corporate internal investigations best practices
TRANSCRIPT
CorporateInternal InvestigationsB E S T P R A C T I C E S
Intr
od
uct
ion
An estimated of all data
created by corporations is in the
electronic format.
93%
*"A New Frontier in Electronic Discovery: Preservin� and Obtainin� Metadata" - Philip J. Farvo
*
Intr
od
uct
ion Subsequently, the number of
sanctions levied a�ainst parties
who improperly handle electronic
evidence continues to increase.
Intr
od
uct
ion Here are best practices
that should be followed when
plannin� and conductin� an
internal investi�ation.
11
1Id
enti
fy t
rigg
er e
ven
tsIdentify specific trigger events.
This would be anythin� that would cause
you to take action from a le�al,
compliance or investi�ative standpoint.
Document these triggers and make the
records available to stakeholders.
Identify your key external contacts
and document their information.
Ideally, you will have contracts in place ahead of
time to avoid ne�otiatin� a statement of work for
a time sensitive issue.2Id
enti
fy e
xter
nal
co
nta
cts
Identify your key internal contacts and
document their roles.
Once you have identified your internal team, �et
them in a room to�ether to be�in buildin�
relationships and a�reed upon protocols.
Document their
individual roles and
responsibilities within the
investigation process.
3Id
enti
fy in
tern
al c
on
tact
s &
ro
les
Have a plan or policy in place on
what to do when a trigger event
occurs and how to defensibly
handle the investigation.
4H
ave
an in
vest
igat
ion
pla
n
Document your entire process. 5
Do
cum
ent
you
r en
tire
pro
cess
Documentation is your sword in ne�otiatin� a
reasonable scope of discovery and your shield
in showin� that what you included or excluded
in preservation and collection was reasonable.
Document your chain of custody.
This document should provide
details re�ardin� the collection,
transportation, stora�e and �eneral
handlin� of electronic evidence.
6D
ocu
men
t yo
ur
chai
n o
f cu
sto
dy
HandlingStorage
TransportationCollection
7A
void
evi
den
ce s
po
liati
on
Treat the suspect employee’s computer
like a crime scene.
Every time an untrained
individual accesses – or attempts
to access – the data on the
devices, they run the risk of
unintentional destruction of data,
or at best, si�nificant chan�es to
the data that cannot be undone.
Collaborate with outside counsel
and/or a forensic examiner to dive
deeper into the data.
This will arm you
with valuable
information about
the case.
8C
oll
abo
rate
wit
h e
xter
nal
exp
erti
se
Your first steps should always be to
preserve the suspect's workstation and
immediately call a forensics expert.
9P
rese
rve
the
enti
re w
ork
stat
ion
Have the full internal team on this call, and be
prepared to discuss the facts of the
case/back�round, end �oals, and timeline of events.
10U
se f
ore
nsi
c ex
per
tise
& t
oo
ls
Their methods enable them to piece to�ether a
story that traditional discovery methods cannot.
Remember: Trained forensic examiners
with proper tools can recover
deleted information.
Be prepared to testify if you are
handling the electronic evidence.
You must be able to defend the accuracy of the
evidence collected, as well as the actual
collection process.
If this is an internal individual,
then be prepared for questions
surrounding bias and expertise.
11B
e p
rep
ared
to
tes
tify
Bes
t P
ract
ices
Avoid sanctions & risks by following these11 best practices for internal investigations:
1 Identify tri��er events
Identify external contacts2
Identify internal contacts & roles3
4 Have an investi�ation plan
5 Document entire your process
6 Document your chain of custody
7 Avoid evidence spoliation
8 Collaborate with external expertise
9 Preserve the entire workstation
10 Use forensic expertise & tools
11 Be prepared to testify
[ON-DEMAND WEBINAR]
CORPORATE
INTERNAL
INVESTIGATIONS