In the wake of recent news at HP, pretexting has become the hot topic in the business world, and its sudden rise to fame broaches numerous questions including: What exactly is pretexting? How are companies liable for it? What are companies doing that is considered pretexting and how can they protect themselves from becoming the next HP?
The Federal Trade Commission Act defines pretexting as "getting your personal information under false pretenses." This definition may seem broad, but does more or less specify the parameters of pretexting as being anything done to mislead an entity, in any way, for the purpose of gaining information. For example, think of a time when you pushed someone for their birth date or address; a little white lie to attain information that otherwise you have no right to. Now imagine this situation on the corporate level. That's pretexting.
Pretexting is a more common practice than people realize and, thanks to recent news, companies are just now realizing their liability. One area where it is truly becoming a major concern is with outsourcing. Consider the example of company A, let's call them American Conglomerate Health Group (ACHG), a networked hospital system. ACHG has grown exponentially over the last few years to the point that ACHG Corporate is no longer able to regulate the group's internal bookkeeping (financial, employee and patient information). Their solution is to outsource bookkeeping tasks to company B, "East Coast Bookkeeping" (ECB).
The first thing ECB does is audit the old books to confirm the information recorded by ACHG in the past is correct. ECB is able to check back records and confirm most information, but has had trouble verifying patient information from April of 2004. Specifically, ECB is having issues aligning contact information, reasons for the hospital visit and financial information. As a result, a team is given the demanding task of filling in these information gaps. The issue begins when several members of the ECB team find it difficult to convince former patients or patient families to disclose such personal facts. Their solution? They pose as insurance company auditors and proceed to ask the same questions. Within a few weeks all information is synced and the company audit is complete. ACHG compensates ECB for their extra effort, completely unaware of the methods utilized for sorting out the bookkeeping error. In this example, the process that some employees at ECB chose to follow is considered pretexting and ACHG is liable because the task was completed on their behalf.
The scary thing is that this type of situation occurs regularly and, as a result, puts many companies in compromising situations, often without their knowledge.
Pretexting is just one example of improper activities involving the acquisition or use of personal information done in the name of "getting the job done." In fact, many incidents are caused by well-meaning individuals trying to get the job done. Errors of this sort can include a small search engine releasing its search results data as a way to attract advertisers, a card processor saving time-sensitive information with the expectation they would be able to use it for fraud protection, a large technology company trying to find the leak in their corporation by hiring a firm to, as it turns out, gather telephone records under false pretenses. By all accounts these practices are considered to be acts of improper personal information acquisition or misuse.
The risks are there, so now what? Companies are now required to demonstrate they have a solid process of communicating expectations to vendors ? auditing and testing their practices and monitoring performance.
The HP situation shows us that, regardless of whether there is legal liability, you can outsource responsibility but not accountability and in the end, the court of public opinion will seriously impact your company's reputation. In many areas, such as privacy or IT security, an organization can put as much indemnification as it wants into a contract but it still cannot shed liability for the actions of any hired agents, both internal and external. In other words, the hit for failure can be twice as severe. With outsourcing trends accelerating at a rapid pace, how many companies feel their vendor risk management programs are at the same level of maturity as their manufacturing systems? The likely answer is very few.
This introduces a fairly obvious question: what can be done? The most pressing problem with pretexting issues is that no one really has that answer. Typical companies today do not have a standard procedure plan, and the few that do are generally vague about the plan's implementation. Luckily, hope is on the horizon. Below are a few suggestions on steps to proactively dealing with pretexting issues.
First, identify which areas/teams are most likely going to be assigned to the task of seeking out personal information.
Second, identify the teams/areas that require personal information. Be able to provide guidance (and be a resource for questions) to help staff decide what information to seek and what process to use in the evaluation.
Third, consider the vendors. Who gathers personal information or supplements information on the company's behalf? Does the company have contracts with them to ensure they use legal methods and, preferably, have they reviewed their techniques for obtaining information? Has the company taken steps to ensure that vendor agreements require the vendor to mandate that their subcontractors provide the same review/controls our company requires? An organization might be opening itself up for potential disaster if the answers to these questions are hard to come by.
Equally as important, organizations should remind their teams to check all decisions against clearly defined standards. Here are a couple of questions people should ask themselves before moving forward:
How will it look on the front page of the New York Times?
Would I feel comfortable telling my mother I did this?
Am I feeling guilty? …If so, I probably should not be doing it.
Another step could be to consider creating a Personal Information Ethics Hotline (PIEH) to which people can call in or ask a question, without fear of negative repercussions, about any personal information focused technique. On the other end, put into place a cross-functional panel which can respond and provide recommended alternates if needed. Consider making the PIEH a vehicle of an internal personal information center of expertise. This could be a semi-formal team led by the chief privacy officer or someone with a regulatory and corporate connection. The team would help identify areas where personal information is captured, used or supplemented and create a risk based assessment of those areas.
The bottom line is to eliminate any information gathering techniques that have a component which can only be regarded as dishonest. Train employees to think about image, not law. A simple approach could be to couple the age old business practice of asking if it "is legal" with the practice of asking "is it right?" Use a rule (call it Leonard's law) which reads, "If it takes more than 10 seconds to explain why you are right, you are wrong."
It is also important to keep in mind that pretexting is a major issue for any large organization but it is only the tip of the iceberg when discussing ethics, integrity, risk and compliance in the supply chain. Imagine how tough it is to gain visibility internally regarding these issues and then imagine trying to achieve this same visibility within the supply chain. What other problems lurk regarding vendor use of employee or consumer information? What regulations may or may not be followed by contractors or agents regarding disposal of hazardous waste, pharmaceutical sales practices, government relations, etc.?
Ultimately, we need to ask ourselves as business leaders, is the issue specifically isolated in pretexting or are we neglecting more broadly to drive and enforce ethics, integrity and reputation management within our rapidly expanding network of business partners and vendors? Proactively addressing this issue could seriously lessen governments' intentions or compulsions to regulate.