As we witness the surge of the COVID-19 pandemic across the globe, more and more businesses implement their (partial) return-to-office policies. While each organization has its own view on which workplace model fits them best, the hybrid model seems to be the preferred option for many. The mix of in-person and remote work will, in turn, affect how businesses operate, including how they manage their internal investigations.
See how the post-pandemic reality defines the corporate investigations landscape in 2022 and what are some of the challenges you should be prepared to mitigate as a corporate investigator.
In this article:
What are internal investigations?
How COVID-19 shaped the remote internal investigations
What will the post pandemic internal investigations look like?
What are the key challenges corporate investigators might face in 2022?
How eDiscovery technology can help digital investigations
In conclusion
What are internal investigations?
Internal investigations are investigations aimed to identify fraud, harassment or any other employee, management, or business partners’ wrongdoings. Depending on the subject that is being investigated, one can highlight several types of investigations:
How COVID-19 shaped the remote corporate investigations
Despite all the changes that COVID-19 has brought to the legal landscape, organizations were still obliged to comply with applicable laws, regulations, and internal policies. The remote work has likely increased the risk of non-compliance, be it intentional or accidental. With more autonomy and less supervision, employees had a better chance to engage in corporate misconduct, such as fraud, money laundering, harassment, etc. At the same time it became much more challenging for companies to identify and tackle such problems.
That said, more than ever, we saw the importance of carrying on with internal investigations without delay to avoid facing further liabilities or lawsuits about your failure to act.
Luckily, remote investigations became possible with the mass transition to remote work. Here are some of the aspects corporate investigators had to reconsider when it comes to their typical investigation process:
- Unsecure internet connection or forwarding business-related information to a personal account became (almost) unavoidable issues with fully remote work. That subsequently made investigators extend their usual timelines to address the new COVID-19 related challenges.
- Identifying and collecting potentially relevant data got more time-consuming as work became more dispersed, generating increasingly more data. New data forms such as Microsoft Teams, Zoom, and Google Meet became integral parts of organizations’ data maps.
- Bring-your-own-device (BYOD) policies had to be reviewed by companies in order to ensure investigators would still have the right to access employees' personal devices and data remotely.
As the hybrid work model is likely to become even more widespread in 2022 and beyond, remote investigations’ best practices will not lose their relevance and should be considered when defining or reassessing your internal investigation protocol.
What will the post-pandemic internal investigations look like?
With pandemic restrictions being lifted in most countries, more employees start returning to in-person work, which is expected to result in an increasing number of reports and investigations.
According to the NAVEX Global 2021 Risk and Compliance Incident Management Benchmark Report, the median number of internal misconduct reports declined slightly for the first time in years. On average, there were 1.3 reports per 100 employees in 2021; in other words, a 1,000-person company would face about 13 events per year.
Reports through traditional hotline services decreased, with more incidents brought to the company’s attention through web-reporting systems, perhaps reflecting the increase in remote work and online communication.
There was also a decrease in retaliation, harassment, and discrimination reports, which may have become less visible or easier to tune out while employees have been working remotely. These reports could rise substantially with the widespread return to in-person work.
Another factor to consider is whistleblower safety. In the European Union, the EU Directive on Whistleblowing is meant to provide a coherent pan-European whistleblowing framework. It would require EU governments to meet minimum standards for establishing reporting channels, ensuring comprehensive legal protection and immunities for whistleblowers, and introducing effective penalties to dissuade retaliation. The directive was supposed to be transposed by all member states by December 2021, meaning each member state would have had to have laws in the books that follow the directive. So far, as of August 2022, only 11 countries out of 27 have adopted the directive while 15 of them have run into delays.
So long as these laws are pending, it may dissuade whistleblowers who await the extra protection.
With the move to more online working and online services, it’s no surprise that data security incidents have increased substantially over the last few pandemic years. Based on data sourced from over 88 different countries, the Verizon 2021 Data Breach Investigations Report found 5,258 confirmed data breaches where data was lost. This was up from 3,950 in 2020. That’s over 20 breaches per workday—and a whole lot of data security investigation.
At a global level, that doesn’t seem too bad, however the Verizon data only confirms a data breach as a breach if data is lost. In case of GDPR, a data breach is to be assumed. For instance, looking at the numbers for EMEA specifically, the report finds a total of 5,379 instances of a breach (with 293 being confirmed). The data is primarily gathered from European countries, where any data breach has to be reported and investigated to the relevant privacy authority. In the EU, tools such as the GDPR enforcement tracker provide a record of reported GDPR violations, which include data breaches. As highlighted in the graph below, the number of GDPR-related fines has increased exponentially since 2018.
Due diligence & second requests
Another major source for digital investigations are due diligence and second requests associated with Mergers & Acquisitions (M&A). Whenever companies are involved in an M&A process, large digital investigations are held on both ends. In the US, the Federal Trade Commission (FTC) received a total of 3,644 merger filings under the Hart-Scott Rodino (HSR) Act in 2021—so many that its own employees struggled to keep up with the agency’s timelines. The overall value of mergers and acquisitions in 2021 reached a record high of $5.8 trillion, up 64% from the previous year.
