Listen up and listen in

The HP leak scandal offers lessons in how organizations should act when tracking down trouble

There’s listening in on your spouse’s phone conversation and then there’s pretexting.

The resignation of Hewlett-Packard chairperson Patricia Dunn on Tuesday following the highly publicized HP leak scandal has put the spotlight on the issue of lawful (or unlawful) methods of collecting information.

The practice of pretexting involves the act of pretending to be someone you aren’t. It usually refers to tricking a telephone carrier into disclosing the personal information of a customer, such as phone records.

In the case of HP, it is alleged that it hired a consulting firm to pretext the phone records of journalists to determine the source of the leaks.

Whatever happened to getting people’s consent? Former HP board member Thomas Perkins, who resigned from the board in May after learning of the investigation, questioned the board’s ethics and the legality of the methods used by Dunn in her investigation in a letter to HP’s board.

Peter Ruby, partner with Goodmans LLP in Toronto, who focuses on technology litigation, said PIPEDA puts limits on the ability of people to collect, for commercial purposes, personal information.

Canadian privacy law requires that information can only be lawfully collected with the consent of the individual. There are, however, exceptions to this rule. These include cases where telling the individual in advance that you want to collect information from them would compromise the accuracy of the information. An example is someone pretending to have a broken arm after an accident: telling them in advance that they are going to be surreptitiously taped to verify the injury is real would compromise the result.

The HP case also raises questions around how phone companies secure individuals’ phone records. In Canada, it would be difficult to get a phone company to give a person a record because they are obligated under PIPEDA and the Telecommunications Act not to disclose this sort of information. Most phone companies, Ruby pointed out, won’t give out this kind of information without a court order.

The leak scandal, however, is not the first time the security of this information has been called into question. A Maclean’s article late last year highlighted this very issue when the magazine purchased the Privacy Commissioner’s phone records online through a U.S. data broker called Locatecell.com.

So what do the experts advise? Ruby said the legal lesson to be learned from cases like HP and Maclean’s is, if a firm is concerned about the legalities of employee information, it should get employees and board directors to sign away their phone rights in advance.

This has already happened with many companies’ e-mail user policies. So if many of us have already accepted the fact that work e-mail is no longer private, then should we expect the same of phone records?