Internal Investigation Game Plan A 10-Step Guide to Reliable and

Document Sample
Internal Investigation Game Plan A 10-Step Guide to Reliable and Powered By Docstoc
					                                                                          risks, and also limit the possibility of front-page scan-
              Internal Investigation                                      dals that can tar a company’s public image beyond
              Game Plan: A 10-Step
                                                                          Oversight Needed, But How Much?
              Guide to Reliable and
                                                                               Recent headlines have illustrated the disastrous
              Defensible Electronic                                       consequences that result from either sloppy oversight
                                                                          or fanatical investigation: costly litigation, public
                                                                          scorn, even congressional action. On one extreme, the
              Records Review                                              corporate accounting scandals of 2000 and 2001 so
                                                                          greatly outraged the public and spooked the markets
                                                                          that Congress was forced to act. While public compa-
                                                                          nies had already been required to act in the interest of
                     rying pan or fire? From the perspective of many      shareholders, the new Sarbanes-Oxley Act went fur-

              F      public corporations in the United States, that
                     seems to be the choice when it comes to internal
                     investigations — especially investigations that
              delve into e-mails, Microsoft Word documents, and
              other electronic records. A company that exercises lax
                                                                          ther, requiring management to accept personal respon-
                                                                          sibility for their companies’ misconduct, including cer-
                                                                          tain activities of their directors, managers, and
                                                                          employees. For a few years after Sarbanes-Oxley, com-
                                                                          panies went to great lengths to police company and
              oversight exposes itself to shareholder suits and, possi-   employee activity, and they feared engaging in too lit-
              bly, criminal investigations. Enron, WorldCom, and          tle oversight, not too much. More recently, however,
              the rest of the accounting scandals that produced the       concerns have arisen about companies that go too far
              Sarbanes-Oxley Act provide the clearest examples of         in their efforts to ferret out misconduct that they
              the “lax oversight” risk. On the other extreme, a com-      believe harms shareholders or company interests.
              pany that investigates with too much vigor runs the              The possibility of slipping towards either of these
              risk of violating the privacy rights of employees and       extremes presents corporations with a series of diffi-
              others swept up in the investigation.                       cult questions: How much should (or even must) a cor-
                   While structuring an appropriate internal investi-     poration investigate the activities of its employees,
              gation poses a daunting array of challenges, this article   managers, and directors? How can it do so lawfully?
              focuses on the preservation and processing of elec-         How can it be sure that the results of its work can stand
              tronic records. This is a key element of any corporate      up in court? In an increasingly litigious society, these
              investigation. Companies that handle it properly avoid      are critical questions for any public company.
              both ruinous extremes. Adhering to a handful of key              These concerns take on added complexity in light
              investigative principles will greatly reduce litigation     of relentless and rapid technological changes.

                                                   BY CHAD BRECKINRIDGE

26   W W W. N A C D L . O R G                                                                           THE CHAMPION
Increasingly, investigations and litiga-     For this reason, among others, many          and its standard uses (order process-
tion turn on digital footprints just as      corporations elect to rely on outside        ing, financial analysis, e-mail, data
much as (or more than) they flow from        experts entirely and instruct employees      entry, etc.).
paper records. Gathering electronic          to leave relevant records alone.                   The team must be careful not to
information properly is therefore fun-                                                    overlook any applicable sources.
damental, both to ensure that the cor-           Step 2. Review data reten-               Depending on the scope of an investi-
poration meets its duty to ferret out        tion policies. As the first order of         gation, relevant data can appear in any
unlawful or detrimental conduct and          business, the investigative team should      number of places: file servers, portable
to ensure that it does not slip too far      make sure that the corporation has           and non-portable storage devices, flop-
toward unscrupulous tactics in the           adopted data and document retention          py disks, memory sticks, back-up tapes,
process.                                     policies that will ensure ongoing            desktop computers, laptop computers,
                                             preservation of records that could be        personal data assistants, wireless
Internal Investigations                      relevant to the investigation. Simply        phones, cached files, other temporary

