Many investigations across the globe are currently being conducted remotely, with in-house investigators/lawyers, external counsel and other providers, and even government prosecutors, working from their homes.
The current crisis is likely to accelerate a longer-term shift towards increased remote and flexible working (a trend that has already developed significantly in recent years).
Increased remote working presents some challenges for those conducting investigations, both in terms of the adjustments to the process of the investigation and the proliferation of data sources companies are using to facilitate remote working.
We set out below five key points to help those navigating investigations remotely, covering: (i) data preservation and collection; (ii) data review; (iii) interviews; (iv) reports; and (v) calls and other practicalities. We also explain some of the advantages of conducting investigations remotely, including potential time and cost savings.
1. Data preservation and collection
Remote working can present challenges for data preservation (particularly preservation of devices, physical media, and hard copy documents that may be held in various and widespread locations). It is important to get legal advice in the relevant jurisdiction(s) so that employment law and data privacy risks can be managed.
In the case of network data, where external data collection providers cannot travel to site (which may commonly be the case for the foreseeable future), data will either need to be collected by granting external providers access to systems or by remote supervision (e.g. screen sharing). Whichever method is used, extra time should be built in and care should be taken to ensure that preservation and collection is forensically sound, particularly in the case of regulatory and criminal investigations. In-house IT teams are likely to need support and careful record-keeping is essential.
Securing physical digital devices and hard copy documents is likely to be more difficult. Co-operation from the custodian is likely to be necessary unless device images are taken periodically or can be extracted remotely (e.g. if employees do not store data on the device itself, or where the data is stored on the cloud).
The proliferation of Bring Your Own Device (BYOD) arrangements in companies will likely make matters more complicated. Now is a good time for employers to review their policies and what powers they possess which require employees to co-operate and provide data, including on personal digital devices and ephemeral communication applications such as WhatsApp, WeChat, Telegram and Signal – particularly where these are prohibited for work purposes. In practice, there can be a tension between the employer prohibiting business use of such applications and the employer wanting individuals to provide the messages that are sent in contravention of the policy.
Employees will likely have privacy concerns (particularly if the digital device is one used by the employee for personal purposes) and will need to be assured of the measures taken to protect their privacy and the company’s interests. Concerns about privacy may lead to employees refusing access to their digital devices. Therefore, subject to data privacy advice in the relevant jurisdiction(s), companies need to put in place robust policies that give them sufficient leverage to obtain access to digital devices, including business data on personal devices. Companies should properly document steps and attempts to obtain access to such digital devices in order to demonstrate to regulators that all available legal measures have been exhausted should an employee refuse to grant access to devices.
Where devices/documents cannot currently be collected and processed but remain in the workplace, it may be possible to arrange to secure these (e.g. lock them away) but there may be employment law and practical issues in securing documents and devices that are located in employees’ homes. Hard copy documents will present less of an issue as many companies move to paperless operations but strict rules are necessary in relation to the storage of hard copy documents at office locations/in archive and the destruction of documents.
2. Data review
Remote data reviews present challenges, for example regarding the availability of equipment and the security and control of data. Very clear guidance needs to be provided on security and confidentiality measures and briefing documents should be encrypted and provided by secure email (or ideally, portals). Without face-to-face reviewer/case team meetings, it can be useful to have daily “wash up” calls to share information, ask questions and allow the team to consider refinements to the review methodology.
Careful consideration needs to be given to the locations in which emails and other personal data are reviewed, whether by the review team or the broader case team. Reviewing such data in another jurisdiction may cause data privacy issues because it may technically be considered to be a data export. This is already a common issue where those working on investigations have global or regional roles and advice should be sought to avoid causing a regulatory issue.
There is also an abundance of technology already available to assist review teams in collaborating remotely to build key event chronologies, track key documents etc. These tools become critical where the review team are not in the same physical location.
Conducting interviews by phone or video can be difficult but technology has improved significantly. Interviews should, as far as practicable, by conducted by video: at the very least, the interviewer is able to observe the interviewee’s facial expressions. Irrespective of the mode of the interview, it is important to make sure that the software/phone line is secure and steps must be taken to ensure that there is a clear line or picture (as a matter of best practice, these lines should be tested first). It is also important to ensure that the interviewee is in a quiet, private and secure location while the interview is taking place – we once started a video interview only to realise the interviewee was driving while holding a tablet on the steering wheel!
