In the wake of the pandemic, organizations have had to change the way they approach nearly every aspect of their business. Internal investigations are no exception.
With so many other urgent things to manage, from transitioning to remote work to handling supply chain disruptions, many organizations likely put their internal investigations on the back burner. Now, those organizations are struggling to evaluate their backlog of complaints, especially given the new challenges of interviewing remote employees and gathering documents that have been scattered to the four winds.
But pandemic or not, legal and regulatory problems are sure to follow if you ignore the red flags in your organization. Now is the time, if you haven’t already, to rethink how you manage internal investigations in the post-COVID-19 era.
Contents:
How COVID-19 increased organizational risk
5 essential steps for remote internal investigations
1. Planning the investigation
2. Identifying, preserving, and collecting potentially relevant data
3. Reviewing data
4. Conducting interviews
5. Preparing the investigative report
Remote internal investigations are complex, but not impossible
How COVID-19 increased organizational risk
In the Spring of 2020, it seemed the world had stopped. As organizations worldwide grappled with the rapid spread of the pandemic, businesses ground to a halt. Travel ceased. Workers transitioned to home offices to comply with shelter-in-place orders. Social distancing became the norm.
Yet, despite all of these changes, one thing remained constant: businesses were still required to comply with all applicable laws, regulations, and internal policies. At the same time, the pandemic likely increased the risk of non-compliance, be it intentional or inadvertent. With less oversight and more autonomy, remote employees have freer rein to engage in misconduct—and fewer control mechanisms to catch them in the act. With all of the restrictions of the pandemic limiting contact and office engagement, and with smaller staffs and budgets, it became easier for employees to cross the line into harassment, insider dealing, money laundering, fraud, and other financial crimes. Simultaneously, it became harder than ever for organizations to discover problems.
These risks are why it’s so important to continue moving forward with investigations, despite the continuing challenges of the pandemic. Moreover, the longer you delay investigating a red flag, the greater the risk may become—especially once you’re on notice of a problem. If you delay an internal investigation, your liability may grow, your ability to collect information may be compromised, and you may eventually face an external investigation from a government agency or a lawsuit about your failure to act.
5 essential steps for remote internal investigations
Given social distancing requirements and travel bans, you likely can’t complete all the steps in your usual internal investigation protocol. Fortunately, in some ways, the shift to remote work has made it easier and less costly to conduct an investigation.
Let’s walk through the steps of a typical internal investigation, thinking through how you may need to change your existing procedures to mitigate risk and prevent harm.
1. Planning the investigation
You’ll likely still start with the same process for most of your internal investigations, including:
- assessing the complaint,
- building your investigative team,
- evaluating your potential exposure, and
- engaging external counsel (if necessary).
But an internal investigation now requires additional considerations.
You may want to review what will trigger an internal investigation and how quickly that investigation needs to occur. Whistleblower complaints, reports of discrimination and harassment, and the theft or loss of physical assets, sensitive or confidential data, and trade secrets likely merit a swift, thorough investigation. On the other hand, because employees are working remotely, activities that would have previously triggered an investigation may now be innocuous or even unavoidable, such as using an insecure internet connection or sending business data to a personal email account.
In many cases, the investigative timeline will remain urgent, especially in the case of potential regulatory infractions and harassment complaints. But be mindful that you may have to extend your typical timeline to address the complications of working remotely and the pandemic more generally.
2. Identifying, preserving, and collecting potentially relevant data
Once you’ve planned your attack, the first step in any internal investigation is identifying and preserving potentially relevant information. The burdens here are likely to be greater because more work is happening online, generating even more data, and work is more dispersed.
Because so much data today is stored in the cloud, you can take steps remotely to preserve and collect it. You’ll likely find that you can follow your ordinary procedure for the most part. But the transition to remote work means that you may be storing a variety of new forms of data that you may not have previously contemplated, such as Microsoft Teams chats and Zoom videos. You’ll want to make sure you include these new data forms in your data map so you don’t overlook them.