                                                                                                                                        RELIABLE AND DEFENSIBLE ELECTRONIC RECORDS REVIEW
                                             deleting files from storage after a pre-     files, erased and deleted files, file slack
Involving Electronic Data                    scribed amount of time may not be an         space, other unallocated space on stor-
     What should a company do to             adequate policy when a company               age devices, cookies, password protect-
investigate suspected wrongdoing?            begins considering whether to com-           ed files and folders, encrypted files and
How can it satisfy its duty to share-        mence an investigation. Acting in con-       folders, software, executable files, etc.
holders, yet also avoid appearing on the     cert with the company’s management           The team must be sure that it has the
front page of the New York Times? It         and information technology staff, the        flexibility and technical proficiency to
turns out that there is a correct answer:    investigative team should develop a          handle this enormous and growing
engage in a forensically pure records        data retention policy that reflects the      array of data sources.
review that adheres to applicable laws       scope of the situation. The team should
regarding the rights of employees and        strive to come up with a policy that             Step 4. Develop a strategy.
outsiders alike. While these parameters      does not require unnecessary and bur-        The team should draft a comprehensive
will shift with time, 10 practical con-      densome preservation, while simulta-         plan in advance of accessing any data.
siderations will help guide any corpo-       neously ensuring that relevant records       Among other things, it must determine
ration framing an internal investiga-        will still exist even if the investigation   whether to work on the corporation’s
tion that — like virtually all corporate     takes an unexpected turn.                    premises or remove relevant hardware
investigations today — entails the                The company and the investigative       and data to a separate location; whether
review of electronic records.                team should share the tailored data          to quarantine any equipment to prevent
                                             retention policy with relevant govern-       erasure or tampering (either intention-
   Step 1. Assemble an experi-               ment regulators, at least to the extent      al or inadvertent); whether to copy
enced investigative team.                    the regulators are already aware of the      individual files or image entire drives;
Whether it investigates using internal       investigation or the underlying issues.      how best to handle encrypted informa-
resources or retains outside experts, the    A company that obtains a green light         tion; how to sift through duplicative
corporation should assemble its inves-       from the relevant regulator at the start     records; and what kind of data storage,
tigative team at the outset and ensure       of the process can greatly reduce the        processing and recordkeeping systems
that its chosen investigators are quali-     risk that the regulator will find the        it will use to process the data it obtains.
fied for forensically pure electronic        results insufficient at the end. For the     With respect to this last issue — data
records review. A qualified investigative    same reason, companies and their             storage and processing — the team
team will generally include legal            investigative teams should consider          should assess whether to use dedicated
experts, technology experts, and, when       discussing data retention policies with      software (usually designed for litigation
appropriate, experts familiar with the       outside accountants and other entities       preparation) or rely on traditional,
matter under investigation ( e.g. ,          that may be asked to accept the investi-     hard copy document filing systems. In
accountants, scientists, physicians,         gation’s results when the investigation      any event, the comprehensive plan
export specialists, etc.). Corporations      is complete.                                 should be detailed yet flexible and scal-
often elect to include white collar liti-                                                 able, because internal investigations
gators on the team as well, to help             Step 3. Study the electronic              rarely proceed precisely as expected at
avoid missteps that could negatively         records system. Before processing a          the outset.
affect any resulting litigation.             single kilobyte of data, but after con-           As with the data retention policy
     As a corollary to Step 1, corpora-      firming that the company and its             described in Step 2, the company and
tions should be sure to prevent unau-        employees will not destroy relevant          the investigative team should consider
thorized employees, managers, or others      records, the investigative team should       sharing the investigation plan with rel-
from taking investigative matters into       develop a complete understanding of          evant government regulators (or out-
their own hands. Although well-inten-        the company’s electronic records sys-        side accountants, etc.). A regulator that
tioned, such efforts can derail investiga-   tem. This step is absolutely fundamen-       accepts a proposed investigative
tions from the start by tainting relevant    tal, as a mix-up about the system’s          approach at the start of an investiga-
records. An opponent in litigation will      parameters can render a search strategy      tion is less likely to challenge that
take any available step to cast doubt on     worthless. A full understanding of the       approach (or the results) when the
evidence, and discrediting the veracity      system includes awareness of its techni-     investigation is complete. In addition, a
of a document or the process by which        cal scope (types of operating systems,       company that seeks input from the reg-
it was found becomes relatively easy         hardware, software, etc.), its geograph-     ulator over the course of an investiga-
when an employee without extensive           ic scope (locations of relevant equip-       tion will generate goodwill and a spirit
investigative experience snoops around.      ment — cities, offices, homes, etc.),        of cooperation that can pay dividends

