Creating a Defined Investigatory Process in Government Investigations

gov investigation header
October 26, 2022
Blog

What sticks out from my time at the Department of Justice is this: should your organization receive a government subpoena, the government more likely than not already has the evidence they need to prove the violation. The subpoena, rather, is a tool to see how widespread this violation and others are throughout the organization. Worse for the organization, most government investigators know exactly what they are looking for and they can rapidly find the needle in a haystack. I witnessed an investigator sit down to review a database of more than three million documents and within thirty minutes she was walking away with the document that proved the government’s case. 

Organizations are fearful when the government comes knocking, and too often the response is an overproduction of files that mostly contains unresponsive information that otherwise identifies a new violation. On the other side of the coin are those organizations that are unprepared and unintentionally spoliate data, as well as those that intentionally destroy data to cover up any wrongdoing. No matter the rationale, spoliation of data in a government investigation is a worst-case scenario and could lead to adverse inferences, hefty fines, and potentially criminal charges. In Rimkus Consulting Group., Inc. v. Cammarata, 688 F. Supp. 2d 598, 612 (S.D. Tex. 2010), the court read into the record the definition of spoliation as defined in The Sedona Conference Glossary: E-Discovery & Digital Information Management (Second Edition). That definition included destruction of evidence that may be relevant to a government investigation or audit. 

The current state of the industry is an increased number of government investigations and oversight. Some government investigations are not surprises and many are presupposed by internal investigations that start as HR-related issues, regulatory compliance concerns, or cyber intrusion incidents. Internal investigations may also trigger a duty to preserve if there is a “reasonable anticipation of litigation. Whether these internal investigations lead to larger government investigations or civil litigation, having a defined and repeatable process is paramount.  

While it is unknown at the investigation stage whether litigation will ensue, it makes sense to follow the highest standard for harvesting electronically stored data to avoid doing the collection a second time to comply with the rules of procedure.  

Here are ten action items to help create a defined investigatory process.

  1. Assemble a team from legal, HR, IT, and other departments relevant to the specific subpoena investigation.
  2. Understand the scope of the subpoena and what data sources are involved.
  3. Issue internal legal holds publicly to each custodian or privately by preserving in place using existing technology.
  4. Understand the specifications for the data requests and negotiate the terms with the investigating agency.
  5. Prepare a collection plan and execute that plan following best practices for digital forensics for each data source and chain of custody. Be agile enough to address refresh collections and expanding date ranges.
  6. Understand any privacy and confidentiality requirements and have a plan to collect, process, and review onsite should that be demanded.
  7. Limit exposure while also remaining compliant. Leverage pre-review analytics to eliminate large swaths of unrelated data, reducing the collection by 80-90%.
  8. Analyze the data and leverage technology-assisted review (TAR) to include continuous active learning (CAL).
  9. Confirm your production requirements conform to the data types and your technology’s capabilities.
  10. Have available secure data transfer capabilities to protect the confidentiality of your production.

This exercise should be completed before the subpoena arrivesbecause once it arrives, the clock begins to run and this exercise will take too long. When you do complete this exercise, you will understand your organization's data governance policies and whether those policies adequately remove redundant, obsolete, and trivial data. No one wants to be an organization maintaining 14 years of records when the regulation only requires seven years. In that situation, you are probably required to review and produce all of the relevant data from those 14 years. Until you properly dispose of that old data, it remains in your possession, custody, and controland, more likely than not, it is in play for any investigation or litigation.

Stuart Claire, TLS Senior Director