Aaron Stephens and Lucinda Brett explore and comment on 'pretexting' developments in the US and UK, with a particular focus on the application of the new Fraud Act 2006
With information a currency in itself, the criminal law is targeting fraudulent schemes for obtaining it. Perhaps unwittingly, corporations that engage in 'competitive intelligence' activities have helped to stimulate an industry which relies upon deceit.
The infamous Hewlett-Packard 'pretexting' furore, which gripped corporate America during 2006, needs no introduction. It claimed the job of HP's chairman, Patricia Dunn, and resulted in the state of California bringing criminal charges against her and various other defendants, including the company's former ethics officer as well as private investigators hired by the company. HP itself has already agreed to pay $14.5m to settle a civil lawsuit filed by the California attorney general, but this is unlikely to be the last time the wallet comes out. Agencies of the federal government are investigating and may ultimately bring charges, while the prospect of private lawsuits also remains.
Indeed, recent reports suggest that some private lawsuits are already in the works. Various American journalists, whose personal phone records were obtained when private investigators used social security numbers and other data supplied by HP to impersonate them, have indicated their intent to sue for breach of privacy. The news organisations they work for might join in, or bring suits of their own.
In the US
The US, often criticised for weak data protection and privacy laws, has reacted to the scandal with new legislation. The Telephone Records and Privacy Protection Act of 2006 was signed into law by President Bush on 12 January 2007. At its most basic, the act makes it an offence to knowingly and intentionally obtain, or attempt to obtain, confidential phone records by making false or fraudulent statements to employees or customers of ‘covered entities’ – in essence, all telecommunication carriers, including all providers of IP-enabled voice services. It also prohibits the sale or purchase of such phone records, unless otherwise permitted by law or authorised by the customer.
Violators are subject to a fine as well as imprisonment of not more than 10 years, and there are enhanced penalties in aggravated cases or where the information obtained is used in furtherance of other criminal offences. The act has extra-territorial effect, meaning that US authorities could potentially use it to prosecute pretexting committed outside the US.
The US Federal Communications Commission has also issued new rules that prohibit telecommunications carriers from releasing customer records over the phone without a password.
These are targeted measures that deal only with pretexting for phone records (federal law protecting financial records has been on the books since 1999). Given the intense interest in the HP scandal, the federal government can be expected to make strong, and very public, use of these measures in order to maximise their deterrent effect.
The UK position
In the UK pretexting is more likely to be referred to as 'blagging', although in this article we will continue to use the former term. There has been no equivalent scandal in the UK, yet, but many forms of corporate espionage are no doubt alive and well in the City and beyond. In addition, many types of businesses use private investigators for a range of purposes, from conducting simple background checks to assisting large-scale internal investigations of fraud or other illegality.
In January 2007 a company boss was jailed after hiring a corrupt private detective agency to tap telephone conversations and hack into computers to monitor opponents of his company. The judge in that case explained that while the private detectives were ‘essential’ to the illegal activity, the corporate customer was also vital: ‘Just as handlers would not exist without thieves, so this agency would not have provided the services they did without a market for them,’ said the judge.
Financial services firms in the City, such as hedge funds and other asset managers, often use 'intelligence' or 'match-making' services to dig up specific information or contacts relevant to stocks in which they have (or are considering taking) a position. Moreover, more than one hedge fund has advertised in the financial press seeking investigative journalists to assist in conducting research and analysis. Such funds must be extremely careful to ensure that more creative methods of doing research, honed by private investigators and journalists, do not infect the investment community. Pretexting may very well be one of these techniques and compliance executives should be on the look out for it.
But there is nothing criminal about pretexting for information other than telephone and financial records, right? Under English law, the answer might not be so straightforward.
Data Protection Act 1998
The Data Protection Act 1998 makes it an offence (with certain exceptions) to obtain, disclose or ‘procure the disclosure’ of confidential personal information ‘knowingly or recklessly’, without the consent of the organisation holding the data. ‘Confidential personal information’ extends beyond telephone and financial records.
The mischief targeted by the Data Protection Act was recently highlighted by the successful prosecution of a husband and wife team who made £140,000 a year selling private financial information – obtained by pretexting. In this case, the couple obtained bank account details by making bogus phone calls, and charged their clients (who included three private detective agencies working for international corporations and City law firms) up to £150 for each piece of financial data.
Prosecutions under the Data Protection Act have generally resulted in low penalties: either minimal fines or conditional discharges. The Information Commissioner, Richard Thomas, wants to address this and has recently recommended that the Government increase penalties for offences committed under the Data Protection Act to a term of imprisonment not exceeding two years.
