Saturday, September 23, 2006

Everyone is jumping on poor HP. That's what they get for not dealing with this more aggressively! There are MANY articles today, so I selected a sample.


To my mind, this blog is reporting better and more completely than those sources that carry HP advertising...

http://www.robhyndman.com/2006/09/22/the-hp-saga-dunn-is-indeed-done/

The HP Saga: Dunn is Indeed Done; Hunsaker Sacked

September 22, 2006 at 19:20

The WSJ and NYT have now issued their first pieces (AP here) after the news flashes that followed HP CEO Hurd’s press conference today (audio). HP Chair Patricia Dunn is resigning as Chair and from the Board effective immediately, at the request of the Board. Hurd will take her place. The NYT reports, with tongue-in-cheek, I hope, that it “was not clear from Mr. Hurd’s remarks if the departure of Ms. Dunn from the board was meant to indicate that she is considered culpable for the failings of the investigation” - is it ever, in press conference land? See also Alex Simpson’s Corporate and Securities Law Blog, particularly his part the twenty-eighth (oy!), with detailed point-by-point notes of the press conference (including more new facts about the surveillance operations).

As for himself, Hurd asserts only a passing familiarity with the leak investigations, and no awareness of the pretexting:

The chief executive admitted he attended a “brief” board meeting last year where the probe was discussed. He said it was a discussion about the first phase of the investigation, which yielded no results.

Mr. Hurd said he and others in the management chain weren’t privy to a second phase of the investigation, begun earlier this year in which “pretexting” and other practices were used. Mr. Hurd said he knew investigators planned to send a fake email to a reporter but said he doesn’t recall approving use of tracing technology.

In the first positive development in some time, at least from a PR standpoint, Hurd announced that HP has hired Bart M. Schwartz, a former U.S. prosecutor, “as counsel, to perform a forward-looking and independent review of investigative methods that were used.” (The NYT reports only that HP has “retained a law firm to do a comprehensive investigation to explain the chain of events that led to the improper conduct”, leaving one to wonder why, when it worked so damnably poorly the first time, under Wilson Sonsini’s watch.) I’ll assume for the time being that the Schwartz choice is grounded in crisis management advice that HP engage someone with a reputation for tough-mindedness and independence, even if it means blood on the floor, and that Schwartz fits that bill.

In the press conference Hurd also apologized to the journalists that were pretexted. My sense is that a public display of contrition will, together with swift action to investigate and act, actually be one of the more important elements of the HP communications strategy over the next few days. I would guess that the California AG will, in an unclear case of HP liability, be reluctant to prosecute if the company has visibly suffered, taken responsibility, and committed to corrective measures. (One of the notable elements of the conference was that Morgan, Lewis & Bockius, the outside counsel retained to manage the investigation, indeed seems to be working intensely towards that end - a positive sign.)

What’s needed now is that swift action. Who directed the pretexting, and who knew it was being done?

Update: The NYT is reporting that two senior employees, unnamed as of yet, have been fired.

Update: NYT has updated its story and says the departures are Kevin Hunsaker, HP’s senior counsel and director of ethics, and Anthony Gentilucci, the Boston-based manager of global investigations for HP. And in what must be the sourest note for HP today, it looks like the Democrats are now involved:

The burgeoning scandal at Hewlett-Packard reflects a broader problem that Congress must tackle through new laws, the Democratic co-chairman of the Congressional Privacy Caucus said Friday.

“Clearly the problem of corporations using private detectives and information brokers to obtain illicit access to telephone records and other personal information is not limited to Hewlett-Packard,” Rep. Edward Markey, a veteran Massachusetts politician, said in a statement. “Congress needs to be asking exactly how widespread this practice is, and whether companies are skirting or even violating the law by prying into the details of people’s telephone records or other personal information.”

The statement came the week before a U.S. House of Representatives oversight and investigations panel plans to grill Hewlett-Packard executives and outside investigators about the company’s probe into journalists, employees and board members suspected of involvement in media leaks.

Markey called for enactment of new consumer privacy laws and a bill–sponsored, not surprisingly, by himself–designed to outlaw the sale of Social Security numbers.

The WSJ reports on the departures thusly:

A person familiar with the matter said Mr. Gentilucci and Mr. Hunsaker “are in the process of leaving the company.” Ms. Baskins relied on the legal opinions provided her by Mr. Hunsaker, a lawyer, this person said. Mr. Gentilucci did not return calls seeking comment. Mr. Hunsaker could not be reached.

“In the process of leaving the company”? Escorted to the door window, perhaps, and not yet having hit the ground.

The obvious question is whether HP’s general counsel will be next.

Update: The Recorder raises the question of whether new outside counsel ought to be reporting to Hurd, now that he may be under a cloud.

Update: Hurd’s press conference bought him about 12 hours of respite, by my reckoning. WaPo is already running a piece questioning why, in light of what is known now about his conduct, he has been given additional duties in the shake-up.



http://news.com.com/2100-1014_3-6118799.html?part=rss&tag=6118799&subj=news

Has HP done enough in corporate governance?