You’ll also need to change how you handle devices that are spread out geographically due to remote work. If data is stored locally on your employees’ personal computers and mobile devices, you’ll need to determine how you can obtain that data while creating a defensible chain of custody, whether through your collection team using remote access software or a remote collection kit.
Before you begin, review your organization’s bring-your-own-device (BYOD) policy. Does it give you the right to access employees’ personal devices and their data? If not, modify it immediately. Keep in mind that if your custodians are located in a jurisdiction governed by data transfer rules, such as the EU, you’ll need to exercise caution in collecting devices and their data. You may also need to have a protocol to reduce the risk of refusal to share the device or data destruction by the custodian, which is more likely to happen when a custodian is implicated in wrongdoing.
Finally, don’t forget hard-copy documents and on-site devices. Your ability to collect on-site may be compromised with COVID-19 requirements. If this is the case, you’ll need to figure out how to secure the data and devices until you’re able to physically retrieve them.
Regardless of the procedures you take above, the most important step in this process is to immediately send out a legal hold notice to all affected custodians and to suspend all of your records retention protocols. Securing data early is especially important if you also foresee layoffs affecting your custodians.
3. Reviewing data
After you’ve collected the data, your investigation should mirror your usual process. Utilize your usual tools and technologies to assess any risks in the data. The one thing to keep in mind here is the need to protect any personal data during processing and review whether your data crossed international borders during collection.
For the review process itself, you may be working remotely. To ensure consistency among reviewers, make sure everyone has a set of detailed instructions and expectations, and hold regular meetings to keep everyone on the same page.
4. Conducting interviews
Restricted travel, social distancing, and work-from-home policies have made conducting interviews more complex. Fortunately, online video conferencing tools are a much better alternative to phone calls.
Video tools make it easier to share documents and assess interviewees’ credibility, but they also create some additional risks. Do not record your interviews and instruct your interviewee not to record them, as any recordings could be discoverable. Instead, you should take notes, which are protected as work product.
Be prepared for interviewees who may try to exploit the limitations of remote interviews. An interviewee may claim technological issues to stall or avoid responding to a difficult question. Pay attention to their mannerisms, body language, and other cues that may indicate their discomfort. You may want to note circumstances when the interviewee turns off their video, mutes their microphone, or turns away from the camera.
Interviewees may try to have other people present during their interview to listen in and make sure their stories align. The presence of other people, whether intentional or inadvertent (such as a family member wandering through), may break the attorney-client privilege. For this reason, make sure the interviewee is in a secure, private area before starting the interview; you may ask the interviewee to pan their camera around the room to confirm that it is empty and that any doors are shut.
You should also consider how to share documents before or during an interview. You may need to encrypt documents if you send them in advance to maximize their protection. If you want a more spontaneous response, you can screen share documents instead. If you are conducting a multijurisdictional investigation, consider whether sharing any documents raises any data privacy concerns.
5. Preparing the investigative report
Your reporting procedures should follow your normal protocols. When sharing any documents, whether internally or externally, mark them as drafts and as privileged. Implement encryption and other security settings to prevent distribution.
Remote internal investigations are complex, but not impossible
Conducting internal investigations remotely has its challenges, but these pivots are necessary to stay vigilant during this pandemic—and the next currently unforeseen disaster. With the right internal investigation protocol that builds in flexibility for new ways to preserve, collect, and review data and conduct effective interviews, you can prepare your organization to weather whatever challenges may come and maintain your organization’s compliance.
It may be tempting to let internal investigations slide when you have so many other pressing concerns resulting from the pandemic. That’s why it’s valuable to have a trusted partner to shepherd you through the data collection and review process. The right tools can enable you to securely and defensibly preserve data, no matter where it lives, and expedite your review so you can get the answers you need and get back to the work that matters faster.
[View source.]
