Legal Tech: Preparing for Internal Investigations to Mitigate Risk

Apart from the legal and logistical challenges, investigations often present significant, daunting technical challenges. The identification, preservation and collection of information relevant to an investigation may have to be completed under severe time pressure, particularly if the behavior in question is ongoing or poses an imminent threat to the organization's reputation or well-being. Data types and sources may be quite diverse, ranging from email, text messages, and instant messages to telephone records, voicemails, backup files and even video surveillance footage. Different technology platforms, applications and device types may all come into play.

Finding the Needle(s) In the Haystack

Consider this real-world scenario that recently played out at a medical device company, which we'll call MDC. It came to MDC's attention that they had suffered a data breach that targeted personally identifiable information (PII) — including Social Security numbers (SSNs) — from MDC customer records. MDC began the investigation knowing which SSNs had been stolen, and they knew that each of those SSNs was associated with the purchase of a particular medical device, but the SSNs were not associated with other customer PII in the company's databases. This meant that MDC was initially unable to notify the affected customers as required by law — a big problem — because they didn't know the names of those customers.

To find those customers, MDC would have to pore through thousands of invoices to identify relevant device model numbers, and then match the PII from the invoices to the SSNs of the affected customers.

To further complicate matters, MDC's sales and operations extend across the globe. Not only were the invoices in multiple languages, but the device model numbers were as well, which meant that model numbers in some languages had different characters than their counterparts in English. There were hundreds of thousands of SSNs that had to be identified with other customer information. All told, the investigation of this data breach encompassed more than 500GB of data in multiple languages (including Japanese), and 44 custodians inside and outside the US.

Imagine trying to tackle this challenge with manual searching, spreadsheets, and office productivity software, not to mention human reviewers and possibly translators. How long would it take, and at what cost? Given the potential for human error, how certain could you be that every detail in your investigation was accurate?

Automation and Advanced Technologies Pave the Way To a More Proactive Approach

While the above scenario is unique in some respects, it should serve as a warning for all companies that lack standard processes and appropriate technologies to respond effectively when potential wrongdoing from within or outside the organization is identified. It is particularly sobering in light of the fact that many enterprises — especially medium-size organizations — still lack clear plans and policies around internal investigations, rely on investigative workflows siloed by department, and use a patchwork of office applications and manual processes to carry out the investigative work.

While many of these same companies may deploy sophisticated e-discovery tools to address the challenges of high data volumes and data complexity in litigation, investigations are more likely to be ad hoc affairs that are organized only after a specific complaint or incident arises, and carried out with little standardization of processes and inadequate tools.

If that describes your organization's approach to internal investigations, it's probably time to consider some significant changes. Here are some suggestions:

• Use today's highly flexible, fully integrated and infinitely scalable SaaS platforms for e-discovery to manage diverse data types in a single, secure, user-friendly interface without having to invest in additional hardware or IT staff. Taking this step will also put you in the best possible position to move forward should the investigation ultimately trigger litigation.
• Deploy artificial intelligence (AI) technologies like machine learning, natural language processing and predictive analytics, just as many organizations now do for complex eDiscovery projects. Because investigations often begin without a clear pattern of facts, initial data searches tend to yield low percentages of relevant documents. AI is very powerful and cost-effective in these situations, enabling much faster culling, earlier cost projections, overall savings, and highly accurate results. It is also indispensable for complex tasks like building a chronology and storyline, threading to sort out email relationships, and creating word clouds to identify links between related concepts.
• For each investigation, create a secure, collaborative workspace that authorized users across departments and functions can access from anywhere with a Web browser via multi-factor authentication. This will help you establish more consistent workflows, and monitor activities and progress for more rigorous oversight and transparency. It will also make it easier to document steps across multiple departments and minimize the possibility that sensitive information may be inadvertently exposed while the investigation is in progress.
• Take advantage of the multilingual capabilities offered by some platforms to avoid the cost of hiring translators or reviewers fluent in the language(s) in question.
• Use AI to run "health check" investigations preemptively. If, for example, your organization is concerned about potential privacy violations related to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), you can use these tools to perform privacy audits and predict your organization's vulnerability. You can also use these technologies to look for data anomalies that may indicate security breaches or suspicious behavior.

Remember the medical device company (MDC) that was trying to match invoices to SSNs? In the course of using AI to complete this massive task, they discovered a second data breach they had been completely unaware of. This highlights the very real proactive potential of the advanced technologies that many companies may be already using for e-discovery. These tools can help companies develop more mature information governance and record management systems, perform regular privacy and other compliance audits, and even identify potential security vulnerabilities.

MDC has certainly taken notice. They are developing a formal, technology-enabled program for investigations. They plan to revisit their information architecture in light of recent experience, establish standard workflows across departments, and create a complete set of policies and procedures for investigative activities, including preemptive investigations where no problems are currently evident. It certainly beats waiting for the next trigger to come along.

*****

David Carns is the Chief Revenue Officer of Casepoint. He joined Casepoint as a Director of Client Services in 2010, rose the ranks to Chief Strategy Officer until his most recent promotion in 2019. In addition to being a recovering attorney, David possesses a lifelong passion for technology and its advancements. His career has always found him at the intersection of technology and the legal field given his intimate knowledge of both. Connect with David on LinkedIn @dcarns.