A day after HP chairman Patricia Dunn promised to step down over her role in a spy scandal, the state of California is continuing its effort to invesigate company officials and the private investigators they used.

The state now has enough evidence to indict people both within HP and contractors outside the company, according to Thomas Dressler, a spokesman for California attorney general Bill Lockyer.

In her efforts to discover the source of press leaks about board deliberations, HP has acknowledged hiring a private investigation firm to pose as the 10 suspected board members and journalists in order to convince the phone company to disclose private phone records. This is a practice known as pretexting.

In an interview on Tuesday, Lockyer said that under California law, people involved in the probe could be charged with crimes both for falsely taking another person's identity and for accessing computer records with their personal information. Dressler confirmed Lockyer's comments.

HP hired investigation firm SOS (Security Outsourcing Solutions), which shares its Boston offices with a law firm called Bonner, Kiernan, Trebach and Crociata, according to a report in The New York Times that cited sources close to the case. The Times also said that the California and Massachusetts attorney generals were working together on the case.

Dressler declined to confirm the name of the security firm HP hired, or whether California and Massachusetts are working together on the case.

"I'm not going to deny it, but beyond what the attorney general said I'm not going to comment. It's not prudent for prosecutors to mention names before bringing charges," Dressler said.

A call to SOS yesterday was answered by a woman who recited the name of the law firm, but denied the two businesses were connected. She declined to give her name, and said that no one was immediately available for comment.

Ironically, an SOS newsletter posted on the firm's website warns corporate executives that their privacy is at risk since their web surfing and email records can be traced by internet browsers and cookies. It advises clients to shield their identities by using a website called Anonymizer.com.