Corporations remain under significant pressure to conduct internal investigations for a variety of serious matters, such as alleged employee misconduct, whistleblower reports and data breach incidents. NAVEX Global’s 2018 Incident Management Report found that the number of internal reports of potential ethics and compliance incidents hit the highest level recorded last year, with a median of 1.4 reports per 100 employees. This continued the trend of a significant rise in the internal reporting rate over the last eight years.
All signs point to an acceleration of this trend this year and beyond. For example, some experts argue there has been a fundamental shift in perceptions of sexual harassment and abuse in the workplace, in large part due to the #MeToo movement that began in late 2017. “The #MeToo movement has empowered more people to come forward and raise these issues at their companies or organizations,” said Nancy Kestenbaum, co-chair of the white collar defense and investigations team at Covington & Burling LLP, in a story published by Law360®. “And that has caused the organizations to examine those specific issues, or issues of harassment and abuse more generally, to make sure that they don’t face these problems going forward.”
Data security incidents resulting from insider threats represent a growing concern as well, whether from intentional malicious behavior or pure human error. According to the 2018 Verizon Data Breach Investigations Report, one in five breaches (17%) have been the result of human error, such as misconfiguring web servers or sending an email to the wrong person. While not intentional, these incidents account for a fair number of internal investigations at an organization, as it tries to piece together where the incident originated.
Internal investigations are often high-stakes undertakings for the company’s finances and brand reputation, but they are also more challenging than ever to actually perform. Most evidence these days is electronic in form, which means it is often located across a variety of devices and platforms. Investigations are also complicated by the fact that numerous stakeholders across the organization must be involved to some extent, such as Legal, Human Resources, Compliance and Finance—not to mention the need to conduct the investigation in a discreet manner, so as to not alert employees or interrupt business operations.
E-discovery teams need to be prepared in advance for internal investigations because their skills will be called upon to oversee the sensitive process of data collection, analysis, review and production. The e-discovery professionals must ensure the investigation is handled efficiently, cost-effectively and in a legally sound manner.
Based on our experience serving as technology providers and professional service trainers for hundreds of corporate internal investigations, here are some best practices that e-discovery teams should consider when approaching their role in an investigation:
- Determine what you’re trying to find.
This isn’t as trite as it sounds. It’s essential that you start out by having a clear understanding of the specific electronic evidence you need to locate in order to help your colleagues make a determination regarding the merits of the complaint or incident report. For example, some investigations into alleged sexual harassment have been wrapped up quickly with the discovery that the claims were false from the outset, so a full-scale investigation is never required. A successful investigation starts with clarity of the target data at the beginning so investigators can quickly determine what they’re dealing with and identify how widespread the data collection needs to be.
- Identify the relevant data custodians.
The investigative team is going to need a clear data map from you so they know where the potentially relevant electronic evidence resides and how they can collect the data. Make sure you have all of your access privileges and clearances in place so they can go straight to the proper data sources.
- Define search parameters.
The e-discovery team is uniquely positioned to rely upon its professional experience on the litigation discovery front to establish precise and useful search terms for the investigators. For example, we were once involved in a case where there was a relevant party who spelled her name “Page” and some members of the team wanted to search for all references to her name. Of course, due to the ubiquitous occurrence of the word “page” in electronic documents, this was too broad to be useful. Experienced investigators will tell you that perhaps only 5 percent of the data on a typical hard drive may actually be relevant in a case, so the e-discovery team can use its expertise to define the optimal parameters for the forensic investigation. In addition, by being more targeted in your searches up front, the e-discovery team can reduce the amount of data for review in the event the investigation moves to litigation, which in turn saves time and cost down the line.
- Oversee the investigation.
The investigation itself will be conducted by forensic examiners, but they will only be as effective as the direction they receive. Collaborate with these skilled technicians to conduct the actual searches of the collected data, review the preliminary results, refine the search as appropriate, etc.
- Maintain chain of custody.
The e-discovery team should oversee the chain of custody throughout the investigation to ensure it is conducted in a forensically sound manner. For example, you want to make sure the searches are done in a repeatable and defensible manner that can be recreated for opposing counsel with the exact same results. This ensures that it will stand up under scrutiny in the event of litigation. If the investigation is not properly handled with the right tools, processes and experienced professionals, it could be cause for it to be thrown out of court.
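The sketch below is an added example, not AccessData's tooling or code from the original article. It contrasts the over-broad “page” search described above with a targeted one, and records each run so that a re-run can be shown to produce the exact same results. The documents, the first name “Jane” and the honorific list are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed sample evidence set (document name -> extracted text).
SAMPLE_DOCS = {
    "doc-001.txt": "See page 4 of the attached report. Page 5 is blank.",
    "doc-002.eml": "From: Jane Page\nPlease keep this between us.",
    "doc-003.txt": "I spoke with Ms. Page yesterday about the complaint.",
    "doc-004.txt": "Next page. Page break inserted here.",
}

# Over-broad term: matches every occurrence of the common word.
NAIVE = re.compile(r"page", re.IGNORECASE)
# Targeted term: surname only when preceded by a first name or honorific.
# "Jane" and the honorifics are assumptions made for this example.
TARGETED = re.compile(r"\b(?:Jane|Ms\.|Mrs\.|Miss)\s+Page\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_search(docs: dict, pattern: re.Pattern) -> dict:
    """Run one search and return a record that can be re-verified later.

    Documents are processed in sorted order and each hit carries the
    SHA-256 of the text it was found in, so the final digest changes if
    the search term, the evidence or the hit list changes.
    """
    hits = []
    for name in sorted(docs):
        text = docs[name]
        offsets = [m.start() for m in pattern.finditer(text)]
        if offsets:
            hits.append({
                "doc": name,
                "sha256": sha256_hex(text.encode("utf-8")),
                "offsets": offsets,
            })
    record = {"pattern": pattern.pattern, "flags": pattern.flags, "hits": hits}
    canonical = json.dumps(record, sort_keys=True).encode("utf-8")
    record["result_digest"] = sha256_hex(canonical)
    return record


if __name__ == "__main__":
    for label, pat in (("naive", NAIVE), ("targeted", TARGETED)):
        rec = run_search(SAMPLE_DOCS, pat)
        print(label, [h["doc"] for h in rec["hits"]], rec["result_digest"][:16])
```

Storing the search record alongside the collection lets a later examiner re-run the same pattern over the same evidence and compare digests rather than compare hit lists by eye.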
There are a couple of keys that will maximize the success of any internal investigation with respect to the data collection and analysis. First, it’s essential that the e-discovery professionals and forensic investigators have the proper training and certifications to do this highly specialized work. For example, the Certified E-Discovery Specialist (CEDS) certification, administered by ACEDS, responds to the need for professionals with diverse skills and knowledge across the e-discovery spectrum. AccessData offers the ACE® credential, a certification for forensic examiners that demonstrates proficiency with Forensic Toolkit® (FTK®) technology.
Second, it’s crucial to use software tools that facilitate collaboration and efficiency throughout the investigation, preferably with technology that has been recognized by courts as being forensically sound. AccessData’s AD Enterprise is the only U.S.-owned solution in the marketplace that can perform comprehensive end-to-end forensic investigations within a single tool by collecting all sorts of complex data types directly at the endpoint. It is powered by forensic technology that is court cited and has been relied upon for more than 30 years.
Finally, after an investigation is concluded, if the matter proceeds to litigation, it will be important to use tools that seamlessly connect in order to reduce data movement between platforms. AccessData’s AD eDiscovery® is a single, fully integrated software platform that helps organizations mitigate risk, ensure compliance and improve response efficiency. It helps legal teams manage forensically sound enterprise-wide preservation, litigation holds, search, collection, processing, data assessment and complete legal review.
AccessData partnered recently with ACEDS to host a free webinar, “Internal Investigations in Today’s Connected World.” During the webinar, guest speakers Paul Becker, IT Security Lead for Rockwell Automation, and Len Robinson, Manager of Cyber Defense for Ahold Delhaize, walked through internal investigation examples and recommended best practices, covering everything from who should be involved to how you prepare when the investigation moves to potential litigation. You can view a recording of the webinar here.