W W W. N A C D L . O R G                                                          JANUARY/FEBRUARY 2007                                 27
                                                    when the regulator ultimately reviews       condition of admission, of course, pro-     vast digital storage systems has enabled
                                                    the investigation’s findings.               ponents of electronic records must also     companies to retain massive volumes
                                                                                                authenticate them — that is, propo-         of information in electronic form. The
                                                       Step 5. Assess privacy law               nents must demonstrate that the             investigative team must recognize that
                                                    concerns. A company’s management            records are what they claim them to be.     there is no need to review all of the
                                                    and employees have legitimate privacy       This requirement has direct conse-          electronic documents; indeed, doing so
                                                    interests, and an investigation will        quences for structuring a records           would likely require an enormous
                                                    undoubtedly spark concerns. The pre-        search in a corporate investigation. If a   commitment of time and money.
                                                    cise scope of an employee’s or manag-       record has been altered or tampered         Instead, the team should use key words,
                                                    er’s privacy rights depends on several      with, authentication will be more diffi-    date ranges, author identifiers and
                                                    factors, including the state or country     cult. (Although not impossible; courts      other parameters to filter records down
                                                    in which the relevant records are locat-    tend to admit such records, but con-        to a reasonable and relevant universe.
                                                    ed, the state or country in which the       cerns about tampering affect their per-     In addition, the team should apply its
                                                    person works, and the terms of any          suasive value.) Thus, from the first        filter to only a few data sources at the

                                                    employee manuals or document dis-           minute of an investigation, a corpora-      start of its review, just to be certain that
                                                    closure policies that apply. In many        tion must be sure that none of its          it is neither under- nor over-inclusive.
                                                    cases, more than one jurisdiction’s pri-    investigative actions change the under-     The team must be ready to make
                                                    vacy laws may apply. For instance,          lying records in any way, which is a real   changes to its filtering system as more
                                                    many European governments prohibit          and constant risk with digital records.     information comes to light, and it must
                                                    a company from “exporting” records to                                                   retain the ability to return to previous-
                                                    the United States unless the company           Step 7. Preserve the source              ly searched sources in the event it wish-
                                                    demonstrates that it has adequate pri-      data. The investigation team should         es to use new key words, dates, and
                                                    vacy protections in place. As a general     take every precaution to protect the        other parameters.
                                                    rule, accessing a record stored in          source data in their original form. That
                                                    Europe from a computer located in the       is, it should avoid altering or manipu-         Step 9. Document every-
                                                    United States qualifies as “exporting”      lating the very evidence it is trying to    thing. It is essential that all members
                                                    the data to the United States. In such      review. Reviewing digital records with      of the investigative team document
                                                    cases, the investigation must adhere        standard desktop systems actually           their work thoroughly. An accurate and
                                                    both to the restrictive European            alters them slightly. While the face of     comprehensive record will help the
                                                    requirements as well as to all applicable   the record may appear unchanged,            team keep tabs on its progress in a
                                                    United States federal and state require-    simply opening a record can perma-          complex process, and it will assist in
                                                    ments that apply to the records.            nently alter its metadata, such as infor-   demonstrating chain of custody and
                                                                                                mation indicating when it was last          authenticity if necessary in subsequent
                                                       Step 6. Review relevant evi-             accessed or modified.                       litigation. The team should track and
                                                    dentiary requirements. While                      Running seemingly benign pro-         make note of all electronic record
                                                    many internal investigations are            grams (Microsoft Word, Excel, etc.) on      sources, authors, and server and drive
                                                    designed to avoid lawsuits, corpora-        a subject laptop or PC, or even just        locations, and it should identify which
                                                    tions should recognize that litigation is   booting up a machine, can alter or          end users had access to which systems.
                                                    always a possible outcome. Therefore,       erase files stored in temporary folders.    The team should also keep records of
                                                    the investigative team should take great    These changes can destroy records or,       which servers and other data sources
                                                    care to avoid any missteps that could       at the very least, make it harder to        were mirrored and which were not,
                                                    render data unusable in court. Among        authenticate them, demonstrate chain        when, where, and by whom. Taken
                                                    other things, the team should ensure        of custody, and have them admitted in       together, these records will allow inves-
                                                    there are no holes in the chain of cus-     court. Changes to the underlying data       tigators to make quick assessments of
                                                    tody for any data, make sure that it can    also generate doubt about their veraci-     what they have seen, what remains, and
                                                    replicate the data searches it intends to   ty, and they make it impossible to run      what they have found so far.
                                                    run, and (as detailed in Step 7) assidu-    the same search twice (because the               The team should also carefully
                                                    ously avoid any actions that might alter    underlying data have been changed).         track the electronic records that it
                                                    the data or their sources.                        The best way to preserve source       reviews after filtering. Among other
                                                         The complexities of the Federal        material is to avoid touching it at all.    things, reviewers should note the
                                                    Rules of Evidence and admitting elec-       Instead, the investigative team should      source of the relevant record, its
                                                    tronic records in a U.S. federal court      replicate the data and then work from       author, any recipients, and any other
                                                    exceed the scope of this article. Be        the copy rather than handling and pos-      identifying information. Reviewers
                                                    aware that opponents of admission           sible harming the original. Generally,      should also make shorthand notes
                                                    typically argue that the records should     replication of data is accomplished by      describing a document’s relevance so
                                                    be excluded as inadmissible hearsay,        imaging relevant drives and servers.        that the team can retrieve particularly
                                                    while proponents contend that they fall     The investigators should make sure          useful records quickly and easily.
                                                    within the business records exception       that they image the data to a pristine      Finally, and most importantly, the team
                                                    of Rule 803(6).                             storage system; otherwise, electronic       should adopt a system under which
                                                         As a general rule, courts admit        pollutants left over from previous          each document is given a unique iden-
                                                    electronic records despite hearsay con-     searches can contaminate the new            tifier (such as a Bates stamp) to ensure
                                                    cerns as long as the proponent shows        information.                                quick retrieval. Many commercially
                                                    that they were kept as part of a routine                                                available database systems ( e.g.,
                                                    procedure under circumstances that              Step 8. Beware of informa-              Cataphora, nMatrix, CT Summation,
                                                    tend to ensure their accuracy. As a pre-    tion overload. The emergence of             and other litigation support systems)

