In Depth

5 Things About Corporate Investigations That Won't Change...

...As a Result of the Hewlett-Packard Pretexting Scandal

By Sarah D. Scalet

play well on the evening news. "We're already overregulated, and we think we're knowledgeable about

all the laws," says Wipprecht, whose group typically investigates things such as cash shortages,

mortgage fraud and expense abuse.

Likewise, the senior director of loss prevention at Luxottica Retail, who's a member of the ASIS Retail

Loss Prevention Council, insisted that he hadn't experienced any extra scrutiny on the investigations his

group runs, which are typically background checks on new employees or investigations into thefts from

stores.

"I have no intention of scaling back, because I know our investigations are done under guidelines and

the law," says Alan Greggo, whose company operates 4,600 retail locations including LensCrafters,

Pearl Vision and Sunglass Hut. Checks and balances are key, he says. Any use of the company's camera

system, for instance, must be approved by a senior director and the legal department; results of

investigations must be reviewed by a director-level loss prevention associate to make sure evidence is

used properly.

Elsewhere, CSOs were looking at their policies and largely concluding that they had appropriate

guidelines in place. Recruiter Kathy Lavinder, executive director of Security and Investigative Placement

Consultants in Bethesda, Md., says some of her clients were dusting off their policies, pushing them out

to their chains of command, and emphasizing that certain tactics—such as pretexting to obtain

private telephone records—were not allowed. She adds that no one she talked to had indicated

they ever permitted such activities. But she didn't seem convinced that the HP investigation would

necessarily result in any seismic changes.

"I think there'll be a lot of talk," Lavinder predicts. "In some cases it will be genuine, and in some cases

it will be window dressing. A certain number of senior executives want to do what they've always done,

which is to some extent turn a blind eye, particularly if an investigation is outsourced. Don't ask, don't

tell. That's a risky strategy, but I think we'll see some of that as well."

What makes this easy to do, given the circumstances, is that the HP case appears to be an

outlier—something so outlandishly awful that the industry can shrug its collective shoulders and

simply disregard it. Companies can say, "It won't happen to us," because it probably won't.

Furthermore, if people with lots of money and power are committed to a project that constitutes an

epic lapse in judgment, it's very difficult to stop them. Sad, but true.

Reality check: For better or worse, HP is a talking point, not an industry-changing event.

Assumption #2 Companies will quit exposing themselves to the risks of third-party