First, the latest. MarketWatch is now reporting that Patricia Dunn has offered to resign if the HP board asks her to, and there will be a special meeting of the board by telephone this weekend to discuss it.
SFGate has some information on two statutes that the California Attorney General Bill Lockyer says are involved in the HP leak probe case. I thought you might like to see them. Note that they are not necessarily the only two statutes that may come into play, as there are federal laws also, such as the Computer Fraud and Abuse Act, Title 18, Section 1030, subtitled "Fraud and related activity in connection with computers", and there are federal agencies that could get involved, such as the FCC, the FTC, and the SEC, depending on a number of factors. I'm afraid that doing any kind of law-breaking with a computer tends to compound your problems. But these are the two statutes connected to the California investigation.
If you are interested, Electronic Privacy Information Center, EPIC, has a page specifically on its efforts to get laws passed outlawing pretexting of any kind. Here's a letter it sent on April 24, 2006 providing its views on the California law, SB 1666, that would make pretexting illegal and which is now on the Governor's desk. You can read the text as introduced in February. After amendments, it looks like this. This is a website where you can follow California legislative information. And here you can read all about SB 1666. Here are EPIC's comments to the FCC, which is also considering what to do about pretexting.
MarketWatch has an article on pretexting that gives some tips on how to avoid becoming a victim. One of the companies that EPIC identified as selling personal data -- it claims it has stopped -- also has a few more tips [PDF] on how to protect yourself from pretexters.
I have my doubts that anything works 100% currently, when the phone companies use information to authenticate their customers that employers, neighbors, coworkers, and ex-significant others would likely know or could easily find out and misuse.
Here's the snip from the article to get us started:
Chris Hoofnagle, a privacy expert and senior attorney at UC Berkeley's Boalt Hall School of Law, agreed that it appears the pretexting methods employed by HP's investigators violate the law.
"Pretexting like this is technically hacking," he said. "This is illegal under state and federal law."
Specifically, Lockyer said, the HP case runs afoul of California Penal Code Section 502, which prohibits "tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems."
He also said the case involves Penal Code Section 530.5, which bars use of people's personal info "for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services or medical information in the name of the other person without the consent of that person."
"Pretexting is a serious problem," Lockyer said.
And in HP's case, he said, the company is guilty of breathtaking arrogance if nothing else.
"The idea of a corporate official spying on another official is outrageous," Lockyer said. "It's also incredibly stupid."
Here's Penal Code Section 530.5, in colored text so you can easily see where it begins and ends:
(a) Every person who willfully obtains personal identifying information, as defined in subdivision (b), of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical information in the name of the other person without the consent of that person, is guilty of a public offense, and upon conviction therefor, shall be punished either by imprisonment in a county jail not to exceed one year, a fine not to exceed one thousand dollars ($1,000), or both that imprisonment and fine, or by imprisonment in the state prison, a fine not to exceed ten thousand dollars ($10,000), or both that imprisonment and fine.
(b) "Personal identifying information," as used in this section, means the name, address, telephone number, health insurance identification number, taxpayer identification number, school identification number, state or federal driver's license number, or identification number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, checking account number, PIN (personal identification number) or password, alien registration number, government passport number, date of birth, unique biometric data including fingerprint, facial scan identifiers, voice print, retina or iris image, or other unique physical representation, unique electronic data including identification number, address, or routing code, telecommunication identifying information or access device, information contained in a birth or death certificate, or credit card number of an individual person.
(c) In any case in which a person willfully obtains personal identifying information of another person, uses that information to commit a crime in addition to a violation of subdivision (a), and is convicted of that crime, the court records shall reflect that the person whose identity was falsely used to commit the crime did not commit the crime.
(d) Every person who, with the intent to defraud, acquires, transfers, or retains possession of the personal identifying information, as defined in subdivision (b), of another person is guilty of a public offense, and upon conviction therefor, shall be punished by imprisonment in a county jail not to exceed one year, or a fine not to exceed one thousand dollars ($1,000), or by both that imprisonment and fine.