28                                                  W W W. N A C D L . O R G                                                                           THE CHAMPION
can assist teams in these critical but
challenging recordkeeping tasks.

   Step 10. Prepare a final
report. When the investigation begins
winding down — or when litigation
looms — the team should prepare a
detailed report that describes all of its
efforts, especially as they relate to each
of the steps identified here. This report,
which will draw largely on the detailed
recordkeeping described in the previ-
ous step, has many vital uses, such as

                                                                        RELIABLE AND DEFENSIBLE ELECTRONIC RECORDS REVIEW
demonstrating the authenticity and
veracity of documents (for use in court
or elsewhere), accelerating the process
of reconstructing past searches when
necessary, cataloging the sources that
were and were not reviewed, and iden-
tifying weaknesses in information
management that the company may
wish to address in the future.

Striking a Balance
     To be sure, it is a daunting list,
which explains why many corporations
elect to hire outside experts rather than
run the risk of taking missteps while
overburdening their internal resources.
However a corporation elects to pro-
ceed, the core message should be clear.
Public companies have an obligation to
monitor internal activities carefully
and appropriately, and there are proven
methods for doing so without tipping
too far toward either lax oversight or
overzealous scrutiny. s

 About the Author
 Chad Breckinridge, an associate with the
                      law firm of Harris,
                      Wiltshire & Grannis
                      LLP, practices in the
                      areas of domestic
                      and international
                      regulation       and
                      internal corporate
                      investigations. He
 has engaged in investigations, domestic
 and international, of management
 integrity, accounting practices and cor-
 porate compliance with export control

 Chad Breckinridge
 Harris, Wiltshire & Grannis LLP
 1200 18th Street NW, 12th Floor
 Washington, DC 20036
 Fax 202-730-1301

W W W. N A C D L . O R G                        JANUARY/FEBRUARY 2007   29