It’s natural for employees to balk at making private messages open to outside counsel or forensic specialists as part of an internal investigation, but there are ways to meet privacy concerns while enabling the company to get what it needs, investigation experts say.
“Privacy concerns are real. They’re fair and legitimate,” said Steve Davis, vice president of Purpose Legal and a licensed private investigator, in a webcast hosted by Corporate Counsel Business Journal and eDiscovery software company Everlaw. “People have a right to privacy.”
Start by taking at face value which data sources the employee says are personal and, for that data, just do spot checks to validate that it doesn’t apply to the investigation.
“To make this a defensible investigation, you must put some checks in place,” said Brock Bosson, a partner with Cahill Gordon & Reindel. “Identify all of the employee’s contacts who are work related, pull all of those, and then do spot checks of the remainder. In my experience, people are usually more comfortable with spot checks.”
If the spot checks appear to support the claim that the data isn’t work related, you can note that and support your decision later should you be asked about it as part of a government investigation or other matter that requires a look-back.
Keeping contemporaneous records of what you’re doing will help ensure you can retrace your steps, said Davis. “Two or seven years later, when you’re arguing about the process, you understand what was done.”
Being clear about how the data is collected and how it’s checked can help with getting buy-in, said Davis.
“I explain how scientifically we go about getting [data] bit by bit, putting it into a secure area that’s airgap – not touching the internet, so no one can hack into it and grab it – and that these are the only search terms I’m looking for,” he said. “Sometimes we even allow the custodians to review it before [the investigating outside counsel] gets it back to look at. So, there are ways to skin that cat and handle it.”
For data that’s on company devices or in company cloud storage, it makes sense to try to extract as much as possible directly from the source, by accessing it using backend technology, said Bosson. This has the advantage of saving the data before it can be deleted, either intentionally or inadvertently, and can be especially helpful if you’re concerned some employees, alarmed at receiving a preservation notice, will respond by deleting data.
“Maybe the company is very far from the flagpole,” said Bosson, “on the other side of the world and maybe not used to notices such as these and could actually precipitate people getting rid of data. In these cases, whatever you can collect from the backend as quickly as possible is a good strategic step.” Backend collection can also help with employees working remotely.
But this kind of collection must be supported with policies upfront so that employees understand that the data on their company-provided devices, or on personal devices when work is done on them, is subject to collection for investigations, in response to subpoenas and so on, and they’ve signed an agreement about that.
“You’re not coming in covertly, like a SWAT team, to do things,” said Davis.
The company’s IT department might come forward to manage collection on behalf of the in-house team overseeing the investigation, but data collection has become much more complex in recent years and it’s likely that, as good as the IT team is, it doesn’t have all the tools it needs to collect data in all the different ways it’s stored.
“We have hundreds of home-grown and off-the-shelf tools that we use … because you don’t know if it’s going to take a sledgehammer or a tweezer,” said Davis. “IT might think they can get the data but it might take a specialized tool that they don’t have.”
What’s more, data collection that worked in the past might not work today because of the speed at which platforms and manufacturers change their systems.
“Every day that goes by, data is more privatized, and people change security settings and they change APIs and connectors,” said Davis. “We [can be] downloading LinkedIn or Facebook or Instagram and the next day it’s disabled.”
Ephemeral messaging apps like Telegram, Signal and WhatsApp pose their own challenges, but for the most part, preserving this type of data comes down to policy; these apps generally have settings to preserve data, so it’s a matter of telling employees using these apps for work to use the setting to preserve the data. “It’s a settings issue,” Davis said.