No sense pointing the finger at HP anymore; we have Congress and the FBI to do that. But I did want to discuss the "I didn't know what my employees/vendors/executive staff were doing" defence - which was, of course, made famous by Enron, so you have to know it just won't do. Instead of looking backward, I spoke with a couple of experts on governance, privacy, risk and compliance assessment about how companies can do the right thing in the future.
First, let's define our terms. HP was accused of pretexting. The definition of pretexting is getting private information about an individual under false pretences. To put it in the context of a typical crime, a pretexter might then sell that information to people who might want to do bad things to that individual. HP is the cause celebre of the moment, but what is this story really about? If we take HP at its word, it seems to be admitting it had no policies in place on ethical business practices and what was acceptable behaviour for employees and/or vendors.
Or, if it did have such policies, it had no process in place that communicated those policies in clear and simple terms.
Or, if HP had policies and it communicated those policies to employees and vendors, it had no follow-up process in place that monitored the behaviour of (in this case) its vendors, to ensure that they were abiding by the corporate policies that were originally communicated.
Matt Leonard is a senior fellow at the Ponemon Institute, a think tank that focuses on policy and privacy as it relates to business operations. From years of experience, Leonard gives HP the benefit of the doubt. He tells me that HP, like many companies, has these policies in place - certainly regarding sexual harassment; certainly regarding financial practices, since Sarbanes-Oxley; but also regarding what is proper information-gathering.
"They know what is the appropriate method of gathering information for marketing or CRM," Leonard said. "But as soon as you get out of that narrow focus, people don't have the same awareness of what a particular business unit is doing."
I also put in a call to Ted Frank, president and founder of Axentis, an on-demand software vendor in the governance, risk, and compliance space with a stellar list of Fortune 2000 companies as clients. Frank gave me a very short list of what every company should be doing.
First, everyone - employees and vendors - must be up to speed on what pretexting, or any other dubious practice, is. The company, whether through the chief compliance officer or the board, must also determine which business units potentially may be engaging in questionable practices, and monitor them closely.
A company must lay out the behavioural expectations for everyone.
Frank also reminds us that sentencing guidelines hold out a carrot to misbehaving companies: If a company has a so-called effective compliance program in place that makes clear what practices are not acceptable, and the company self-reports when something illegal is uncovered, executives may receive reduced fines (or less jail time) if the company is charged with a crime.
Leonard said we have a culture that rewards people for getting stuff done.
Unfortunately, somewhere along the line that same culture decided that it is better to ask for forgiveness than for permission.