The Need for Speed and Secrecy – eDiscovery Investigations Series, Part 2

2 / 5

A multi-part series discussing the realities of eDiscovery in the context of investigations

“I feel the need – the need for speed!”
– Jim Cash & Jack Epps, Jr., Top Gun

In the first Part of this series, we reviewed the categories of investigations in which companies are frequently involved and their general eDiscovery ramifications.  In this Part, we dive deeper into the need for speed and secrecy in the conduct of an investigation.

The Need for a Different Approach

As we noted in the first Part, investigations often function on even shorter timelines than litigation discovery and often require more careful control of the flow of information.

Time pressure is great in most investigative scenarios. If you are working to assess an internal issue, you will want to identify and quantify risks to the organization as quickly as possible so that they can be appropriately mitigated. If you are working to respond to a regulatory agency’s information request, you will likely be facing a tight, agency-imposed deadline in a context where you want to satisfy the agency, where the potential for renegotiation is limited, and where the option to appeal to an independent judge is generally unavailable.

The need to control the flow of information more carefully arises from the reality that in many investigative contexts you will be looking for bad actors within your own organization. Failure to control the flow of information (or to move with sufficient speed) gives bad actors the opportunity to spoliate evidence to cover their actions and to coordinate their stories with each other before talking to you. In either case, your ability to assess organizational risks or to respond accurately to an investigating agency would be compromised, and the cost and effort required would become greater as you worked to overcome the attempted spoliation or penetrate the deliberate deception.

Achieving Speed in eDiscovery

Speed in eDiscovery is a challenge in any context, but there are steps that can be taken at each phase to ensure things are moving as quickly as possible when you are racing an investigation deadline:

  • Before an Investigation Arises
    • As we discussed in our Program Management series (and in our Data Targeting series), improving organizational litigation readiness, including data mapping and data remediation, is the most effective way to speed up subsequent eDiscovery efforts of all types
    • The speed, efficiency, and reliability advantages that accrue from having less data, knowing where it all is, and having established procedures for how to act on it cannot be overstated
  • During Identification, Preservation, and Collection
    • Undertake the brainstorming of potential sources immediately (see our guidance on this process in our Project Scoping and Planning series)
    • Then, rather than engaging in the more gradual processes that typically follow, move immediately to collect what you believe to be the key sources from the key custodians, so that preliminary analysis and review can begin while additional identification, preservation, and collection efforts are still ongoing in parallel
    • Because, in this context, speed is most important, err on the side of over-collection (e.g., capture full images) from those key sources to avoid having to go back and conduct supplemental collections from those sources later
  • During Review and Production
    • Unlike in litigation, where some concerns and complications persist, technology-assisted review can be used freely during internal investigations to significantly speed up needed review processes, and many federal agencies are now comfortable with investigation subjects using it as well (although methodology details generally have to be provided to the agency to secure approval)
    • Finally, it is very common in the investigation context to engage in rolling productions over time, beginning with the key sources from the key custodians and moving through progressively lower priority materials as they can be completed; this can be a way to show a good-faith effort to cooperate when it is not possible to complete all needed work by an agency-imposed deadline 

Controlling the Flow of Information

Controlling the flow of information actually goes hand-in-hand with achieving speed, as speed during identification, preservation, and collection is one of the best ways to stay ahead of the flow of information within your organization.  As soon as a detailed hold notice (in the case of an agency-directed investigation) is issued, or as soon as active collection begins, any bad actors within your organization will be put on notice that you’re looking for them and may take steps to destroy evidence or prepare for questioning.  So, in situations where bad actors are suspected, certain collection steps may need to be taken before the hold notice is issued to all subject employees.

There are several collection strategies that can be employed to acquire key data without alerting suspected employees.  For example:

  • IT can typically collect from employees’ active corporate accounts for email, messaging, documents, etc. without alerting the employees, and IT can also take steps to preserve existing backups of those sources as needed
  • For an individual, a laptop or computer (or mobile device) upgrade can be triggered, allowing IT to collect the current machine and image it without raising suspicions
  • For a team or department, IT can require all laptops be left at desks overnight for required security or software updates, and images can be made during those hours

In the context of an agency-directed investigation where a hold notice should be issued, the hold notice should still be created and issued immediately to relevant IT personnel, to other relevant systems owners within the organization, and to any relevant managers above the level of the suspected bad actor(s), with strict instructions about the confidentiality of the matter.  Any unannounced collections, like the examples above, should happen as soon as possible thereafter, and then the hold should immediately be issued to the rest of the subject employees.

Upcoming in this Series

In the next Part of this series, we will discuss in more detail the challenges of nuanced analysis and review in investigations.

About the Author

Matthew Verga

Director of Education

Matthew Verga is an electronic discovery expert proficient at leveraging his legal experience as an attorney, his technical knowledge as a practitioner, and his skills as a communicator to make complex eDiscovery topics accessible to diverse audiences. A fourteen-year industry veteran, Matthew has worked across every phase of the EDRM and at every level from the project trenches to enterprise program design. He leverages this background to produce engaging educational content to empower practitioners at all levels with knowledge they can use to improve their projects, their careers, and their organizations.
