CorporateInternal  InvestigationsB E S T P R A C T I C E S

Intr

od

uct

ion

An estimated               of all data

created by corporations is in the

electronic format.    

93%

*"A New Frontier in Electronic Discovery: Preservin� and Obtainin� Metadata" - Philip J. Farvo

*

Intr

od

uct

ion Subsequently, the number of

sanctions levied a�ainst parties

who improperly handle electronic

evidence continues to increase.

Intr

od

uct

ion Here are         best practices

that should be followed when

plannin� and conductin� an

internal investi�ation.

11

1Id

enti

fy t

rigg

er e

ven

tsIdentify specific trigger events.

This would be anythin� that would cause

you to take action from a le�al,

compliance or investi�ative standpoint. 

Document these triggers and make the

records available to stakeholders.

Identify your key external contacts

and document their information. 

Ideally, you will have contracts in place ahead of

time to avoid ne�otiatin� a statement of work for

a time sensitive issue.2Id

enti

fy e

xter

nal

co

nta

cts

Identify your key internal contacts and

document their roles. 

Once you have identified your internal team, �et

them in a room to�ether to be�in buildin�

relationships and a�reed upon protocols.

Document their

individual roles and

responsibilities within the

investigation process.

3Id

enti

fy in

tern

al c

on

tact

s &

ro

les

Have a plan or policy in place on

what to do when a trigger event

occurs and how to defensibly

handle the investigation.

4H

ave

an in

vest

igat

ion

pla

n

Document your entire process. 5

Do

cum

ent

you

r en

tire

pro

cess

Documentation is your sword in ne�otiatin� a

reasonable scope of discovery and your shield

in showin� that what you included or excluded

in preservation and collection was reasonable.

Document your chain of custody.

This document should provide

details re�ardin� the collection,

transportation, stora�e and �eneral

handlin� of electronic evidence.

6D

ocu

men

t yo

ur

chai

n o

f cu

sto

dy

HandlingStorage

TransportationCollection

7A

void

evi

den

ce s

po

liati

on

Treat the suspect employee’s computer

like a crime scene.

Every time an untrained

individual accesses – or attempts

to access – the data on the

devices, they run the risk of

unintentional destruction of data,

or at best, si�nificant chan�es to

the data that cannot be undone.

Collaborate with outside counsel

and/or a forensic examiner to dive

deeper into the data. 

This will arm you

with valuable

information about

the case. 

8C

oll

abo

rate

wit

h e

xter

nal

exp

erti

se

Your first steps should always be to

preserve the suspect's workstation and

immediately call a forensics expert.

9P

rese

rve

the

enti

re w

ork

stat

ion

Have the full internal team on this call, and be

prepared to discuss the facts of the

case/back�round, end �oals, and timeline of events.

10U

se f

ore

nsi

c ex

per

tise

& t

oo

ls

Their methods enable them to piece to�ether a

story that traditional discovery methods cannot.

Remember: Trained forensic examiners

with proper tools can recover

deleted information. 

Be prepared to testify if you are

handling the electronic evidence.

You must be able to defend the accuracy of the

evidence collected, as well as the actual

collection process. 

If this is an internal individual,

then be prepared for questions

surrounding bias and expertise.

11B

e p

rep

ared

to

tes

tify

Bes

t P

ract

ices

Avoid sanctions & risks by following these11 best practices for internal investigations:

1 Identify tri��er events

Identify external contacts2

Identify internal contacts & roles3

4 Have an investi�ation plan

5 Document entire your process

6 Document your chain of custody

7 Avoid evidence spoliation

8 Collaborate with external expertise

9 Preserve the entire workstation

10 Use forensic expertise & tools

11 Be prepared to testify

[ON-DEMAND WEBINAR]

CORPORATE

INTERNAL

INVESTIGATIONS