Mastering Complex Data Types During an Internal Investigation
Best practices for handling mobile data and ephemeral messages
Collecting mobile phone and messaging app evidence for an internal investigation can be a walk on a tightrope for legal and investigations teams. There’s the need to identify all potentially relevant data, something that’s more and more challenging as organizations create an ever growing digital footprint. Then there's the people who create and own the data. These individuals aren’t always willing participants in what needs to be a thorough, defensible, and efficient procedure. Personal and privacy concerns loom large and can lead to gaps in evidence and costly delays.
As data becomes more elusive, investigations teams need to be more creative in identifying and preserving potential evidence. In addition to the decisions made in the fire drill of the moment, successful outcomes rely on policies hammered out long before a data breach, whistleblower complaint, or government subpoena triggers an investigation.
Brock Bosson, chairman of the Corporate Governance & Compliance Advisory Practice at Cahill Gordon & Reindel, and Steve Davis, Licensed Private Investigator & VP of Forensics and Investigations at Purpose Legal, discussed best practices in “Mastering Efficient Internal Investigations: Best Practices,” an Everlaw webinar co-sponsored by the CCBJ and moderated by attorney and content specialist Gina Jurva.
Persuading Reluctant Custodians to Comply With Data Collection
When someone’s personal phone or computer is identified as a potentially relevant source of information, it’s very often a careful balancing act.
The DOJ and SEC expect that bring your own device policies, or BYOD, are applied consistently. While executives and employees generally understand that they’re expected to cooperate with an investigation, personal concerns regularly come up. Bosson, who helps companies enhance their compliance programs (often in parallel with an investigation), said creativity comes into play if a person of interest, or custodian, pushes back on a collection.
“What you often run into is where an executive, a manager, or someone who’s relevant to the investigation says: ‘You can look at my text messages, but you can’t look at my photos,’” Bosson said. “Someone will say, ‘I'm fine with you looking at my texts for people with work, but not my spouse.’ Or ‘I don't use this messaging app for work. Trust me on that.’”
For an investigation that is defensible and able to withstand scrutiny, Bosson advises a practical approach that makes custodians feel comfortable but doesn’t make perfect the enemy of the effective. “At the end of the day, there has to be a risk-based decision made,” Bosson said. “If we didn’t make some compromises in certain scenarios, we wouldn’t have any data at all.”
“At the end of the day, there has to be a risk-based decision made. If we didn’t make some compromises in certain scenarios, we wouldn’t have any data at all.”
– Brock Bosson
Tips for managing custodian resistance:
Run preliminary keyword searches to get the lay of the land
Be alert for language indicating a conversation is going offline, such as, “Text me.”
Discuss with the custodian the company’s need to access specific materials
Look for a solution that will make the individual feel comfortable
ID and pull all work-related contacts from a personal phone
Sit down with the custodian to spot-check contacts or other data in the mobile device for relevancy
Memorializing each decision and step in the process is crucial, Bosson added. “You may need to explain someday why you collected certain information, why you didn't, and how you navigated that.”
Negotiating Privacy Concerns While Gathering Data
During litigation, the rules of engagement follow an agreed-upon protocol typically hashed out during a meet-and-confer. Davis, a former federal investigator, said that the handling of privacy concerns during an internal investigation is more about bedside manner.
“People have a right to privacy and there’s always the concern about Big Brother,” Davis said. “I get that someone doesn't want to hand me their phone and let me look at all their stuff.”
To make employees and executives feel more at ease, he validates their concerns and explains the process in non-technical terms. By demystifying the science behind getting a bit-by-bit image of their computer or a physical extraction from their phone, he helps people understand that he only goes after specific search terms targeted by lawyers, not all the data on their device, and that the information goes into a secure “black box” area that's not connected to the internet, so no one can hack into it or steal it.
He said that when appropriate, he’ll allow the custodian to see the data before the lawyers review it. “You need to be sensitive to people's concerns, because they're real,” Davis said.
“You need to be sensitive to people's concerns, because they're real.”
– Steve Davis
Having a clear BYOD policy in place before an investigation breaks out helps set expectations and makes the collections process easier, Davis said.
Covering Your Bases on Ephemeral Messaging
The potential to lose evidence that is difficult to retrace or can’t be recovered keeps investigations professionals up at night. They need to identify all the relevant apps employees are using and know where the data is stored. They also need to get to that material in time.
That’s why ephemeral messages – communications that are designed to disappear after a certain action or period of time – must be top of mind for collection.
Corporate BYOD policies should spell out an organization’s rules for ephemeral messaging use.
“More and more companies are developing tight controls and procedures around when ephemeral messaging may be used, if at all, related to company business,” Bosson said. “And insofar as you were looking to draw conclusions in an investigation, that’s something important to compare against.”
“More and more companies are developing tight controls and procedures around when ephemeral messaging may be used, if at all, related to company business."
– Brock Bosson
Applications like Signal, Telegram, and WeChat provide varying levels of protection and archiving depending on the settings. Davis said that while forensics experts can prevent potential evidence from going up in smoke through screenshots or backups, he agrees the best strategy for companies is to cover their bases long before a dispute or investigation ever comes up.
“The more you can make these decisions up front, the more you can create policies that people live by, the easier it is to herd the cats when you’re trying to collect data,” Davis said.
Building a Strong Foundation Through Corporate Policies
Everyone – from the client to the regulators – wants an internal investigation to move swiftly to the best possible outcome.
With the advent of massive data volumes and complex new data sources, potential evidence is more elusive than ever, and it’s harder to capture. Legal and investigations teams need to know how to navigate the tools and techniques and the nuanced human factors that go into collecting and preserving evidence in today’s internal investigations.
Teams need to make practical, risk-based decisions along the way, particularly when it comes to data from tricky sources such as mobile phones and ephemeral messaging apps. Preparation – in the form of rules and policies that everyone in a company is familiar with – is more than half the battle.