In one telling moment during the recent Congressional hearings on the Hewlett-Packard board scandal, ousted chairman Patricia Dunn offered the 'everybody does it' defence.

Asked by one legislator about HP's hiring private investigators who obtained phone records under false pretenses, a practice called pretexting, to identify who'd leaked confidential information, Dunn replied, "I believe these [pretexting] methods may be quite common at companies around the country."

If so, that is chilling to business ethicist Kirk Hanson.

Is HP alone?

"As an ethicist I'm horrified that HP's managers relied on the assertion that it was borderline, but legal, and never asked whether it was ethical," says Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University, in Santa Clara, California.

If HP adopted what Hanson called "black ops" as standard investigative practices, he wonders how many other companies have done it.

HP, some of its employees and companies it hired to investigate boardroom leaks to news media still face potential civil and criminal liability for their actions. Other companies find themselves in a dilemma over how to control information within the law.

Companies may have a moral or legal responsibility to respect people's privacy, but they also have a legal and fiduciary responsibility to protect confidential business information. And under the US federal Sarbanes-Oxley Act in effect the last four years, they have obligations to investigate certain leaks, Hanson says.

Companies have a right to investigate their own employees if they're suspected of leaking information. Employees should presume no right to privacy in their use of company computers, email or telephones.

One commonly used tactic to probe security breaches doesn't even involve electronic snooping. Companies exclusively give suspected leakers seemingly important but relatively benign information. If it turns up in the media, the company has identified the leaker.

Apple's approach

But Hanson sees a bright line separating how a company can investigate its own employees and how it can investigate outsiders.

The HP reaction to leaks to reporters contrasts with the recent practice of Apple when proprietary information got out.

Although Apple is known for its devotion to secrecy, it went to court rather than to private eyes when confidential information leaked in 2004. Apple sued two websites to force them to reveal their sources for stories they posted about a possible new Apple product. A state appellate court ruled May 26 that the writers on those sites enjoy the same US First Amendment rights as mainstream journalists and were protected against revealing their sources. Apple dropped the case. It did not reply to a request for comment on this story.

Unexpected by-product

The Sarbanes-Oxley Act requires companies to develop a whistle-blowing reporting system so employees can raise issues about improper behaviour within the company, said Hanson. That has prompted companies to develop an investigative capability in the event improper or illegal activity is alleged. "So (under SOX), companies have developed much enhanced investigative capability," he said.

Companies also have to keep confidential information safe because disclosure could be a criminal act or a breach of fiduciary responsibility, said Rob Enderle, senior analyst at Enderle Group, a technology market research firm.

If word leaks that a board is contemplating an acquisition, for instance, the company or people in it could be prosecuted for insider trading if people used that knowledge to make stock trades.

Given the potential liabilities, corporate investigations of leaks are "common," said Enderle. "The stuff with the pretexting goes to the extreme, but looking at company phone records or emails, that is very common. Hiring an outside contractor is also common."

In fact, leak investigations enjoy broad support among corporate directors.

Any means necessary?

In a September telephone survey of 226 board members at publicly traded companies in the US, 73 per cent said a company's chairman should be empowered to use any legally available means to identify a board-level leaker, according to Ponemon Institute.

About 71 per cent of the respondents said it would be okay for a board chairman to review the email messages of other members, in addition to other types of confidential data stored on company computers. Fifty per cent said that reviewing telephone records of individuals obtained via pretexting is proper as long as that approach hasn't been outlawed.

But HP's tactics of tailing reporters, attempting to install a tracer on a reporter's email program, pretexting numbers of people outside the company and even considering planting spies in newsrooms as janitors or clerical workers is "bizarre" to Rick Belluzzo.

"The reaction by HP was totally out of proportion with the situation," said Belluzzo, chairman and CEO of Quantum (also a former HP executive vice president for 23 years), a network storage equipment maker.

While he understands the importance of keeping certain information confidential and making employees and directors sign confidentiality agreements, HP overreacted to information leaks that are sometimes going to happen anyway.

"It's an impossible task to control information flow. Some leaks are inevitable," Belluzzo said.