Fraud Act 2006
The Fraud Act 2006 aims to close a number of loopholes in existing anti-fraud law, which the UK government said was unsuited to modern fraud. Until the Fraud Act's implementation on 15 January 2007, there had been no single, general fraud offence in English law. Fraudsters were primarily dealt with through a collection of deception offences in the Theft Acts and by the common law conspiracy to defraud.
The new offence of fraud, punishable by imprisonment of up to 10 years, can be committed in three different ways: by false representation, by failing to disclose information and by abuse of position. For false representation and abuse of position, the defendant's behaviour must be dishonest (both subjectively and objectively) and must intend to secure either a gain for the defendant – or a loss or risk of loss to another – of money or any other property. Crucially, there is no requirement that any actual gain or loss be incurred.
Although the issue of pretexting may not have been a catalyst for the Fraud Act, there is no obvious reason why the Act cannot be used to prosecute it and other corporate espionage activities.
Fraud by false representation The first type of fraud offence is couched in extremely general language – it prohibits the making of a false representation (by words or conduct as to any fact, law or state of mind of any person), whether express or implied, and either knowing that the representation is false or misleading or being aware that it might be. So, in effect, the offence appears to criminalise lying, so long as the intent of the lie is to make a gain – or cause someone else to incur a loss of money or property.
A common example of this offence would be false statements on insurance or mortgage application forms, but the offence is also intended to criminalise 'phishing', – where bulk e-mails are sent, purporting to represent a well-known brand, in the hope of luring victims to a bogus website that tricks them into disclosing bank account details.
But this offence is so general that it could be deployed in a number of novel scenarios. Consider the example of a hedge fund instructing a private investigator to uncover information (whether or not the information is 'inside' or otherwise confidential) to assist the management of its portfolio. Such a technique could uncover extremely relevant information that might not otherwise be disclosed to the fund – and could theoretically lead to enormous gains, for the portfolio, the portfolio manager (as reflected in his bonus) and perhaps even the private investigator. Due to the wide nature of the general fraud offence, any use of pretexting techniques by the investigator would appear to be caught. Thus, the hedge fund (or relevant individuals) could potentially be prosecuted.
In general terms, such a prosecution would seek to establish that the hedge fund intended to make a gain by using information knowingly obtained by deceit. Indeed, if the fund disseminated negative information obtained by deceit, in an effort to drive down the stock price of a stock it was short selling, this might amount to both an intent to make a gain for the fund (as it would profit from the stock's decline) as well as to cause a loss to the targeted company's shareholders.
It is instructive to note that the reverse of this situation may have already occurred in America. In February 2007, federal prosecutors subpoenaed records of Allied Capital, upon allegations that it hired private investigators to pretext for phone records of David Einhorn (a hedge fund manager who was shorting Allied Capital's stock and had been publicly critical of the company).
Possession of articles for use in frauds The Fraud Act also makes it an offence for a person to possess or have under their control any article for use in the course of, or in connection with, any fraud. The offence is primarily aimed at articles that are specifically designed for fraud, such as credit-card cloning devices. However, the offence includes in its scope articles that may also have a benign use, such as an ordinary computer that is used to store stolen credit card numbers. Since virtually any article might be used in a fraud, much will turn on a defendant's state of mind.
Fraud by abuse of position Where a person occupies a privileged position such that they would be expected to safeguard another's financial interests, and they abuse that position, they could be subject to the offence of fraud by abuse of position.
The types of relationships covered include director and company, employer and employee, and professional and client. This offence raises serious risks for businesses. Such ‘abuse’ is capable of being committed by omission and an offence could potentially encompass situations where a director or professional fails to take up the opportunity of a crucial contract, or where the compliance officer of a bank fails to monitor the bank's risk because he spends his day surfing the internet for personal use. If a jury finds that he is dishonest, he may be guilty because he is in a position of trust and, by omission, has abused this position.
Liability of company officers for offences by company If an offence under the Fraud Act is committed by a corporate entity with the ‘consent or connivance’ of a company officer, the latter will also incur liability for the offence. The point of the provision is in situations where it can be said that a corporate officer had a duty to intervene and stop the company from committing a fraudulent act.
Internal investigations
Internal investigations are an essential element of prudent corporate oversight and a proven method for uncovering fraud. However, as demonstrated by HP, methods used during investigations can themselves become a problem. In light of the breadth of the new legislation, companies and directors should ensure that investigations are conducted with sensitivity to privacy and data security concerns – which will likely vary by jurisdiction – and should engage outside counsel if there is any uncertainty.
Aaron Stephens is an associate and Lucinda Brett a solicitor, both from the regulatory and government affairs group at DLA Piper, www.dlapiper.com