Legal Tech: Preparing for Internal Investigations to Mitigate Risk

No one welcomes the prospect of an internal investigation. Even a relatively narrow and focused investigation can feel like a distraction from day-to-day business. Broader investigations can become complicated exercises requiring investigators (and sometimes outside counsel) to work with multiple departments and stakeholders, struggle to manage disparate workflows, and sift through mountains of data to arrive at the truth.

While complaints to HR alleging discrimination or harassment based on race or gender are among the most common triggers of an internal investigation, other triggers run the gamut. They include whistle-blower complaints alleging compliance violations or corporate fraud, the loss or theft of physical assets, leaked or stolen data containing sensitive or personal information, and leaked or stolen intellectual property.

The stakes in these matters can turn out to be very high. A purely reactive approach to investigations can not only cause delays in determining the truth, but also increase the likelihood of runaway costs and damage to the company's reputation. On the other hand, companies can often respond effectively if they proactively plan for investigations and leverage technology that can comb through large amounts of data quickly at low cost. These organizations have a much better chance of avoiding prosecution, large fines, substantial damages, erosion of employee morale, and negative publicity.

Investigations Are Often Legally, Logistically and Technically Complex

In most traditional litigation, attorneys can proceed from a known set of facts and have a clear roadmap to follow. Compared to litigation, internal investigations can be quite open-ended and unpredictable — you may not even have a date range in which alleged wrongdoing may have occurred, for example, and in some cases you may not know ahead of time who is likely to be involved or which custodians to focus on. Investigations are also highly context-specific, requiring very different approaches depending on the nature and seriousness of the complaint or allegation. Several different departments may need to be involved in addition to legal — HR, IT, finance, and compliance are common examples — each with their own workflows and applications. Also, while investigations often end without becoming the subject of litigation, investigators must always be prepared for that possibility. That means carefully documenting their activities and the chain of custody so the evidence they gather will be admissible in court.

Apart from the legal and logistical challenges, investigations often present significant, daunting technical challenges. The identification, preservation and collection of information relevant to an investigation may have to be completed under severe time pressure, particularly if the behavior in question is ongoing or poses an imminent threat to the organization's reputation or well-being. Data types and sources may be quite diverse, ranging from email, text messages, and instant messages to telephone records, voicemails, backup files and even video surveillance footage. Different technology platforms, applications and device types may all come into play.

Finding the Needle(s) In the Haystack

Consider this real-world scenario that recently played out at a medical device company, which we'll call MDC. It came to MDC's attention that they had suffered a data breach that targeted personally identifiable information (PII) — including Social Security numbers (SSNs) — from MDC customer records. MDC began the investigation knowing which SSNs had been stolen, and they knew that each of those SSNs was associated with the purchase of a particular medical device, but the SSNs were not associated with other customer PII in the company's databases. This meant that MDC was initially unable to notify the affected customers as required by law — a big problem — because they didn't know the names of those customers.

To find those customers, MDC would have to pore through thousands of invoices to identify relevant device model numbers, and then match the PII from the invoices to the SSNs of the affected customers.

To further complicate matters, MDC's sales and operations extend across the globe. Not only were the invoices in multiple languages, but the device model numbers were as well, which meant that model numbers in some languages had different characters than their counterparts in English. There were hundreds of thousands of SSNs that had to be identified with other customer information. All told, the investigation of this data breach encompassed more than 500GB of data in multiple languages (including Japanese), and 44 custodians inside and outside the US.

Imagine trying to tackle this challenge with manual searching, spreadsheets, and office productivity software, not to mention human reviewers and possibly translators. How long would it take, and at what cost? Given the potential for human error, how certain could you be that every detail in your investigation was accurate?

Automation and Advanced Technologies Pave the Way To a More Proactive Approach

While the above scenario is unique in some respects, it should serve as a warning for all companies that lack standard processes and appropriate technologies to respond effectively when potential wrongdoing from within or outside the organization is identified. It is particularly sobering in light of the fact that many enterprises — especially medium-size organizations — still lack clear plans and policies around internal investigations, rely on investigative workflows siloed by department, and use a patchwork of office applications and manual processes to carry out the investigative work.

While many of these same companies may deploy sophisticated e-discovery tools to address the challenges of high data volumes and data complexity in litigation, investigations are more likely to be ad hoc affairs that are organized only after a specific complaint or incident arises, and carried out with little standardization of processes and inadequate tools.

If that describes your organization's approach to internal investigations, it's probably time to consider some significant changes. Here are some suggestions:

• Use today's highly flexible, fully integrated and infinitely scalable SaaS platforms for e-discovery to manage diverse data types in a single, secure, user-friendly interface without having to invest in additional hardware or IT staff. Taking this step will also put you in the best possible position to move forward should the investigation ultimately trigger litigation.
• Deploy artificial intelligence (AI) technologies like machine learning, natural language processing and predictive analytics, just as many organizations now do for complex eDiscovery projects. Because investigations often begin without a clear pattern of facts, initial data searches tend to yield low percentages of relevant documents. AI is very powerful and cost-effective in these situations, enabling much faster culling, earlier cost projections, overall savings, and highly accurate results. It is also indispensable for complex tasks like building a chronology and storyline, threading to sort out email relationships, and creating word clouds to identify links between related concepts.
• For each investigation, create a secure, collaborative workspace that authorized users across departments and functions can access from anywhere with a Web browser via multi-factor authentication. This will help you establish more consistent workflows, and monitor activities and progress for more rigorous oversight and transparency. It will also make it easier to document steps across multiple departments and minimize the possibility that sensitive information may be inadvertently exposed while the investigation is in progress.
• Take advantage of the multilingual capabilities offered by some platforms to avoid the cost of hiring translators or reviewers fluent in the language(s) in question.
• Use AI to run "health check" investigations preemptively. If, for example, your organization is concerned about potential privacy violations related to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), you can use these tools to perform privacy audits and predict your organization's vulnerability. You can also use these technologies to look for data anomalies that may indicate security breaches or suspicious behavior.

Remember the medical device company (MDC) that was trying to match invoices to SSNs? In the course of using AI to complete this massive task, they discovered a second data breach they had been completely unaware of. This highlights the very real proactive potential of the advanced technologies that many companies may be already using for e-discovery. These tools can help companies develop more mature information governance and record management systems, perform regular privacy and other compliance audits, and even identify potential security vulnerabilities.

MDC has certainly taken notice. They are developing a formal, technology-enabled program for investigations. They plan to revisit their information architecture in light of recent experience, establish standard workflows across departments, and create a complete set of policies and procedures for investigative activities, including preemptive investigations where no problems are currently evident. It certainly beats waiting for the next trigger to come along.

*****

David Carns is the Chief Revenue Officer of Casepoint. He joined Casepoint as a Director of Client Services in 2010, rose the ranks to Chief Strategy Officer until his most recent promotion in 2019. In addition to being a recovering attorney, David possesses a lifelong passion for technology and its advancements. His career has always found him at the intersection of technology and the legal field given his intimate knowledge of both. Connect with David on LinkedIn @dcarns.