Most businesses, institutions, and organizations gather information from and about their customers, constituents, or members. Many businesses also want information about potential customers and may obtain names from a mailing list of some other business ororganization. Unless the owner of the list has a privacy policy that prohibits the sharing of certain information without the  person’s consent, a business may purchase the list and proceed to offer its product or service to all the people on it. Locating potential customers in this manner may be completely legal, depending on how the information was obtained in the first place. Pretexting is a method of collecting personal information that skirts the boundary between legal and illegal.

What Is “Pretexting”?

A pretext is a false motive put forth to hide the real motive, and pretexting is the process of obtaining information by false means. The term pretexting was first used in the 1990s when scammers obtained Social Security numbers by claiming that they were from the Social Security Administration and that their computer had broken down. Pretexters may try to obtain personal data by claiming that they are taking a survey for a research firm, a political party, or even a charity. Then they proceed to ask for information such as the person’s insurance or telephone company, where he or she banks, and perhaps the name of his or her broker. Once they obtain the information, the pretexters sell it to a data broker, who in turn sells it to someone else, who may be a legitimate businessperson, a private investigator, or an individual intent on identity theft.

Pretexting Legislation

In 1999, Congress passed the Gramm-Leach-Bliley Act, which made pretexting to obtain financial information illegal. Initially, it was not clear whether that law prohibited lying to obtain nonfinancial information for purposes other than identity theft.

Fueling the debate over pretexting was a scandal involving Hewlett-Packard’s board of directors. To find out who had leaked confidential company information to the press, Hewlett-Packard chair, Patricia C. Dunn, hired private investigators who used false pretenses to gain access to individuals’ personal cell phone records. Dunn claimed that she was not aware of the investigators’ methods and had assumed that they had obtained the information from public records. Although criminal charges that were brought against her were later dropped, several civil lawsuits followed. The company eventually paid $14.5 million in fines to settle a lawsuit filed by the California attorney general. In 2008, Hewlett-Packard reached a settlement with the New York Times Company and three BusinessWeek magazine journalists in connection with the scandal.

To clarify the law on pretexting to gain access to phone records, Congress enacted the Telephone Records and Privacy Protection Act. This act makes it a federal crime to pretend to be someone else or to make false representations for the purpose of obtaining another person’s confidential phone records. The act also prohibits the buying, selling, transferring, or receiving of such phone records without the phone owner’s permission. The Federal Trade Commission investigates and prosecutes violators, who can be fined and sentenced to up to ten years in prison.

Questions

1. Make sure that your company has a privacy policy. If it does not, one should be created.

2. Never provide a third party with information unless your company’s privacy policy specifically allows you to do so.

3. If you wish to acquire personal information on potential customers from a third party, make sure the data broker is legitimate, and find out how the information was acquired.

4. Treat all pretexting as illegal.