Internal investigations in corporations are typically conducted by the human resources (HR) department, internal compliance teams, and/or the IT department. Some cases may also require the involvement of outside third parties like forensic experts, consultants, law or accounting firms, or security experts.
These are often complex matters from a legal, process and technical perspective. Depending on the nature and extent of the potential misconduct, the stakes can be very high, with risks that include legal jeopardy, large fines or damages, negative publicity, and damage to company culture and morale. Speed and efficiency are vital: organizations need to understand the extent of the problem and act immediately to prevent further damage.
Key phases of an internal investigation
An internal investigation typically follows five key phases: a trigger event; a legal hold and custodian interviews; requests for data and data collection; processing, review and analysis of files; and the recommendation of next steps. COVID-19 and work-at-home requirements are most relevant to the second and third phases, in which interviews take place and data is requested and collected.
A trigger event kicks off an action from a legal, compliance, or investigative standpoint. While complaints to HR alleging discrimination or harassment based on race or gender are among the most common triggers of an internal investigation, other triggers include leaked or stolen intellectual property, whistle-blower complaints alleging fraud or compliance violations, the loss or theft of physical assets, or leaked or stolen data containing sensitive or personally identifiable information (PII).
In the next phase, legal hold and custodian interviews, the legal department must quickly perform an assessment of the veracity of the allegation(s) and the degree of risk involved, and then determine whether further investigative action is required. If a decision to continue is made, a legal hold is immediately put in place.
While some companies may be able to preserve information by working with their IT department without notifying the person(s) being investigated, in other cases the organization may need to send an official notification to the person(s) and ask for their cooperation in preserving information. The latter option is more common, especially in the age of COVID-19.
Initial interviews will often expand the scope of the investigation. A custodian may say, “I only worked on that project for a week; X was the driving force behind it,” or “I’ve only been with the company for a month, but Y and Z have been working on this since last year.” As the number of custodians grows, so does the number of devices to collect data from. Data locations and data types also have a tendency to multiply, with sources ranging from corporate email, text messages, file shares, and “loose” files stored on local devices or thumb drives to cloud storage like Office 365, Dropbox, Google Vault and even, in some cases, surveillance video.
After custodian interviews, it’s time for the request for and collection of data. The complexity at this stage depends to a large extent on the company’s information infrastructure. Especially during the pandemic, cloud-based data or work product saved in a virtual environment will be more straightforward to collect than on-premises data or data stored locally on a mobile device. Collection can become especially challenging with work-at-home requirements. A custodian may need to allow a forensics professional to access their device(s) at home. In other cases a device—which the custodian presumably needs to do their job—may need to be shipped.
Before COVID-19, an employee under investigation could be surprised with an on-the-spot collection at the office under the guise of an in-person meeting or “routine” request to bring in a device for an IT upgrade or a mandatory security update. Such strategies are much less likely to be practical or successful in a remote work environment. “At home” collection may also become impossible if the employee has opted to work from a second home or another location in a different region.
Employees using their own devices for remote work present a further complication. Devices like personal phones or tablets usually lack many of the security protections embedded in a company-provided mobile device and are therefore more vulnerable to malware and spyware, and they are more likely to hold co-mingled (personal and work-related) data. The data is also much more likely to be accessible by family and friends, increasing the potential for vulnerability as well as foul play. Upon collection, such data will often need to go through more extensive screening, and custodians may be more reluctant to cooperate when personal information is stored on a device targeted for collection. It is also possible they may use the virus as a pretext and refuse to allow a forensic professional into their home.
Increasing numbers of companies are turning to remote assisted collection kits (RACKs), which allow a forensic investigator to gain access to a device online and gather data directly from it. While RACK collections are forensically sound and legally defensible, some RACKs are designed to create a forensic image of a device and can consume large amounts of Internet bandwidth in the process. With less robust home connections, this can result in the disruption of ordinary work, or perhaps open the door to delaying tactics or data erasure on the part of custodians who have something to hide.
Once the data collection phase is complete, COVID-19-related constraints on the investigation recede from the picture. Processing, reviewing and analyzing files can proceed as normal—although review teams will be dispersed and have to be managed via a virtual collaborative workspace. The last phase in the investigation, recommending a next step, involves either closing the investigation, expanding it or possibly bringing in third parties such as a managed document review company and/or outside counsel.
Given the complexity of many internal investigations and the risks involved, it’s surprising how many organizations conduct them in an ad hoc manner. This is asking for trouble, especially in the age of COVID-19. Careful planning, clear policies and a consistent, formal process are essential. Each matter should begin with the development of a step-by-step plan based on the type of event and the trigger.
Detailed documentation is crucial every step of the way, both so stakeholders can continually monitor progress while assessing scope and risk and to ensure information is gathered in a legally defensible way. Documentation should address:
1. The investigation plan, processes and updates.
2. The data chain of custody.
3. The scope of the investigation, which needs to be legally “reasonable.”
In addition to working closely with the IT department, the investigation team should also consider engaging a company that specializes in forensic collections and solicit the input of the organization’s trusted eDiscovery provider. While some companies do not routinely use eDiscovery tools in internal investigations, these tools can save significant time and money in the culling, analysis, and review of data, particularly when they have a built-in cloud collections capability. AI technologies can dramatically speed up the process while minimizing human error and increasing accuracy, especially in investigations involving large volumes of data.
AI tools also have tremendous potential for companies seeking to apply more proactive controls over information governance and record management, identify potential security vulnerabilities before they become serious liabilities, and perform regular compliance audits. For example, these tools can perform privacy audits and assess an organization’s vulnerability to violations of regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). AI technologies can also be deployed to look for data anomalies that may indicate security breaches or suspicious behavior.
While the age of COVID-19 presents new challenges for internal investigations, companies should be able to weather the storm by identifying which processes in their investigation workflows will need to change, carefully following best practices, and ensuring they have appropriate, scalable technologies that can be deployed quickly when a new matter emerges.