1 Bender on Privacy and Data Protection § 8.06 (2020)
Pretexting, or obtaining information under false pretenses, is a growing problem, and often is a prelude to identity theft. The FTC has attacked pretexting as an unfair or deceptive trade practice under § 5 of the FTC Act, and has also enforced a provision in the Gramm-Leach-Bliley Act prohibiting pretexting as to financial institutions. Two types of information that seem to be the favorite target of pretexters are financial information and telephone call information.
Pretexting amounts to obtaining the information of another under false pretenses, often by eliciting from a third party information about another individual by pretending to be that individual. For example, a pretexter armed with an account number and some identifying information might phone a bank and, by using that information, acquire additional information,
e.g., the account balance. Pretexters often then use or sell the information they acquire, which can lead to identity theft, where the information is used to open new accounts, buy merchandise, etc. Victims are often unaware they have been victimized until the pretexter defaults on an account and the account holder begins dunning the victim. Identity theft is discussed in elsewhere in this Treatise.
1 However, pretexting does not always lead to identity theft.
Pretexting has been going on for decades (at least), but it took on unprecedented notoriety in 2006 when certain high officials at Hewlett-Packard Corp. allegedly induced or permitted private investigators hired by the company to engage in pretexting by pretending that they were board members of the company, or journalists, in obtaining information from telephone companies. The purpose of this alleged pretexting was to determine which of the company’s directors was “leaking” information to the press.
Aside from the enormous amount of ink this episode attracted from the press, the event sparked significant legal activity. Investigations were launched by the US Securities and Exchange Commission, the US Federal Communications Commission, the US House of Representatives (through its Committee on Energy and Commerce), and the US Attorney for the Northern District of California. The Attorney General of California brought criminal actions in state court against five individuals
2 for fraudulent wire communication, identity theft, wrongful use of computer data, and conspiracy. In addition, the California Attorney General filed a civil action in connection with the occurrence. That civil action was settled as soon as it was brought in December 2006, with HP agreeing to pay some $14.5 million.
3 Most of that sum was to be used to create in the Attorney General’s office a “Privacy and Piracy Fund,” for use by the Attorney General and the state’s district attorneys in enforcing privacy and IP laws. The sum also included a civil penalty of $650,000, and reimbursement of the Attorney General’s costs of $350,000. The Attorney General commended H-P for “cooperating instead of stonewalling … . Fortunately, Hewlett-Packard is not Enron.”
The settlement agreement, in the form of a consent order, required HP to institute reforms in its corporate governance so as to enhance the company’s monitoring of compliance with legal and ethical standards, in connection with any investigations initiated by the company over the next five years. It also required that one position on the Board be occupied by an independent director responsible for compliance by the Board, and it required the company’s chief ethics and compliance officer, and its chief privacy officer, to take on expanded roles. Further, the company is required to create a “Compliance Council,” responsible for creating and maintaining policies and procedures relating to the company’s ethics and compliance program, and for submitting regular reports to the Board of Directors, CEO, and the Audit Committee. The settlement agreement also required the company to strengthen its training program so as to place increased emphasis on ethics and the avoidance of conflicts of interest. Moreover, it required the company to establish a set of guidelines governing the conduct of any private investigators it hired.
The Federal Trade Commission has been active in the pretexting area. The FTC has brought actions alleging unfair or deceptive trade practices in violation of section 5 of the FTC Act
4 against firms that allegedly used pretexting to obtain financial records. In October 2006 the FTC obtained its first settlement in a proceeding that alleged pretexting to obtain phone records (as opposed to financial records), against a private investigation firm.
5 The firm allegedly sold consumer phone records and credit card records that it obtained by pretexting. The settlement barred the firm from pretexting or hiring others to pretext on its behalf. It also required the firm to disgorge the $2,700 it apparently had earned by pretexting. In settling, the firm made no admission of any violation.
Section 521 of the Gramm-Leach-Bliley Act,
6 which was enacted in 1999 and applies only to financial institutions, contains a proscription against pretexting. This section prohibits any person from obtaining (or attempting to obtain) or causing to be disclosed (or attempting to cause to be disclosed) to any person, a financial institution’s customer information relating to another person by false statement to the institution or a customer, or by providing a document to the institution knowing that it is false, lost, stolen, or fraudulently obtained. Three exceptions are provided. One is for law enforcement agencies in the performance of their duties, and another is for insurance companies investigating fraud. The third is for financial institutions that obtain customer information in the course of testing security, investigating allegations of employee misconduct, or recovering customer information obtained in violation of the statute. Moreover, this statute does not apply to insurance companies in their investigation of insurance fraud, or to licensed private investigators to the extent necessary to collect child support from a person adjudicated delinquent. A violation of § 521 Is a crime punishable by a fine and imprisonment for up to 10 years.
