The changing rules of corporate spy games

While it may seem like an anomaly, the saga of high-level snooping at Hewlett-Packard sheds light on an ethical balancing act playing out across corporate America.

Companies routinely take measures – including, as in Hewlett Packard's case, retaining the services of outside private investigators – to guard trade secrets and confidential plans. But as technology makes it easier to trace leaks, firms are also seeing the need to avoid cultivating mistrust.

The drama at Hewlett-Packard is highly unusual because clandestine measures focused on top company officials and on journalists, to find which board member was leaking information to the press.

Yet even beyond HP, defining the limits of corporate snooping may be growing in complexity. New technologies are expanding both the opportunities for malfeasance and the ability to chase it down. And in a knowledge-based economy, generating and guarding ideas is now central to any corporation's market value. That involves nurturing loyalty and morale among creative employees, while also monitoring their activities.

"HP had every right to initiate an investigation," says Sean Walsh, a private investigator who works with other corporations in Silicon Valley and the San Francisco area. "Where things went awry was the methodology used in this case."

As the Hewlett-Packard case suggests, sometimes efforts at damage control do more harm than good. HP should be winning plaudits for its recent stock price highs. Instead, the high-tech giant is in the news for the lengths it went to hunt down a board member with loose lips.

By HP's own account on Friday, its leak-tracing efforts crossed a line into "inappropriate" actions. Chief executive officer Mark Hurd gave a news briefing to apologize for investigators' use of techniques such as gaining access to personal phone records under false pretenses.

But questions have continued to emerge about his own role. As a board member who was aware of the investigation, he lent his approval to an attempted e-mail "sting" that targeted a journalist. Investigators hired by HP put a hidden code in the e-mail to trace if it was forwarded to a boardroom leaker. Mr. Hurd was apparently aware of the general stratagem, but not of the tracer code. He has volunteered to talk about the affair at a Capitol Hill hearing Thursday.

A number of cautionary lessons are emerging, say experts, on business ethics, management, and security. While some of the tactics HP used may be illegal, others have landed the company in hot water simply because they were improper.

"The bar of ethics is higher than the bar of the law," says Dean Krehmeyer, who heads the Business Roundtable Institute for Corporate Ethics in Charlottesville, Va.

At the same time, experts say, today's corporations have a need – even a duty – to protect their business secrets.

Mr. Walsh, who helps many corporations with security, says it's not unusual for companies to hire an investigator to go under cover as an employee to stop theft. Walsh's firm has contracts to perform regular "bug sweeps" and other countermeasures to make sure no one is using high-tech means to steal trade secrets. And when crises erupt, in-house security teams often call for outside help from firms like Walsh's.

"We usually are there when the horse is already out of the barn," says Walsh, a past president of the California Association of Licensed Investigators.

About three years ago, he was tapped to track down a leak of sorts. A software company had detected a pattern of large files being downloaded at odd hours. Walsh helped identify which worker was stealing sensitive data.

In fact, it is now routine for companies to use computers or video cameras to monitor all manner of office behavior.

Experts say it's important that companies let employees know what is being tracked and why, so workers will support efforts that may, in the end, help them prosper.

But recognizing boundaries and privacy is also important, experts say.

"Don't snoop," is generally a good guideline of workplace etiquette, says Barbara Pachter of consulting firm Pachter & Associates in Cherry Hill, N.J. "It might not set the right tone."

Others add that building a tone of trust is especially vital in the boardroom in an era when corporate directors face new duties and heightened scrutiny. Black-bag investigations don't achieve that goal, they say.

"A culture that could produce this kind of thinking ... needs to be seriously reexamined," says Charles Elson, who heads the University of Delaware's Center of Corporate Governance.

At Hewlett-Packard, the boardroom culture was apparently poisoned by personal conflicts during a period that saw the ouster of Carly Fiorina as CEO early in 2005. Next month Ms. Fiorina is publishing a book on her controversial tenure at the iconic Silicon Valley company.

The leaks were a serious matter and each board member denied being the source when asked by HP.

"There was potential for harm," says Craig Dunn, a business ethics expert at San Diego State University.

He doesn't see it as problematic that the probe included surveillance of board members beyond company property. But securing records for personal phone calls under false pretenses, and the phone records of journalists, crossed a line, he says.

"Now you're going outside" the company, he says, beyond where "you have direct control or access."

In a survey of 526 US companies:

• 76% monitor workers' website connections.

• 26% have fired workers for misusing the Internet.

• 6% have fired employees for misusing office telephones.

Sources: American Management Association and ePolicy Institute