A recent survey of senior in-house lawyers found that a majority are concerned about the impact of emerging data sources such as collaboration platforms and cloud file-sharing tools. Rightly so, as the pandemic and shift to hybrid working patterns have accelerated the expansion of the corporate data footprint. Traditional channels such as email and laptops are no longer the only data sources that must be addressed when considering data preservation requirements, or in litigation and investigations. Lawyers must now often contend with a complex web consisting of hundreds or thousands of systems, applications and remote devices. This change has made a profound impact on the methodologies used in investigations and litigation.
The New Data Landscape – and Emerging Requirements
To put the scale of the current data universe into perspective, consider that more than two-thirds of the world’s population use mobile devices and more than 12 million people send iMessages every minute. The use of Microsoft Teams has grown exponentially and now boasts 270 million daily active users, whilst the broader Microsoft 365 ecosystem includes more than 1,700 third-party apps that can integrate into Teams. Meanwhile, use of mobile device messaging applications is growing rapidly, with WhatsApp users sending 100 billion messages every day. This widespread use of chat, messaging and collaboration tools has led to the possibility of blurred lines between business and private communications and information.
The sheer volume of information being created in this new data landscape alone is daunting, and creates numerous challenges for businesses, particularly those in highly regulated sectors such as financial services. From a risk perspective, the implications are now manifesting in the form of enforcement actions and increasing regulatory scrutiny.
This year in the U.S., various regulatory bodies have issued or re-emphasised guidance on the need for companies to preserve emerging data sources and noted that controls around the use of personal devices and third-party applications will be relevant to the evaluation of a corporate compliance programme. Recently, more than a dozen financial institutions were fined a collective US$1 billion for failure to monitor and retain data held on employees’ personal devices. In the U.K., the Financial Conduct Authority have announced that they are “actively discussing personal device use with a range of U.K. authorized firms, not limited to those who may have been subjected to other regulatory enquiries.”
Governance to Ensure Investigation Readiness
The increasingly complex data landscape (particularly in a hybrid working environment), coupled with increased regulatory scrutiny is putting pressure on organisations to revise their approach to data preservation and investigation readiness.
Data retention is critically important. A comprehensive data retention programme will support proactive compliance efforts — and will equip the internal legal team with an ability to work with internal or external experts to place legal holds quickly and comprehensively, and ensure access to data sources and devices when a matter arises.
However, organisations will need to be diligent in addressing the many nuances within cloud systems. For example, we have encountered issues where a litigation hold placed by a company on a Microsoft 365 account has not expended to the user’s full scope of activity and access across Teams, OneDrive files and SharePoint. Teams need to be equipped to assist and understand the implications where anything goes wrong. Data retention and preservation orders must be in place continually and cover, for example, any devices later handed in, to ensure that these are not wiped and repurposed.
To support this, legal and compliance teams should collaborate with their IT colleagues to map the types of systems commonly used across the organisation, as well as how the information within these platforms is accessed, shared and preserved. For example, IT should utilise mobile device management systems to take stock of what devices are within the environment and how they are being used. It is also important to ensure that data preservation and related policies (e.g., bring your own device policies) are up to date and enable a company to preserve, monitor and review emerging data sources.
Bracing for Discovery Challenges
Even for legal teams with a strong data retention programme and a good understanding of its data environment, emerging data sources often present unique and technically complex challenges when an investigation or disclosure exercise arises. Legal teams should consult with experts who have experience in navigating these issues early on to avoid issues down the line.
In the initial phases of data collection and processing, challenges can arise in securing access to certain systems or personal devices. Some collection tools are not capable of extracting data from certain emerging data sources, or are unable to handle the volume of data involved. In other cases, data extractions may be incomplete — we have had experience on recent investigations where a specific Teams channel has been collected, but the related attachments or linked documents have not automatically come through as part of that collection. It is absolutely crucial to check that extractions capture all possible aspects of the data source.
While lawyers can advise on the legal and risk considerations of collecting from various data sources, legal advisors and digital forensics experts need to work together to overcome technical hurdles, ensure no data is inadvertently missed in the collection exercise, and ensure the process is defensible and clear methodologies are followed.
From a review and analysis perspective, there are many new considerations with emerging data sources that were simply not at issue when data was predominantly stored in hard drives and in email accounts. Search terms and traditional workflows alone will no longer be sufficient. The scope of an investigation may require analysing (and triangulating) call records, transcripts, recordings, lengthy chat threads and more.
Once gathered, the information within these sources can enrich an investigation and reveal key facts. For example, in recent investigations, we have been able to cross reference the times of Teams calls, or emails, to real-time chat messages, providing context to the (often otherwise obscure) chat messages. However, these additional data sources can also heighten the risk of what may be uncovered or whether everything relevant has been preserved. Additionally, teams will need a way to filter the potentially relevant information from different and disparate data sources into a single, analytical view, to understand the full picture of the facts.
Changes in Investigations Conduct
The shift in data also raises numerous considerations for the conduct of investigations. In past environments, data preservation and investigations could often be initiated centrally from an organisation’s email system, without individuals immediately knowing that an investigation was underway. This element of discretion can be very important, especially during internal investigations into corruption or other forms of misconduct.
Now, individuals may need to be notified at a much earlier stage of the investigation, for example, where the legal team needs to access mobile devices which cannot be preserved remotely. This sets off a ticking timeline for legal teams to try to identify custodians, justify the need to access mobile devices, advise on data privacy considerations, as well as accelerate data preservation and initial document review (where possible) before information is deleted without being backed up centrally. Often, this means relying on the cooperation of individuals, which carries additional risks in requiring user passwords. For investigations involving many custodians in many locations, organisations may need to mobilise and coordinate a team that can execute data preservation processes simultaneously across multiple jurisdictions.
Given the way that corporate and personal data have become co-mingled, there are also more complex legal and compliance risks in terms of how and what data is collected during an investigation. Companies need to ensure data privacy advice is taken on handling data (and this is increasingly being challenged by individuals who are the subject of investigations). Similarly, employment laws in certain regions may also prohibit the ways in which an organisation can secure information on employee devices. It’s critical to have processes in place that account for these issues and ensure that every step of the investigation is handled in a manner that complies with applicable legislation.
An Ever-Changing Landscape
Data is becoming increasingly complex and dispersed. Keeping up with the technical challenges and the broader compliance risks is a significant undertaking that requires expert guidance and support. The consequences of not addressing these issues will continue to intensify — authorities are continuing to focus on this, and past processes may no longer be acceptable. Organisations must ensure they work in conjunction with legal teams and forensic experts to revisit their readiness for investigations, and also to conduct investigations in a way that is aligned to the new data universe.
This article was co-written with FTI Consulting and first appeared in The Lawyer – Briefing Room.