(e) Every person who, with the intent to defraud, acquires, transfers, or retains possession of the personal identifying information, as defined in subdivision (b), of another person who is deployed to a location outside of the state is guilty of a public offense, and upon conviction therefor, shall be punished by imprisonment in a county jail not to exceed one year, or a fine not to exceed one thousand five hundred dollars ($1,500), or by both that imprisonment and fine.
(f) For purposes of this section, "deployed" means that the person has been ordered to serve temporary military duty during a period when a presidential executive order specifies that the United States is engaged in combat or homeland defense and he or she is either a member of the armed forces, or is a member of the armed forces reserve or the National Guard, who has been called to active duty or active service. It does not include temporary duty for the sole purpose of training or processing or a permanent change of station.
And now the longer one, California Penal Code Section 502, which I've edited to show the pertinent parts (the rest has to do with things like theft of telephone services, which isn't germane):
(a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering, interference,
damage, and unauthorized access to lawfully created computer data and
computer systems. The Legislature finds and declares that the
proliferation of computer technology has resulted in a concomitant
proliferation of computer crime and other forms of unauthorized
access to computers, computer systems, and computer data.
The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the
privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.
(b) For the purposes of this section, the following terms have the
following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with
the logical, arithmetical, or memory function resources of a
computer, computer system, or computer network.
(2) "Computer network" means any system that provides
communications between one or more computer systems and input/output
devices including, but not limited to, display terminals and printers
connected by telecommunication facilities.
(3) "Computer program or software" means a set of instructions or
statements, and related data, that when executed in actual or
modified form, cause a computer, computer system, or computer network
to perform specified functions.
(4) "Computer services" includes, but is not limited to, computer
time, data processing, or storage functions, or other uses of a
computer, computer system, or computer network.
(5) "Computer system" means a device or collection of devices,
including support devices and excluding calculators that are not
programmable and capable of being used in conjunction with external
files, one or more of which contain computer programs, electronic
instructions, input data, and output data, that performs functions
including, but not limited to, logic, arithmetic, data storage and
retrieval, communication, and control.
(6) "Data" means a representation of information, knowledge,
facts, concepts, computer software, computer programs or
instructions. Data may be in any form, in storage media, or as
stored in the memory of the computer or in transit or presented on a
display device.
(7) "Supporting documentation" includes, but is not limited to,
all information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or computer
software, which information is not generally available to the public
and is necessary for the operation of a computer, computer system,
computer network, computer program, or computer software.
(8) "Injury" means any alteration, deletion, damage, or
destruction of a computer system, computer network, computer program,
or data caused by the access, or the denial of access to legitimate
users of a computer system, network, or program.
(9) "Victim expenditure" means any expenditure reasonably and
necessarily incurred by the owner or lessee to verify that a computer
system, computer network, computer program, or data was or was not
altered, deleted, damaged, or destroyed by the access.
(10) "Computer contaminant" means any set of computer instructions
that are designed to modify, damage, destroy, record, or transmit
information within a computer, computer system, or computer network
without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer
instructions commonly called viruses or worms, that are
self-replicating or self-propagating and are designed to contaminate
other computer programs or computer data, consume computer resources,
modify, destroy, record, or transmit data, or in some other fashion
usurp the normal operation of the computer, computer system, or
computer network.
(11) "Internet domain name" means a globally unique, hierarchical
reference to an Internet host or service, assigned through
centralized Internet naming authorities, comprising a series of
character strings separated by periods, with the rightmost character
string specifying the top of the hierarchy.
(c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
(3) Knowingly and without permission uses or causes to be used
computer services.
(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
(6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
(7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
(9) Knowingly and without permission uses the Internet domain name
of another individual, corporation, or entity in connection with the
sending of one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or computer
network.
(d) (1) Any person who violates any of the provisions of paragraph
(1), (2), (4), or (5) of subdivision (c) is punishable by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
(A) For the first violation that does not result in injury, and
where the value of the computer services used does not exceed four
hundred dollars ($400), by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment.
(B) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000) or in an injury,
or if the value of the computer services used exceeds four hundred
dollars ($400), or for any second or subsequent violation, by a fine
not exceeding ten thousand dollars ($10,000), or by imprisonment in
the state prison for 16 months, or two or three years, or by both
that fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(3) Any person who violates paragraph (6) or (7) of subdivision
(c) is punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).
