Preparing for Internal Investigations to Mitigate Risk
The stakes in internal investigations can turn out to be very high. Companies can often respond effectively if they proactively plan for investigations and leverage technology that can comb through large amounts of data quickly at low cost.
May 11, 2020 at 04:01 PM
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
No one welcomes the prospect of an internal investigation. Even a relatively narrow and focused investigation can feel like a distraction from day-to-day business. Broader investigations can become complicated exercises requiring investigators (and sometimes outside counsel) to work with multiple departments and stakeholders, struggle to manage disparate workflows, and sift through mountains of data to arrive at the truth.
While complaints to HR alleging discrimination or harassment based on race or gender are among the most common triggers of an internal investigation, other triggers run the gamut. They include whistle-blower complaints alleging compliance violations or corporate fraud, the loss or theft of physical assets, leaked or stolen data containing sensitive or personal information, and leaked or stolen intellectual property.
The stakes in these matters can turn out to be very high. A purely reactive approach to investigations can not only cause delays in determining the truth, but also increase the likelihood of runaway costs and damage to the company's reputation. On the other hand, companies can often respond effectively if they proactively plan for investigations and leverage technology that can comb through large amounts of data quickly at low cost. These organizations have a much better chance of avoiding prosecution, large fines, substantial damages, erosion of employee morale, and negative publicity.
Investigations Are Often Legally, Logistically and Technically Complex
In most traditional litigation, attorneys can proceed from a known set of facts and have a clear roadmap to follow. Compared to litigation, internal investigations can be quite open-ended and unpredictable — you may not even have a date range in which alleged wrongdoing may have occurred, for example, and in some cases you may not know ahead of time who is likely to be involved or which custodians to focus on. Investigations are also highly context-specific, requiring very different approaches depending on the nature and seriousness of the complaint or allegation. Several different departments may need to be involved in addition to legal — HR, IT, finance, and compliance are common examples — each with their own workflows and applications. Also, while investigations often end without becoming the subject of litigation, investigators must always be prepared for that possibility. That means carefully documenting their activities and the chain of custody so the evidence they gather will be admissible in court.
Apart from the legal and logistical challenges, investigations often present significant, daunting technical challenges. The identification, preservation and collection of information relevant to an investigation may have to be completed under severe time pressure, particularly if the behavior in question is ongoing or poses an imminent threat to the organization's reputation or well-being. Data types and sources may be quite diverse, ranging from email, text messages, and instant messages to telephone records, voicemails, backup files and even video surveillance footage. Different technology platforms, applications and device types may all come into play.
Finding the Needle(s) In the Haystack
Consider this real-world scenario that recently played out at a medical device company, which we'll call MDC. It came to MDC's attention that they had suffered a data breach that targeted personally identifiable information (PII) — including Social Security numbers (SSNs) — from MDC customer records. MDC began the investigation knowing which SSNs had been stolen, and they knew that each of those SSNs was associated with the purchase of a particular medical device, but the SSNs were not associated with other customer PII in the company's databases. This meant that MDC was initially unable to notify the affected customers as required by law — a big problem — because they didn't know the names of those customers.
To find those customers, MDC would have to pore through thousands of invoices to identify relevant device model numbers, and then match the PII from the invoices to the SSNs of the affected customers.
To further complicate matters, MDC's sales and operations extend across the globe. Not only were the invoices in multiple languages, but the device model numbers were as well, which meant that model numbers in some languages had different characters than their counterparts in English. There were hundreds of thousands of SSNs that had to be identified with other customer information. All told, the investigation of this data breach encompassed more than 500GB of data in multiple languages (including Japanese), and 44 custodians inside and outside the US.
Imagine trying to tackle this challenge with manual searching, spreadsheets, and office productivity software, not to mention human reviewers and possibly translators. How long would it take, and at what cost? Given the potential for human error, how certain could you be that every detail in your investigation was accurate?
Automation and Advanced Technologies Pave the Way To a More Proactive Approach
While the above scenario is unique in some respects, it should serve as a warning for all companies that lack standard processes and appropriate technologies to respond effectively when potential wrongdoing from within or outside the organization is identified. It is particularly sobering in light of the fact that many enterprises — especially medium-size organizations — still lack clear plans and policies around internal investigations, rely on investigative workflows siloed by department, and use a patchwork of office applications and manual processes to carry out the investigative work.
While many of these same companies may deploy sophisticated e-discovery tools to address the challenges of high data volumes and data complexity in litigation, investigations are more likely to be ad hoc affairs that are organized only after a specific complaint or incident arises, and carried out with little standardization of processes and inadequate tools.
If that describes your organization's approach to internal investigations, it's probably time to consider some significant changes. Here are some suggestions:
- Use today's highly flexible, fully integrated and infinitely scalable SaaS platforms for e-discovery to manage diverse data types in a single, secure, user-friendly interface without having to invest in additional hardware or IT staff. Taking this step will also put you in the best possible position to move forward should the investigation ultimately trigger litigation.
- Deploy artificial intelligence (AI) technologies like machine learning, natural language processing and predictive analytics, just as many organizations now do for complex e-discovery projects. Because investigations often begin without a clear pattern of facts, initial data searches tend to yield low percentages of relevant documents. AI is very powerful and cost-effective in these situations, enabling much faster culling, earlier cost projections, overall savings, and highly accurate results. It is also indispensable for complex tasks like building a chronology and storyline, threading to sort out email relationships, and creating word clouds to identify links between related concepts.
- For each investigation, create a secure, collaborative workspace that authorized users across departments and functions can access from anywhere with a Web browser via multi-factor authentication. This will help you establish more consistent workflows, and monitor activities and progress for more rigorous oversight and transparency. It will also make it easier to document steps across multiple departments and minimize the possibility that sensitive information may be inadvertently exposed while the investigation is in progress.
- Take advantage of the multilingual capabilities offered by some platforms to avoid the cost of hiring translators or reviewers fluent in the language(s) in question.
- Use AI to run "health check" investigations preemptively. If, for example, your organization is concerned about potential privacy violations related to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), you can use these tools to perform privacy audits and predict your organization's vulnerability. You can also use these technologies to look for data anomalies that may indicate security breaches or suspicious behavior.
Remember the medical device company (MDC) that was trying to match invoices to SSNs? In the course of using AI to complete this massive task, they discovered a second data breach they had been completely unaware of. This highlights the very real proactive potential of the advanced technologies that many companies may already be using for e-discovery. These tools can help companies develop more mature information governance and record management systems, perform regular privacy and other compliance audits, and even identify potential security vulnerabilities.
MDC has certainly taken notice. They are developing a formal, technology-enabled program for investigations. They plan to revisit their information architecture in light of recent experience, establish standard workflows across departments, and create a complete set of policies and procedures for investigative activities, including preemptive investigations where no problems are currently evident. It certainly beats waiting for the next trigger to come along.
*****
David Carns is the Chief Revenue Officer of Casepoint. He joined Casepoint as a Director of Client Services in 2010 and rose through the ranks to Chief Strategy Officer before his most recent promotion in 2019. In addition to being a recovering attorney, David possesses a lifelong passion for technology and its advancements. Given his intimate knowledge of both technology and the legal field, his career has always found him at their intersection. Connect with David on LinkedIn @dcarns.
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.