Investigations in a New Data Landscape

Veeral Gosalia , Eric Christofferson


February 1, 2022

Few exercises are more complicated and anxiety-inducing than corporate legal and regulatory investigations. Such matters have always been crisis events—a signal that an organization is facing a large risk to its financial, operational or reputational stability. Driven by an accelerated use of cloud-based communication applications, the adoption of artificial intelligence and the move toward dispersed workforces, today’s new data landscape increases the legal and practical challenges of executing an investigation.

Before the massive influx of data in recent years, investigations mostly dealt with email, some chat applications and certain transactional records. Now, the scope of electronic evidence has expanded to also include instant and short-form messages from countless collaboration applications, documents from cloud-based file shares, audio and video files, millions or billions of transaction records linked across numerous systems, and data from personal devices. The range of evidence sources and types of data that must now be examined in the course of an investigation becomes very complicated very quickly.

Commingling of personal and professional data is another major obstacle, and it has increased as a result of widespread remote work. In many cases, sensitive company files or evidence in scope in an investigation have been found in personal accounts and on devices not managed by the organization. For example, in a recent case, a company’s intellectual property was discovered saved on an employee’s device as well as his child’s computer. The employee had been using his personal scanner for company files while working from home, and the scanner was also attached to the child’s device. In a similar case, an employee had used an online fax service attached to his spouse’s phone to send company documents, which ended up saved in the spouse’s iCloud backups. Many of these instances are benign in nature, but the end result for investigators is a tremendous number of technical challenges and legal complexities when gathering evidence.

Governments and courts are also becoming more sophisticated in their understanding of new data sources as relevant and in scope as electronic evidence. In some matters, U.S. regulators have begun sending separate subpoenas to individual employees of interest in an investigation, often with a primary focus on chat and text records. 

New data challenges will continue to proliferate as technology advances. Organizations are increasingly expected to manage and keep up with these changes. Legal teams that want or need to cooperate with regulators will need to be even more thorough. This applies not only in the collection phase, but when searching data sets and developing workflows to gain insight when search terms are not sufficient or searching is not possible.

When preparing for an investigation, legal and compliance teams should ­evaluate the following legal and practical considerations:

Requirements and limitations associated with the type of investigation. Every government agency will approach investigations slightly differently and regulatory investigations will differ significantly from internal investigations. Such nuances will impact costs, strategy and production requirements.

Types of data involved. Just as different types of investigations and different government agencies will influence a matter’s parameters, so will the types of data in scope. Early on, teams should decide how they will determine what is relevant or responsive, and how they are going to deal with issues like the use of emojis within texts or establishing the context of a conversation thread when personal and professional topics are mixed.

Regulations and company policies regarding responsive data. Many jurisdictions now have data privacy and protection regulations that may necessitate additional steps or obligations when collecting data from individuals or transferring it across borders for review. Teams must understand the boundaries across data protection laws, cultural nuances and corporate policies. Organizations that have strong information governance and legal hold policies and use mobile device management software may have an easier time accessing and collecting data spread across personal devices and accounts. Regardless of these information governance controls, investigators will often need to ask data holders to provide access to their devices and cloud accounts, and should know the legal and logistical requirements that flow from these requests.

Data availability and requirements. It is important to avoid an all-or-nothing view of a person’s data, especially when it resides on a personal device. The first step is to determine what data is available, taking into account any company policies regarding mobile device management and usage, and whether the individual is cooperating or if the data is encrypted. Then, when collecting from personal devices, investigators can make a forensic copy of the device, but also make every effort to isolate the specific and relevant data that is needed from any personal conversations or files. This approach makes it possible to maintain forensic defensibility while also assuring individuals that their personal information will not be on display.

Just as the information landscape has changed, the nature of investigations is changing too. Information governance and data privacy considerations are increasingly intersecting with investigation methodologies. Teams will now need to adjust their strategies to deal with the scale and scope of these evolving data challenges.

Veeral Gosalia is senior managing director at FTI Technology.
Eric Christofferson is a partner in DLA Piper’s Boston office and a member of the firm’s white collar and corporate crime group.