(B) For any violation that results in a victim expenditure in an
amount not greater than five thousand dollars ($5,000), or for a
second or subsequent violation, by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(C) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000), by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
(4) Any person who violates paragraph (8) of subdivision (c) is
punishable as follows:
(A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in a county jail not exceeding one
year, or in the state prison, or by both that fine and imprisonment.
(5) Any person who violates paragraph (9) of subdivision (c) is
punishable as follows:
(A) For a first violation that does not result in injury, an
infraction punishable by a fine not one thousand dollars.
(B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
(e) (1) In addition to any other civil remedy available, the owner
or lessee of the computer, computer system, computer network,
computer program, or data who suffers damage or loss by reason of a
violation of any of the provisions of subdivision (c) may bring a
civil action against the violator for compensatory damages and
injunctive relief or other equitable relief. Compensatory damages
shall include any expenditure reasonably and necessarily incurred by
the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered, damaged,
or deleted by the access. For the purposes of actions authorized by
this subdivision, the conduct of an unemancipated minor shall be
imputed to the parent or legal guardian having control or custody of
the minor, pursuant to the provisions of Section 1714.1 of the Civil
Code.
(2) In any action brought pursuant to this subdivision the court
may award reasonable attorney's fees.
(3) A community college, state university, or academic institution
accredited in this state is required to include computer-related
crimes as a specific violation of college or university student
conduct policies and regulations that may subject a student to
disciplinary sanctions up to and including dismissal from the
academic institution. This paragraph shall not apply to the
University of California unless the Board of Regents adopts a
resolution to that effect.
(4) In any action brought pursuant to this subdivision for a
willful violation of the provisions of subdivision (c), where it is
proved by clear and convincing evidence that a defendant has been
guilty of oppression, fraud, or malice as defined in subdivision (c)
of Section 3294 of the Civil Code, the court may additionally award
punitive or exemplary damages.
(5) No action may be brought pursuant to this subdivision unless
it is initiated within three years of the date of the act complained
of, or the date of the discovery of the damage, whichever is later.
(f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this
state which applies or may apply to any transaction, nor shall it
make illegal any employee labor relations activities that are within
the scope and protection of state or federal labor laws.
(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or any
computer, owned by the defendant, which is used as a repository for
the storage of software or data illegally obtained in violation of
subdivision (c) shall be subject to forfeiture, as specified in
Section 502.01.
(h) (1) Subdivision (c) does not apply to punish any acts which
are committed by a person within the scope of his or her lawful
employment. For purposes of this section, a person acts within the
scope of his or her employment when he or she performs acts which are
reasonably necessary to the performance of his or her work
assignment.
(2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee's activities do not cause an
injury, as defined in paragraph (8) of subdivision (b), to the
employer or another, or provided that the value of supplies or
computer services, as defined in paragraph (4) of subdivision (b),
which are used does not exceed an accumulated total of one hundred
dollars ($100).
(i) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or
(7) of subdivision (c) shall be prosecuted under those paragraphs.
(j) For purposes of bringing a civil or a criminal action under
this section, a person who causes, by any means, the access of a
computer, computer system, or computer network in one jurisdiction
from another jurisdiction is deemed to have personally accessed the
computer, computer system, or computer network in each jurisdiction.
(k) In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider
the following:
(1) The court shall consider prohibitions on access to and use of
computers.
(2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant
shows remorse and recognition of the wrongdoing, and an inclination
not to repeat the offense.
502.01. (a) As used in this section:
(1) "Property subject to forfeiture" means any property of the
defendant that is illegal telecommunications equipment as defined in
subdivision (g) of Section 502.8, or a computer, computer system, or
computer network, and any software or data residing thereon, if the
telecommunications device, computer, computer system, or computer
network was used in committing a violation of, or conspiracy to
commit a violation of, subdivision (b) of Section 272, Section 288,
288.2, 311.1, 311.2, 311.3, 311.4, 311.5, 311.10, 311.11, 422, 470,
470a, 472, 475, 476, 480, 483.5, 484g, or subdivision (a), (b), or
(d) of Section 484e, subdivision (a) of Section 484f, subdivision (b)
or (c) of Section 484i, subdivision (c) of Section 502, or Section
502.7, 502.8, 529, 529a, or 530.5, 537e, 593d, 593e, or 646.9, or was
used as a repository for the storage of software or data obtained in
violation of those provisions. Forfeiture shall not be available for
any property used solely in the commission of an infraction. If the
defendant is a minor, it also includes property of the parent or
guardian of the defendant.