The states have also been active in the area of pretexting legislation, especially in connection with telephone records. For example, in September 2006 New York enacted the Consumer Communications Records Piracy Act.
7 Subsection 2 of this law prohibits the knowing and intentional procurement, or attempt to procure, solicitation or conspiracy with another to procure, offer, sell, or fraudulently transfer or use telephone record
8 information from a telephone company, absent written authorization from the customer, except as otherwise authorized by law. The state Attorney General is authorized to bring an action to enjoin violations of the statute, and the court may award reasonable attorney’s fees and damages incurred by customers whose records were the subject of a violation. The court may also impose a civil penalty of $1,000.
Interestingly, a broad and strict California anti-pretexting bill that sailed through the California Senate 30-0, was defeated by sudden intense lobbying by the Motion Picture Association of America, which was of the view that it was necessary for representatives of the motion picture industry to pretext in order to identify those who unlawfully download motion pictures.
9 Accordingly, just a few days before the Hewlett-Packard matter attracted publicity, the bill was defeated 33-27 in the California Assembly. However, a narrower bill was then enacted in California, focusing solely on telephone records.
10 It prohibits the purchase, sale, or attempt or conspiracy to purchase or sell, any telephone calling pattern record or list, absent written consent of the subscriber. Unlike the New York law, it has criminal sanctions (imprisonment for up to one year, and a fine of up to $2,500).
Where the number of violations is large, statutory damages can be extremely extensive. Numerous defendants have argued that, for one reason or another, statutory damages should not apply. The U.S. Supreme Court long ago held that statutory penalties violate due process “where the penalty prescribed is so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable.”
11 Courts are reluctant so to find. Defendants in TCPA cases have argued that the penalty prescribed in that statute qualifies under the
Williams rule. In at least four cases, courts have awarded damages in an amount substantially less than statutory damages. In
Golan v. Veritas,
12 the court found that statutory damages that would exceed $1.6 billion were “obviously unreasonable and wholly disproportionate to the offense,” and instead awarded $32,424,930, amounting to $10 per call. The court found that this amount reflected the severity of the offense, would have a deterrent effect, and would account for unquantifiable losses, as well as take into account the time and expense of notifying the class and distributing damages. In
American Blastfax,
13 the court read the TCPA provision
14 as requiring statutory damages of
up to $500 per violation, and awarded damages of seven cents per violation (which it trebled for willful conduct).
In
Maryland v. Universal,
15 where statutory damages might have been $34 million before trebling, and plaintiff sought about $10 million, the court awarded $1 million. The court explained that $10 million was disproportionate to the size of defendant and its ability to pay. And in
Dish Network,
16 the court, in response to plaintiffs’ demand for $2.1 billion, awarded $280 million (20% of defendant’s after-tax profits for 2016, and amounting to $17 per violation), finding that amount “appropriate and constitutionally proportionate, reasonable, and consistent with due process.” Of these four cases,
Dish Network and
Golan based the reductions on compliance with due process.
Footnotes — § 8.06:
2 The five persons were the company’s chairwoman, its former ethics head, and three private investigators.
3 See M. Meland, “HP Settles Civil Charges in Spying Scandal,
IP Law 360 (7 Dec. 2006); J. LeClaire, “HP Reaches $14.5 Million Settlement in Spying Case,”
e-Commerce Times (8 Dec. 2006); AP, “HP to Pay $14.5 Million to Settle Pretexting Lawsuit,”
Boston Herald.com (7 Dec. 2006).
5 Federal Trade Commission v. Integrity Security & Investigation Services, Inc., et al. (E. D. Va., Newport News Div. 5 Oct. 2006) (Civil Action No.: 2:06-CV-241-RGD-JEB; FTC File No.: 062 3101).
8 Subsection 1(a) of this statute defines “telephone record”: “information retained by a telephone company that relates to the telephone number dialed from the telephone of a customer or the incoming number of a call directed to the telephone of a customer, the content of alphanumerical messages sent to or from a telephone or other data related to such calls typically contained on a telephone bill of a customer including but not limited to the time the call started and ended, the duration of a call, the time of day the call was made and any charges applied, provided, however, that information commonly known as caller identification or caller ID information transmitted to or retained by the recipient of a call shall not constitute a telephone record.”
9 See, e.g., R. Singel, “MPAA Kills Anti-Pretexting Bill,”
Wired News (1 Dec. 2006). The California Association of Licensed Investigators also opposed that bill.