The directors and officers of a company are responsible for preserving the company’s most valuable assets, such as strategic plans or intellectual property assets. When leaks of company confidential or proprietary assets occur, and there is a suspicion of illegal practices by certain individuals, the company management has an obligation and a legitimate need to make these practices stop. To do so, it is necessary to identify those who are responsible for the leakage of information.
These investigations present a delicate challenge. It might be tempting to try to obtain access to an employee’s personal telephone records, in order to identify the source of the leak or the recipient of the leaked information. Don’t do it!
Think before to you try to peek at your employees’ personal telephone records. This practice is prohibited by the Telephone Records and Privacy Protection Act (“TRPPA”).
TRPPA targets the practice known as “pretexting,” where someone calls a company impersonating a customer and attempts to secure personal records of the customer without the customer’s knowledge or permission. The law focuses on pretexting to obtain phone records. It provides criminal penalties for those who attempt to fraudulently obtain confidential telephone records or to sell or purchase such records.
TRPPA makes it a crime to obtain confidential phone records by making false or fraudulent representations to an employee or a customer of a telecommunications or VOIP carrier, or by accessing customer accounts via the Internet, or through computer fraud. Those prosecuted under this law face fines and prison terms.
Scope of the Law
The Telephone Records and Privacy Protection Act, 18 USC Sect. 1039 regulates obtaining, selling, transferring, purchasing, or receiving confidential telephone records information from telecommunications carriers and other “covered entities.”
“Covered entities” are entities that either qualify as “telecommunications carrier” in section 3 of the Communications Act of 1934 (47 U.S.C. 153), or are providers of VoIP service. The law protects the “customers” of covered entities. A “customer” is any individual or company who receives products or service from a covered entity.
What information is protected?
The law protects “confidential phone records information.” The term is defined as any information that–
- Relates to the quantity, technical configuration, type, destination, location, or amount of use of a service offered by a covered entity, subscribed to by any customer of that covered entity, and kept by or on behalf of that covered entity solely by virtue of the relationship between that covered entity and the customer;
- Is made available to a covered entity by a customer solely by virtue of the relationship between that covered entity and the customer; or
- Is contained in any bill, itemization, or account statement provided to a customer by, or on behalf of a covered entity solely by virtue of the relationship between that covered entity and the customer.
What is Prohibited?
The law prohibits obtaining, selling, transferring, purchasing, or receiving confidential telephone record information from telecommunications carriers of covered entities.
The TRPPA makes it a crime for anyone to knowingly and intentionally obtain, or attempt to obtain, confidential phone record information of a “covered entity,” by making false or fraudulent statements or representations to an employee of a covered entity or to a customer of a covered entity. It prohibits giving a document to a covered entity knowing that such document is false or fraudulent, and accessing customer accounts of a covered entity via the Internet, or through computer fraud without prior authorization from the customer to whom such confidential phone records information relates.
The law makes it crime to knowingly and intentionally sell, transfer, purchase, receive, or attempt to sell, transfer, purchase or receive confidential phone records information of a covered entity, in interstate or foreign commerce (a) without prior authorization from the customer to whom such confidential phone records information relates; or (b) when knowing, or having reason to know, that such information was obtained fraudulently.
There is no violation if the confidential phone records information is used by a covered entityto (1) initiate, render, bill, and collect for telecommunications services; (2) protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services; or (3) provide call location information concerning the user of a mobile device in case of an emergency.
In most instances, those prosecuted under TRPPA face fines and imprisonment of up to ten years, or both.
If the violation is combined with a violation of another Federal law, or is part of a pattern of illegal activity involving more than $100,000, or more than 50 customers of a covered entity, in a 12-month period, then, in addition to the penalties provided above, those prosecuted may be fined up to $500,000 or imprisoned for up to five years, or both. In addition, there are enhanced penalties for the use of the protected information in furtherance of certain criminal offenses.
What Consequence for Businesses?
When investigating an information leak, businesses must ensure that they remain within the boundaries of the law. They must ensure that their service providers do the same, as well. Indeed, the company ultimately remains fully liable for the activities of its subcontractors.
To keep on track, and avoid venturing into the TRPPA minefield, companies need to have in place procedures, and safeguards. They should take steps to instill proper ethics and values to their personnel (and subcontractors or service providers) through rigorous training that sets the tone and sensitizes to the delicate balance between the company’s interest and the protection of individual rights and freedoms. They also need to constantly monitor compliance with the set guidelines, and punish the infringers.
Consider, for example:
- Appointing an independent director to serve as the board’s watchdog on compliance with ethical and legal requirements, and be responsible for overseeing any investigation, reporting violations to the Board.
- Appointing a chief ethics and compliance officer(CECO) with oversight and reporting duties, and authority to retain independent legal advisors.
- Enabling the company’s chief privacy officer to review and oversee the company’s practices and investigation protocols to ensure they protect privacy and comply with ethical requirements.
- Appointment of a Compliance Council to develop and maintain policies and procedures governing the company’s ethics and compliance program, and provide periodic reports to the CEO, Audit Committee, and Board.
- Ensuring that ethics and conflict-of-interest components are included in the company’s training program.
- Addressing ethical standards regarding investigations in the company’s employee and vendor codes of conduct.