I’ll assume you are aware of what is going on over in the Hewlett-Packard board room. I won’t opine on it directly. But I will add this. Pretexting is not identity theft. Pre-texting is a method, a means to gather information. I wouldn’t even say that pretexting to get phone records is identity theft. Criminal fraud, maybe or maybe not. ID theft? No, unless a specific state law has written the term “phone records” into their identity theft law. And I am not aware of one that has. If you are, email me.
Why isn’t pretexting necessarily a crime? There is no federal law that makes pretexting illegal in all cases. There is a federal law (Gramm-Leach-Bliley Act of 1999) that prohibits obtaining customer information by false pretenses—from financial institutions. The only other federal jurisdiction might be the Federal Trade Commission, but that is pretty murky and they can only take civil action. Now, it is possible, I assume, for an attorney general or district attorney to broadly apply other fraud statutes in this case. But it may be an uphill battle. I’ll leave that to others to decide.
Update: Some REALLY great information and discusion is going on in the comments. Thanks for Stuart and Michael for your insights. I will follow up soon.
Update 2: This is a fascinating case, I wish I had time to dig into it more and blog about it. But I will just keep this follow up to the comments below tied to identity theft. Since the crimes occurred on persons and through records in California let’s examine CA penal code 530.5 which is the identity theft law. The private investigator used social security numbers, pretending to be certain individuals in the case, and opened online accounts at SBC/AT&T to view phone records via the web. And it’s possible the PI or their contractors did not unlawfully obtain the SSNs but paid for them through a service. The law is clear that a crime is committed when either (1) personal identifying information is used to for unlawful purpose, or (2) when someone with intent to defraud, acquires or transfers that PIF.
530.5 (a) Every person who willfully obtains personal identifying information, as defined in subdivision (b), of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical information in the name of the other person without the consent of that person, is guilty of a public offense…
(b) "Personal identifying information," as used in this section, means the name, address, telephone number, health insurance identification number, taxpayer identification number, school identification number, state or federal driver's license number, or identification number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, checking account number, PIN (personal identification number) or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address, or routing code, telecommunication identifying information or access device, information contained in a birth or death certificate, or credit card number of an individual person.
(d) Every person who, with the intent to defraud, acquires, transfers, or retains possession of the personal identifying information, as defined in subdivision (b), of another person is guilty of a public offense…
It isn’t clear that phone records are PIF. However, subdivision (d) seems to apply. So this might be a 530.5 violation if someone obtained (doesn’t matter how) SSN’s with intent to defaud (commit another crime), such as those Michael Webster points out in the comments. Whew. This is too complicated.
And by the way, Patricia Dunn doesn’t seem to have committed a crime in any way. The only possible criminals from where I sit would be the private eye and/or the contractor hired to do the digging. Although the whole thing stinks from an ethical standpoint. One director (Sonsini) assurred other directors (Dunn, Perkins) that getting phone records wasn’t a crime. Dunn clearly approved the nasty investigation of other directors AND reporters. And the people hired by HP (or sub-contractors) might have committed a crime in order to obtain the information. What a disaster all around.
So, I’m with Michael Webster here. There just HAS to be a crime committed here. But I’m still not sure it was identity theft. I wonder if California will amend 530.5 to make subdivision B (the definition of PIF) more broad. Updated: The more I think about it, the more it sure seems like ID theft or damn close to it.
Update 3: It’s worth mentioning that it appears a Caller ID spoofing service was used in this case to fool AT&T customer service (read the link Michael points to in the comments). Probably a spoofcard. I told you these things are bad news.