By Stefanie Olsen Story last modified Fri Sep 22 17:53:03 PDT 2006

In the world of corporate governance, Hewlett-Packard committed a no-no.

Legal experts give HP credit for taking early steps [clearly not “early” by non-legal expert standards Bob] to clean up the mess that followed revelations that the Silicon Valley giant investigated board leaks using measures such as obtaining journalists' home phone records. Yet some experts said HP may need to go further, given that potentially unethical behavior among top executives could undermine the fabric of the company.

"At the center of corporate governance is an ethical corporate culture, and a corporate culture that could produce something like this needs to be re-examined by all involved," said Charles Elson, director of the Weinberg Center for Corporate Governance at the University of Delaware.

CEO Mark Hurd said Friday that HP Chairman Patricia Dunn would step down immediately, [If you don't take sufficient action at the start of a critical situation, you will probably have to keep taking more and larger actions later. Did the directors even recognize this as a critical situation? Bob] and that the company has hired the law firm Morgan Lewis & Bockius to investigate internal operations.

Corporate governance refers to the background rules, regulations and incentives of a board of directors that aim to ensure managers look after shareholders' welfare. All corporations have a board of directors that are bound by fiduciary law, which stipulates that members exercise "care and loyalty" while managing the company. That means they're looking out for the company's and shareholders' financial interests, not their own.

When trying to discover board leaks, which could pose problems to the company's overall strategy, board members would be obligated to join together collectively and decide how to handle it, according to corporate governance experts. The problem, it seems, is the questionable tactics such as "pretexting," or posing as an individual to obtain that person's phone records, that HP and its investigators used to investigate those leaks.

"You could go a long way down that road without violating the law," said Robert Daines, co-director of the Arthur and Toni Tembe Rock Center for Corporate Governance at Stanford University. "They went to great extremes and chose bad methods to what might have been a valuable goal."

So what's next? Daines said it's important that HP do no less than law enforcement officials in investigating itself and ensure that it doesn't happen again.

Still, Elson believes that HP should have kept the board leaks a matter only for the board itself. "The tone that was set by this is very damaging to the company and its reputation," he said.



http://blogs.zdnet.com/BTL/?p=3658

HP press conference: Inventory of gory details, Hurd "clean," Dunn steps down

Posted by David Berlind @ 2:22 pm September 22, 2006

... The press conference principally involved two speakers — HP CEO Mark Hurd and Mike Holston, an attorney with Morgan Lewis, the law firm that was retained by Hurd in the earlier days of the investigation and now, the law firm that represents HP in its dealing with state and federal authorities on this particular matter.

As Hurd began the conference, he made it clear that he still did not have all the facts, and also pointed out that they may never have all of them. [Who does? Perhaps they should be in charge of corporate governance? Bob] Later in the conference, he pointed out that part of the problem in getting all the facts had to do with the fact that they were dealing with an outside investigative firm. That firm was identified as Security Outsourcing Solutions (aka: SOS) and it was also pointed out during the conference that SOS outsourced some of the work it was doing to another outfit known as Active Research Group.

Hurd seemed incredibly contrite [i. e. He didn't repeat Dunn's mistake. Bob] during his presentation (far more so than Patricia Dunn, the now former HP chairwoman, ever did) and, on several occasions reminded the attendees and listeners that the practices used to uncover certain information (in the course of the investigation) were very uncharacteristic of the sort of integrity that HP's management wants the company to be known for [weasel phrase Bob] by both its customers and employees. While he didn't condone the techniques, Hurd did say that the investigation was justified given the fact that the leaks were damaging to the company and that the practice of leaking information to the press violated company policies. Hurd said that investigating the leaks was an "appropriate course of action" but characterized the techniques as "isolated incidents of impropriety" and as "having no place in HP."

Hurd looked to clear his own name, saying he never approved of the tracing technology that was embedded into the e-mails sent to CNET News.com's Dawn Kawamoto. HP investigators hoped that Kawamoto would forward the e-mail to her source and that the tracing technology might lead them to whoever was responsible for the leaks. Hurd apparently approved the content of the e-mail, a detail that was offered later in the conference by Holston.

Effective immediately, Hurd had accepted Patricia Dunn's resignation from what appears to be the board of directors entirely. A different move from the one originally planned where she would step down as chairwoman in January but remain on the board as director. Apparently replacing her, as an independent director, is Richard Hackborn.

Before handing the microphone to Holston, Hurd said he was taking full accountability for the matter from this point forward.

Holston then went into the four primary techniques involved in the investigation. Namely

  • The use of pretexting to obtain phone and fax records

  • The use of social security numbers in the course of pretexting

  • The sending of emails with tracers

  • Physical surveillance

Holston noted that investigators, in the course of physical surveillance, had even engaged in a bit of dumpster diving — looking through one female reporter's (probably Kawamoto's) trash. In all, Holston said the investigation targeted two current HP employees, seven current or former members of the board of directors, and nine journalists.