(2) "Sentencing court" means the court sentencing a person found
guilty of violating or conspiring to commit a violation of
subdivision (b) of Section 272, Section 288, 288.2, 311.1, 311.2,
311.3, 311.4, 311.5, 311.10, 311.11, 422, 470, 470a, 472, 475, 476,
480, 483.5, 484g, or subdivision (a), (b), or (d) of Section 484e,
subdivision (d) of Section 484e, subdivision (a) of Section 484f,
subdivision (b) or (c) of Section 484i, subdivision (c) of Section
502, or Section 502.7, 502.8, 529, 529a, 530.5, 537e, 593d, 593e, or
646.9, or, in the case of a minor, found to be a person described in
Section 602 of the Welfare and Institutions Code because of a
violation of those provisions, the juvenile court.
(3) "Interest" means any property interest in the property subject
to forfeiture.
(4) "Security interest" means an interest that is a lien,
mortgage, security interest, or interest under a conditional sales
contract.
(5) "Value" has the following meanings:
(A) When counterfeit items of computer software are manufactured
or possessed for sale, the "value" of those items shall be equivalent
to the retail price or fair market price of the true items that are
counterfeited.
(B) When counterfeited but unassembled components of computer
software packages are recovered, including, but not limited to,
counterfeited computer diskettes, instruction manuals, or licensing
envelopes, the "value" of those components of computer software
packages shall be equivalent to the retail price or fair market price
of the number of completed computer software packages that could
have been made from those components.
(b) The sentencing court shall, upon petition by the prosecuting
attorney, at any time following sentencing, or by agreement of all
parties, at the time of sentencing, conduct a hearing to determine
whether any property or property interest is subject to forfeiture
under this section. At the forfeiture hearing, the prosecuting
attorney shall have the burden of establishing, by a preponderance of
the evidence, that the property or property interests are subject to
forfeiture. The prosecuting attorney may retain seized property that
may be subject to forfeiture until the sentencing hearing.
(c) Prior to the commencement of a forfeiture proceeding, the law
enforcement agency seizing the property subject to forfeiture shall
make an investigation as to any person other than the defendant who
may have an interest in it. At least 30 days before the hearing to
determine whether the property should be forfeited, the prosecuting
agency shall send notice of the hearing to any person who may have an
interest in the property that arose before the seizure.
A person claiming an interest in the property shall file a motion
for the redemption of that interest at least 10 days before the
hearing on forfeiture, and shall send a copy of the motion to the
prosecuting agency and to the probation department.
If a motion to redeem an interest has been filed, the sentencing
court shall hold a hearing to identify all persons who possess valid
interests in the property. No person shall hold a valid interest in
the property if, by a preponderance of the evidence, the prosecuting
agency shows that the person knew or should have known that the
property was being used in violation of, or conspiracy to commit a
violation of, subdivision (b) of Section 272, Section 288, 288.2,
311.1, 311.2, 311.3, 311.4, 311.5, 311.10, 311.11, 470, 470a, 472,
475, 476, 480, 483.5, 484g, or subdivision (a), (b), or (d) of
Section 484e, subdivision (a) of Section 484f, subdivision (b) or (c)
of Section 484i, subdivision (c) of Section 502, or Section 502.7,
502.8, 529, 529a, 530.5, 537e, 593d, 593e, or 646.9, and that the
person did not take reasonable steps to prevent that use, or if the
interest is a security interest, the person knew or should have known
at the time that the security interest was created that the property
would be used for a violation.
(d) If the sentencing court finds that a person holds a valid
interest in the property, the following provisions shall apply:
(1) The court shall determine the value of the property.
(2) The court shall determine the value of each valid interest in
the property.