Remote interviews require a different approach from in-person interviews. When interviews are conducted remotely, the interviewer needs to make a conscious effort to ensure the interviewee is comfortable (particularly given the lack of eye contact) and thought should be given as to how many people should participate in the interview. At the start of the interview, interviewees should be asked to confirm they are not recording the interviews but interviewers should assume that there is a possibility that recordings are covertly being taken. Interviewers should also make sure that interviewees are attending interviews alone and that there is no one else in the room. If interviewers suspect that there is someone else in the room, for example coaching or recording the interview, interviewers should pause the interview to clarify this.
It is important that the interviewee understands the process and implications of the interview and feels comfortable enough to ask questions and take breaks. Care needs to be taken to speak slowly and clearly, and to try to avoid talking over the interviewee. There needs to be more emphasis on non-visual listening signals. For example, nodding and making eye contact needs to be replaced with “Yes, I understand” and “Thank you for explaining”. Interviewers should also be conscious of the need to use the mute button to avoid distracting background noises, including the tapping of keyboards from note-takers.
The provision of documents to interviewees can be challenging because, to some degree, control over the documents may be lost. In some cases it may be appropriate to share screens with the interviewee or provide the documents on a secure portal in advance. However, sharing or providing documents remotely runs the risk that the interviewee takes copies of the document, for example, the interviewee may take photos of the screen. In any event, the general principle is that interviewees should only be shown documents that they have previously seen or which concern them. Documents should be clearly numbered for ease of reference throughout the interview.
Drafting reports where team members are working in different locations requires a clear plan of action and allocation of responsibilities in order to avoid duplication and inconsistency. Reports must be provided securely, for example on a portal, with built-in restrictions on printing and onward circulation and the capability to track access.
Where reports and supporting documents need to be printed, care should be taken to ensure that documents are securely delivered to the intended recipients or that the intended recipients are able to print directly from company systems to home printers. Sensitive documents should not be sent from unsecure webmail or loaded onto personal devices. Clear guidance should be provided on what recipients can and cannot do with the documents and the information within them (particularly if the report is privileged) and how such documents are to be stored and ultimately archived or destroyed.
5. Calls and other practicalities
Those working on investigations – particularly those living with others – must have a location where calls may be taken confidentially. Appropriate equipment (e.g. headsets) should also be used. This may only be possible at particular times of the day and so a regular call at a set time may be appropriate.
Consideration needs to be given to the practicalities of producing data to regulators or prosecutors (especially if eDisclosure personnel do not have access to hard drives or other removable media in their working location). Secure file transfer platforms may provide a solution but it is important to check file size restrictions and system compatibilities – and in any event, well ahead of any deadlines. Regulators and prosecutors have particular requirements for submission of electronic data including in relation to the integrity of the underlying metadata. The mode of delivery of these documents should therefore be checked for compliance with the relevant requirements. Deadlines for production of documents to regulators or prosecutors may need to be extended. In this regard, early engagement with regulators or prosecutors is likely to assist.
The growth in remote working will continue to increase the number and variety of data sources relevant to investigations, e.g. Skype, Zoom, Microsoft teams, Google chat, WhatsApp, WeChat and SMS, etc. Employers should make sure that their remote working and data privacy policies set clear expectations for employees on appropriate use of these media and what may be monitored or reviewed and the extent to which data on personal devices may be required.
As an overarching point, companies should ensure that as far as possible, they have the capability to preserve and collect data remotely. Retaining business records is good business practice, but it also has legal implications. The US Department of Justice (DOJ), for example, requires companies to implement appropriate guidance and controls to ensure that messages sent over ephemeral instant messaging applications are retained, and are retrievable in the event of an investigation. Companies that fail to do so could be prohibited from receiving full credit for timely and appropriate remediation in the context of a DOJ investigation.
Conducting investigations remotely presents a significant opportunity to save costs and to speed up the investigative process because it cuts down on the amount of travel and time required to conduct investigations. However, face-to-face or onsite data collections, meetings and interviews will always have their place (but may increasingly require justification).
The move to remote working necessitates a more technology-driven approach to managing investigations. Companies with a variety of ongoing investigations would be well-advised to consider maintaining a secure online investigations portal which should, among other things, help to track the progress of the various investigations and acts as a repository for key documents.