Though Europe saw no such an increase, levels did bounce back to pre-pandemic levels over the course of 2021, and is likely to continue increasing in 2022 - M&A deal numbers rose to a total of 2,015 transactions, a higher total than in 2019 (1,958) after a down year in 2020 (1,705). In terms of M&A in the larger countries in Europe, the United Kingdom and France lead the way. All told, organizations are facing unprecedented challenges in keeping up with investigations. Let’s turn to a more in-depth consideration of those challenges.
What are the key challenges corporate investigators might face in 2022?
Having a robust compliance program and proper investigative tools in place won’t guarantee you stay out of trouble - but it’ll reduce the amount of trouble you might find yourself in.
Investigations present a wide array of challenges in 2022, as businesses juggle between in-person, remote, and hybrid work policies. Some of these challenges include:
When an organization learns about a complaint, it must act quickly. Every day that the investigation is being delayed is another day during which an employee is stealing funds, mistreating a coworker, or abusing corporate policy. When regulatory agencies are involved, timelines can grow even shorter and less flexible. The prompt action demanded by investigations does not leave time for legal or compliance teams to sift through data manually.
Organizations conducting an internal investigation do not know whether the allegation is founded at the outset. It is often in the company’s best interest to conduct its initial investigation quietly, without disclosing the claim or its suspicions to other employees or the subject of the investigation. If a governmental agency is involved, that agency may not fully disclose what or who it is investigating, leaving the company to search for records without a complete understanding of the conduct it is investigating.
An initial allegation is likely to contain only the facts known to the complainant, but those are not necessarily the only important facts. For example, if an employee reports that their supervisor discriminates against them on the basis of race, gender, or other protected characteristic, there may be other employees—current or former—who have experienced the same treatment. The scope of an investigation should be controlled as tightly as possible, but sometimes an investigation must expand to encompass new facts. When regulatory agencies are involved, an organization is entirely at the mercy of that agency in setting the scope of its investigation.
Investigations can implicate a wide range of departments and organizational units, from HR, IT, and compliance to the C-suite, risk managers, data privacy officers, and the legal team, both in-house and outside counsel. Keeping everyone on the same page—while maintaining discretion and data security—can be a substantial challenge.
If bad actors communicated explicitly about their intentions, it would be quite easy to search for evidence of their misdeeds. Unfortunately, they generally hide their actions behind code words or other veiled references—leaving organizations to figure out how to uncover those unknown unknowns with few, if any, hints to start from.
When data relevant to an investigation resides in a jurisdiction with strict data privacy laws, transferring that data to another jurisdiction with weaker protections may create an entirely new compliance issue for the organization.
Data that is relevant to an investigation could be found almost anywhere: on the local drive of a laptop, on a mobile phone or tablet, in a file sharing platform, in a cloud account, or within a browser-based application such as a project management or collaboration tool, among other possibilities. Organizations must sift through a tremendous volume of data—some of it hard to access or export—to find the facts they need.
Many investigations ultimately lead to litigation or must report results to third parties (regulatory agencies, for example). To prepare for that possibility, organizations must manage data in a defensible manner, preserving chain of custody and ensuring that no data is modified or otherwise interfered with.
How eDiscovery technology can help digital investigations
Both eDiscovery and digital investigations require the ability to rapidly and accurately sift through reams of data, discarding unhelpful or irrelevant data sources, surfacing important facts, and identifying hidden patterns. The tools developed for eDiscovery are therefore tremendously applicable to investigations. Those tools fall into four broad categories:
- Automation tools such as deNISTing, deduplication, data processing, email threading, and optical character recognition. These techniques can quickly eliminate extraneous data files, organize messages into related threads, and allow investigation teams to focus on the data that might help their search rather than getting bogged down in duplicate files or missing clues in image files that haven’t been converted to searchable text.
- Context tools such as entity search, basic entity extraction, foreign language extraction, language translation, and dark language detection. These basic analytics capabilities can quickly detect concepts such as persons, places, and things and can then group like concepts together. For global organizations where employees use multiple languages, language extraction and translation tools are crucial for conducting efficient and rapid investigations that incorporate data sources written in other languages. These capabilities are founded in part on natural language processing (NLP), a branch of artificial intelligence (AI). Dark language detection— which can unearth code words—is particularly useful in the context of investigations.
- Proactive intelligence tools such as technology-assisted review (TAR), topic modeling, concept clustering, and document classification. These approaches use AI— both the older predictive coding models and the newer continuous active learning approaches—to group documents into related sets and determine which are most likely relevant or helpful.
- Emerging intelligence approaches such as relationship analysis, auto-detection and auto-redaction of sensitive entities, network analysis, sentiment analysis, and anomaly detection. These advanced analytics tools represent the next frontier for legal technology, and they’re particularly helpful for investigation teams, as they can quickly uncover relationships between parties— even when those relationships are carefully concealed—based on communication patterns. Auto-detection and auto-redaction of sensitive entities also help organizations protect private data when an investigation involves cross-border data transfers and the accompanying data privacy considerations.
To better understand the applicability of the aforementioned eDiscovery tools, it’s useful to study a few use case examples.
In conclusion
Internal investigations will continue facing the challenges imposed by both remote and in-person work. Increasing volumes of structured and unstructured data stored across various devices and systems as well as short timelines legal teams have to take action within will call for more efficient identification, collection, and review of information. eDiscovery tools will be the answer to better, more streamlined investigations when leveraged efficiently.
Now is the time to unlock the power of intuitive, accessible eDiscovery technology.
[View Source]
