Introduction

In the Hewlett-Packard case, I can t help thinking of how HP could have prevented its pretexting scandal. Clearly, the practice of corporate America as it relates to reporting incidents is at fault here. It is not uncommon for companies to handle criminal incidents in-house, electing not to seek help from outside agencies. This reluctance is due to the fear that reporting the incident will result in negative media exposure, which could lead to a loss of customers, a loss of customer confidence, and ultimately a loss of profits. This holds true even for companies that are required by law to report criminal incidents.

As a cyber crime detective, I was contacted on numerous occasions by companies looking to get help with a criminal case long after their investigation had commenced. In many of these cases, the company was required by law to report the incident immediately, but did not. By the time the cases got to me, they had clearly spun out of control. At this stage of the investigation, my role in their eyes was more of a cleanup crew than someone out to catch the suspect. As a result of involving law enforcement late in the investigation, crucial evidence was lost, suspects got off, and reputations were damaged. These companies played Vegas odds with full disclosure and ultimately rolled craps.

In the Hewlett-Packard case, board members were leaking corporate information outside of the company s board room. HP, as a publicly traded company, had a financial responsibility to...