Yet...

http://www.eweek.com/article2/0,1759,2019381,00.asp?kc=EWRSS03119TX1K0000594

Calif AG Says No Evidence to Link HP CEO to Crime

By Reuters September 22, 2006

NEW YORK (Reuters)—The California attorney general said on Sept. 22 there was no evidence yet linking Hewlett-Packard Chief Executive Mark Hurd to any criminal wrongdoing, as scrutiny grew over his role in the PC maker's probe of a boardroom leak.

... Hurd became a new focus in the scandal following published reports this week that he was more involved in the probe than originally thought.

The Washington Post reported Thursday that Hurd approved an elaborate "sting" operation on a reporter to determine the source of the leaks.

HP shares fell 29 cents to $34.58 on the New York Stock Exchange on Friday. The stock dropped 5.2 percent after the Post report Thursday.

... Hurd may face greater pressure to resign, even if his involvement is not proven, as HP aims to rebuild credibility, analysts said.



Another ethics question?

http://ask.slashdot.org/article.pl?sid=06/09/16/230253&from=rss

Data Theft Notifications - How Soon is Too Soon?

Posted by Cliff on Friday September 22, @11:36PM from the sooner-than-later dept. Privacy Security

bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. [dedicated email accounts... think about it! Bob] I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"

"Personally, I believe a security breach has occurred. So, I asked them how many people are affected by this; they feel certain that it's an isolated problem, because they haven't received a deluge of complaints. They don't know how these spammers got my reserved email address from my online broker (but they didn't sell it, they are quite clear on that), so how can they be so certain it's not their entire database, and how can they be so sure that things like my SSN and bank routing information wasn't also stolen?"



Isn't this the question almost everyone asks every 10 years?

http://techdirt.com/articles/20060922/084038.shtml

Um, Aren't You Guys Supposed To Count And Keep Track Of Stuff?

from the one-two-four-five dept

Government data leaks are becoming so common, they're hardly noteworthy anymore. But it does seem slightly ironic that the government agency tasked with counting the country's citizens and keeping track of all sorts of demographic data can't keep track of its own computers, as the news emerges that since 2001, the Census Bureau has lost 672 laptops, 246 of which contained people's personal information. It's also lost track of 15 of the PDAs census workers use to collect information, and 46 portable data storage devices. The best part? They've got no idea whose data, or how many people's was compromised, since the information workers collect is removed from the laptops at the end of every day -- though they are in the process of contacting the 558 households whose information was on the PDAs. But it gets better: other units within the Department of Commerce have lost another 500 or so laptops, in addition to those lost by the Census Bureau. It seems inevitable that, at some point, data leaks will come back to haunt private companies as their customers put a higher priority on data security and the impact of identity theft becomes more widespread. But the government's customers -- meaning us -- can't really take our business elsewhere, to a more secure vendor or retailer. So what motivation will they have to solve their leaky data problems?



Classroom lawyers...

http://techdirt.com/articles/20060922/142813.shtml

The Growing Backlash Against Automated Cheating Detectors

from the but-for-a-good-reason dept

It's been nearly four years since we wrote about students and parents being upset that online services that check student homework for plagiarism were also uploading and storing a copy of every paper they checked. [Why would they do this? Bob] It got to the point, earlier this year, that at least one university banned the use of Turnitin, one of the most popular services in this field. It seems that the student rebellion against such tools is growing, as many more students are questioning the legality of such tools, and asking their schools to stop using them. They're not just upset about the uploads, but about the assumption of guilt. While there clearly is plenty of plagiarism to go around, that doesn't mean this is the right solution to it. It's often easy to just throw technology at a problem, but it's worth recognizing that doing so always raises unexpected issues -- and those issues may not be technological on their own, but legal and cultural issues. It seems like many of the schools who jumped on the Turnitin bandwagon didn't spend much time thinking about those additional consequences, [“Thinking? Damn, I knew we forgot something!” Bob] and are now facing student anger because of it.



Another case of “forgot to think?”

http://techdirt.com/articles/20060922/144246.shtml

Not Just Third World Nations Banning Skype; Universities Get On Board Too

from the bad-policies dept

It looks like it's not just third world countries with government-backed telephone monopolies to protect that are banning VoIP. Some universities are getting in on the game as well. San Jose State University, just down the road from Skype's parent company eBay, has apparently decided to block all Skype use on campus. The reasoning isn't entirely clear, as school administrators say that it's because Skype's peer-to-peer nature effectively allows others to use the on-campus network -- though the same could be said of any peer-to-peer application, and hardly seems like a reasonable explanation for the outright ban. A more likely explanation probably has something to do with whatever contracts the university has with its telecom provider -- who doesn't like the idea of being undercut. In the case of San Jose State, it looks like outrage from both professors and students (as well as a pending visit from eBay) has caused the university to hold off on the ban for now.