(3) If the value of the property is greater than the value of the
interest, the holder of the interest shall be entitled to ownership
of the property upon paying the court the difference between the
value of the property and the value of the valid interest.
If the holder of the interest declines to pay the amount
determined under paragraph (2), the court may order the property sold
and designate the prosecutor or any other agency to sell the
property. The designated agency shall be entitled to seize the
property and the holder of the interest shall forward any
documentation underlying the interest, including any ownership
certificates for that property, to the designated agency. The
designated agency shall sell the property and pay the owner of the
interest the proceeds, up to the value of that interest.
(4) If the value of the property is less than the value of the
interest, the designated agency shall sell the property and pay the
owner of the interest the proceeds, up to the value of that interest.
(e) If the defendant was a minor at the time of the offense, this
subdivision shall apply to property subject to forfeiture that is the
property of the parent or guardian of the minor.
(1) The prosecuting agency shall notify the parent or guardian of
the forfeiture hearing at least 30 days before the date set for the
hearing.
(2) The computer or telecommunications device shall not be subject
to forfeiture if the parent or guardian files a signed statement
with the court at least 10 days before the date set for the hearing
that the minor shall not have access to any computer or
telecommunications device owned by the parent or guardian for two
years after the date on which the minor is sentenced.
(3) If the minor is convicted of a violation of Section 288,
288.2, 311.1, 311.2, 311.3, 311.4, 311.5, 311.10, 311.11, 470, 470a,
472, 476, 480, or subdivision (b) of Section 484e, subdivision (d) of
Section 484e, subdivision (a) of Section 484f, subdivision (b) of
Section 484i, subdivision (c) of Section 502, or Section 502.7,
502.8, 529, 529a, or 530.5, within two years after the date on which
the minor is sentenced, and the violation involves a computer or
telecommunications device owned by the parent or guardian, the
original property subject to forfeiture, and the property involved in
the new offense, shall be subject to forfeiture notwithstanding
paragraph (2).
(4) Notwithstanding paragraph (1), (2), or (3), or any other
provision of this chapter, if a minor's parent or guardian makes full
restitution to the victim of a crime enumerated in this chapter in
an amount or manner determined by the court, the forfeiture
provisions of this chapter do not apply to the property of that
parent or guardian if the property was located in the family's
primary residence during the commission of the crime.
(f) Notwithstanding any other provision of this chapter, the court
may exercise its discretion to deny forfeiture where the court finds
that the convicted defendant, or minor adjudicated to come within
the jurisdiction of the juvenile court, is not likely to use the
property otherwise subject to forfeiture for future illegal acts.
(g) If the defendant is found to have the only valid interest in
the property subject to forfeiture, it shall be distributed as
follows:
(1) First, to the victim, if the victim elects to take the
property as full or partial restitution for injury, victim
expenditures, or compensatory damages, as defined in paragraph (1) of
subdivision (e) of Section 502. If the victim elects to receive the
property under this paragraph, the value of the property shall be
determined by the court and that amount shall be credited against the
restitution owed by the defendant. The victim shall not be penalized
for electing not to accept the forfeited property in lieu of full or
partial restitution.
(2) Second, at the discretion of the court, to one or more of the
following agencies or entities:
(A) The prosecuting agency.
(B) The public entity of which the prosecuting agency is a part.
(C) The public entity whose officers or employees conducted the
investigation resulting in forfeiture.
(D) Other state and local public entities, including school
districts.
(E) Nonprofit charitable organizations.
(h) If the property is to be sold, the court may designate the
prosecuting agency or any other agency to sell the property at
auction. The proceeds of the sale shall be distributed by the court
as follows:
(1) To the bona fide or innocent purchaser or encumbrancer,
conditional sales vendor, or mortgagee of the property up to the
amount of his or her interest in the property, if the court orders a
distribution to that person.
(2) The balance, if any, to be retained by the court, subject to
the provisions for distribution under subdivision (g).
502.9. Upon conviction of a felony violation under this chapter,
the fact that the victim was an elder or dependent person, as defined
in Section 288, shall be considered a circumstance in aggravation
when imposing a term under subdivision (b) of Section 1170.