience, and references,” he says.
Price is also a factor. If a vendor offers to do work for an unusually low price, that can signal that basic research is outsourced, so companies should make sure that they know who is conducting the work. “Outsourcing can be a big red flag,” says Foster. “And it can lead to liability.”
The investigative company should also carry liability insurance, cautions Foster. While there is no hard and fast rule about the amount of insurance a company should carry, an adequate insurance policy indicates that the firm is responsible and reliable.
Discuss details. Companies should not provide vague directions and then trust the third-party investigator to get the appropriate information in a legal manner. Investigators should be able to define the objectives, describe their methodologies, and articulate what sort of information they will and will not gather.
If an investigator insists that he has secret methods, companies should steer clear. “If someone tells you they can get nonpublic information but that you shouldn’t ask where it came from, don’t trust them,” says Mark Rasch, principal with Secure IT Experts of Bethesda, Maryland, and a former federal prosecutor.
“Ask investigators how they go about gathering data,” Rasch warns. “And if it isn’t through reasonable investigative practices, don’t hire that company.”
Schmedlen notes that the process works both ways. The company and the investigators should both know what data is needed and how it will be obtained. If a customer says: “I don’t want to know how you get the information,” a reputable investigative company should turn down that client.
Set limits. A good rule of thumb to keep from incurring liability is to consider the proximity of an investigation, says Foster. Since corporate investigations involve wrongdoing in the workplace, an investigation should not extend into an employee’s private life. “If I am interested in policy violations on company time and property, and I am going through my employee’s garbage, what exactly am I trying to do?” he asks.
If a problem does extend outside of the workplace, companies should consider whether it has become a criminal issue. For example, Foster’s company was called in to investigate cases of copper wire theft. “Once we learned that the employee had stolen the wire and stashed it in his living room, that became a criminal matter,” he says. “We urged the client to call the police.”
For many experts, the bottom line on pretexting is that it should be avoided if possible. If there are other ways to gather information that do not involve pretexting, those ways should be pursued first. For example, in the HP case, Foster says that he would have recommended a different tactic, one that was both simpler and pertained to the professional capacity of the board members. “I would have sent out official e-mails to all of those suspected of leaking information, and each of those e-mails would have contained slightly different information,” says Foster. “Then I would have waited to see which version appeared in the press.”
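The tactic Foster describes, sending each recipient a slightly different version and checking which one surfaces, can be sketched as follows. This is an added example, not part of the original article; the memo text, the slot wordings and the recipient names are constructed for illustration.

```python
import itertools

# Constructed memo and phrasings; each slot has interchangeable wordings.
TEMPLATE = "The board will review the {deal} on {day}; the budget is {budget}."
SLOTS = {
    "budget": ["$4.1 million", "$4.2 million", "$4.3 million"],
    "day": ["March 3", "March 4", "March 5"],
    "deal": ["acquisition proposal", "merger proposal", "purchase proposal"],
}
RECIPIENTS = ["director_a", "director_b", "director_c", "director_d", "director_e"]


def assign_variants(recipients):
    """Give every recipient a distinct combination of slot wordings."""
    names = list(SLOTS)
    combos = list(itertools.product(*(SLOTS[n] for n in names)))
    if len(recipients) > len(combos):
        raise ValueError("not enough distinct variants for all recipients")
    return {r: dict(zip(names, c)) for r, c in zip(recipients, combos)}


def render(choices):
    """Produce the exact text sent to one recipient."""
    return TEMPLATE.format(**choices)


def attribute(published_text, plan):
    """Return recipients whose variant is consistent with the published text.

    A short quote may reveal only some slots, so the result can be several
    names; an empty list means no tracked wording appeared at all.
    """
    text = published_text.lower()
    observed = {}
    for slot, wordings in SLOTS.items():
        seen = {w for w in wordings if w.lower() in text}
        if seen:
            observed[slot] = seen
    if not observed:
        return []
    return sorted(
        r for r, choices in plan.items()
        if all(choices[s] in seen for s, seen in observed.items())
    )


if __name__ == "__main__":
    plan = assign_variants(RECIPIENTS)
    for r in RECIPIENTS:
        print(r, "->", render(plan[r]))
    print(attribute("The board will review the merger proposal on March 4.", plan))
    print(attribute("A merger proposal is under review.", plan))
```

A published excerpt that quotes only one slot narrows the list without settling it, which is why the variants should differ in more than one place.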
Teresa Anderson is senior editor at Security Management.