Silent Detective: An Investigator’s Perspective on e-Discovery Today


When an investigator is faced with a case, probably the two most commonly asked questions are:

  • where do we start?
  • how much do we need to do?

These questions are further amplified in large investigations (e.g. FCPA[1], SEC) where the scope often extends over several geographical boundaries, and the documentary evidence cannot always easily be identified because of differences in corporate cultures and practices across regions.

Most investigators are used to correlating progress in the investigation with the number of personal interviews. As such, as soon as they discover what appears to be a problem, they often march out the troops and start questioning potentially relevant people.

This habitual reaction typically occurs because of our sense of urgency relating to the matter. We all know we need to act quickly to contain the situation and determine the scope of the problem, but the way many investigators go about this may not be optimal in all cases. 

At the risk of sounding like a cliché, I believe, in this electronic age, there is tremendous opportunity for us to do a lot of detective work inconspicuously; hence the title “Silent Detective”.

Think of all that can be accomplished before we hit the interview trail. Think of the accomplishments in the context of operational efficiency, risk management and cost containment. Here are a few examples:

  • Efficiency: A search of emails, transactional data or other electronic documents in advance of the interviews will provide a more focused approach and enable the interviewer to better assess the information provided
  • Preservation of evidence: Preserve all potential sources of relevant information before word gets around within the organization and increases the risk of deliberate or inadvertent spoliation
  • Risk-based approach: Use data analytics techniques to identify hot spots (e.g. geographical location, accounts, types of transaction, etc.)
  • Less intrusive: data analysis can be done behind the scenes with minimal interruption to the organization’s day-to-day business. A benefit of data analysis is that, in most cases, it can be done remotely and out of sight. A minimal number of people need to be involved and, given the right resources, a lot of ground can be covered

Where do we start?

Most often, experts in the field start with the preservation of potential sources of relevant information (both in electronic and hard copy formats). The objective is not to preserve absolutely everything, but to ensure, and be able to demonstrate, a thorough understanding of the computing, storage and archiving environment and that each source of data has been carefully considered for information relevant to the case. A well planned review, and a reasonable and defensible approach to document preservation can potentially satisfy all parties concerned.

Document preservation is usually accomplished through discussions with legal, finance, IT, HR and other relevant business units. The emphasis here should not be on the document retention policy, but instead on the actual practice – it is not about what should be available, but what is actually available. For example, the Chief Information Officer may be aware of document retention policies, but it may be the IT manager who knows that a backup tape drive has not been working for a few months, or that after the migration of data a few years ago, the tapes were not destroyed. Therefore, if the relevant documents exist, chances are they need to be produced regardless of the company’s retention policy.

On the topic of production, the scope of preservation is somewhat dictated by the interests of the parties involved. For example, just because it has been decided to limit the scope of the investigation to a few specific years, it does not mean that the preservation efforts should be limited only to those years. In most jurisdictions, it is not about what one needs to prove/defend their case, but what relevant information may be required by all parties involved in the case in support of their respective positions. I am aware of a recent case where a company, for financial reasons, decided to limit its investigation of an employee fraud to the three most recent years, and accordingly took steps to preserve only documents from this timeframe to support its investigation, trusting this would give the company sufficient evidence to dismiss the employee with cause. However, in the preliminary interview with the supervisor investigating the case, the suspected employee claimed innocence, indicating that his actions were as a result of a mutual agreement with management dating back six years. Thus, one might ask about the company’s obligation in preserving all relevant information going back six years in anticipation of potential litigation.

There are many other factors that may impact the preservation process. For example, we must consider differing local personal data privacy and data export laws, as well as company policies and union contracts.

It should be noted that our objective is not only to safeguard, but also to preserve the integrity and authenticity of the information. For example, copying data from a server to an external hard drive for safekeeping will not necessarily ensure the preservation of document metadata, since document creation, modification, and/or access data may be altered in the process.
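The metadata point above, as an added example that is not part of the original article: a Python sketch that records a file's hash, size and modification time, copies it two ways, and reports which fields each copy changed. The file name and the backdated timestamp are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(path):
    """Record size and modification time first, then the content hash."""
    st = os.stat(path)  # stat before reading, so the record reflects the untouched file
    return {"sha256": sha256_of(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def changed_fields(before, copy_path):
    """List the recorded fields that differ between the source and a copy."""
    after = snapshot(copy_path)
    return [k for k in before if before[k] != after[k]]


def demo():
    """Copy one constructed file two ways; return the fields each copy altered."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "ledger.csv")  # constructed sample document
        with open(src, "w") as f:
            f.write("vendor,amount\nACME,100.00\n")
        old = 1_250_000_000 * 10**9  # constructed: a last-modified date in 2009
        os.utime(src, ns=(old, old))
        before = snapshot(src)
        naive = os.path.join(d, "naive.csv")
        shutil.copyfile(src, naive)  # content only: the copy gets today's timestamp
        kept = os.path.join(d, "kept.csv")
        shutil.copy2(src, kept)  # content plus timestamps, where the OS allows
        return changed_fields(before, naive), changed_fields(before, kept)
```

Even `shutil.copy2` does not carry every attribute (file ownership and ACLs are not copied), so the record taken by `snapshot` at collection time is what lets the investigator demonstrate what the source looked like.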

How much do we need to do?

In bygone times (three to four years ago in technology years) data analysis was considered as a supplement to the investigative approach. Nowadays, data analysis has become the driving force in investigations.

Data comes in many types and formats and, depending on their nature, there are different tools and methodologies to mine them. Emails, for instance, are like a time machine that can take us back in time to show daily activities and discussions.

The use of databases is becoming the norm in capturing and maintaining both transactional[2] and non-transactional records. Due to the structured[3] nature of databases, it is generally straightforward to perform various analyses, which can be as granular as the details captured within. As an example, a vendor master summary may provide an overview of vendors and their related activities, such as the total number of invoices, payments, credit memos, average invoice amount, etc.

Most investigations involve financial data, the analysis of which often involves the collaboration of three groups: IT, finance and legal. The IT team is involved with the extraction and summation of relevant data; finance reviews the data to identify transactional anomalies, while legal considers the evidentiary value of the findings.

In what may appear to be a straightforward exercise across different lines of service, one cannot dismiss the fact that the three parties generally employ completely different business languages. Hence, there is a risk that something might get lost in translation.

While the close interaction between legal and finance can help to narrow the gap, an experienced data analyst not only brings the technical skills to run complex queries, but also an understanding of the accounting lifecycle and records to test for completeness and accuracy.
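A vendor master summary of the kind described above, together with a simple completeness test, as an added example rather than anything from the original article. The table layout, the sample rows and the use of control totals supplied with the extract are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample extract: (vendor, doc_type, amount). All names are assumptions.
ROWS = [
    ("ACME", "invoice", 1200.00), ("ACME", "invoice", 800.00),
    ("ACME", "payment", 2000.00),
    ("GLOBEX", "invoice", 5000.00), ("GLOBEX", "credit_memo", 500.00),
    ("GLOBEX", "payment", 4500.00),
    ("INITECH", "invoice", 300.00),
]

SUMMARY_SQL = """
SELECT vendor,
       SUM(doc_type = 'invoice')     AS invoices,
       SUM(doc_type = 'payment')     AS payments,
       SUM(doc_type = 'credit_memo') AS credit_memos,
       AVG(CASE WHEN doc_type = 'invoice' THEN amount END) AS avg_invoice
FROM vendor_docs
GROUP BY vendor ORDER BY vendor
"""


def load(rows):
    """Load the extract into an in-memory database so the source is never modified."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vendor_docs (vendor TEXT, doc_type TEXT, amount REAL)")
    db.executemany("INSERT INTO vendor_docs VALUES (?, ?, ?)", rows)
    return db


def vendor_summary(db):
    """One row per vendor: invoice, payment and credit memo counts, average invoice."""
    return db.execute(SUMMARY_SQL).fetchall()


def completeness_gaps(db, expected_rows, expected_total):
    """Compare the extract with control totals reported by the source system."""
    n, total = db.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount), 0) FROM vendor_docs"
    ).fetchone()
    gaps = []
    if n != expected_rows:
        gaps.append(f"row count {n} != {expected_rows}")
    if round(total, 2) != round(expected_total, 2):
        gaps.append(f"amount total {total:.2f} != {expected_total:.2f}")
    return gaps
```

A non-empty result from `completeness_gaps` means the extract should be re-run or explained before any anomaly in the summary is treated as a finding.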

In conclusion, we live in a decade where the vast majority of our transactions and communications are in electronic form. There are many sophisticated tools and well-established methodologies that can help us to comb through data to unravel the truth and gain a better perspective on the issue and its potential players. Experience shows that the up-front preliminary analysis of data and the review of electronic correspondence can make the investigation more effective and efficient.

[1] Foreign Corrupt Practices Act
[2] Transactional data: data such as orders, invoices, payments, plans, activity records, deliveries, travel records, etc.
[3] Structured data: data that resides in fixed fields within records or files such as relational databases and spreadsheets.

The article originally appeared in the Advocates E-Brief Autumn 2009 issue and is republished here with permission.