Placing Emerging Data at the Centre of Investigations Strategy

In e-discovery and digital forensic investigations, the smoking gun isn’t what it once was. Due to a sharp rise in the use of mobile devices, workplace chat, collaboration and file-sharing tools, and a subsequent dispersion of business communications across many channels (some “off-channel”), it’s becoming less and less likely for investigative teams to find critical evidence solely in email, or even for a case to be built around a singular incriminating message. Rather, key events are playing out in multiple data locations concurrently, and evidential fingerprints are spread across mobile chat applications, collaboration tools, cloud repositories and other emerging data sources.

For the last several years, these sources of information were considered peripheral when scoping an investigation. However, a tipping point in the data landscape is imminent, requiring legal teams to shift their focus to emerging data platforms as central to fact finding and build new strategies according to the nuances of these dynamic sources.

Regulatory authorities and courts have already adjusted their focus to a wider range of data sources. To date, U.S. regulators have fined more than two dozen organisations in the financial services sector nearly US$2.5 billion total for record keeping failures across messaging applications. The U.K. Competition and Markets Authority is exploring similar actions. Judges in numerous jurisdictions have handed down sanctions for failures to preserve and produce relevant data from cloud and collaboration tools. A judge in a ruling involving proportionality arguments for production of Slack data said, “Requiring review and production of Slack messages…is generally comparable to requiring search and production of emails.” These instances are becoming more common and severe.

Emerging data sources (e.g., Slack, Dropbox, Google Workspace, WhatsApp, WeChat, etc.) introduce legal and compliance challenges across the spectrum of digital risk, from information governance and data retention at the readiness phase, through the investigation lifecycle from data collection and processing, to analysis, review and production. Despite these challenges, they are now ubiquitous and legal teams can no longer avoid or deprioritise difficult sources. Rather, it’s time to become aware of common, complex and technical issues, so counsel can mitigate challenges as part of their investigative strategy. Such issues include:

• Shortfalls in information governance and data retention. In the rush to adopt platforms that support new modes of remote collaboration and communication, many organisations have fallen behind in establishing or maintaining information governance across emerging data sources. Failure to properly manage, preserve and defensibly dispose of information across cloud sources can lead to legal and compliance exposures, including potential loss of information relevant to investigations or dispute proceedings.
• Taking stock of new digital artefacts. In most investigations, it is no longer sufficient to only examine company servers for relevant data. Electronic evidence may reside in numerous locations across a sprawling network of communication applications and cloud-based systems, each of which may require unique technical steps to access certain information stored in uncommon formats that may need to be converted for compatibility with investigative tools. Moreover, when addressing issues related to misappropriation of IP, trade secrets and other sensitive material, when legal teams know where and how to look, they have access to activity logs, document versioning and other data artefacts unique to cloud-based collaboration platforms that can help uncover fact patterns and event chronologies. Appropriately harvesting, analysing and interpreting the data contained within these artefacts requires forensic expertise and careful handling
• Conflicts between discovery needs and privacy. As data on individual mobile devices becomes more relevant and valuable to investigations, there is a rising tension between the need to collect and individual data protection and privacy rights. Many employees now are using encrypted messaging, ephemeral messaging and/or declining to consent to collection of their devices, as a means to exercise their privacy rights. These new barriers in retrieving data from devices poses a risk of sanctions or adverse consequences in an investigation or dispute setting.
• Information dissemination. The simple ability to provide shared access to files and folders within cloud-based collaboration tools raises many questions around the historically siloed view of data ownership. Cloud storage also provides a vector to transfer files from one system to another or bring information from a previous employer without needing to physically transfer material on a flash drive. With Dropbox or OneDrive, access to content can easily (and sometimes unintentionally) be provided to a wider group, leading to potential transfer and spread of sensitive files, confidential information and intellectual property, increasing the risk of users accessing content they shouldn’t.
• Digital hieroglyphs and ambiguity. Keywords and custodians remain anchor parameters to scope and narrow in on information. However, as emojis, reactions and memes have become part of the modern communication experience, legal teams must also consider non-verbal interactions — and their inferred meanings — when developing the scope at the outset of a case. Each emerging data platform records this information differently, and the approaches to identification, collection and downstream review must be considered early on to ensure data is preserved and can be defensibly collected.

Emerging data sources and unconventional forensic artifacts — and the data retention, collection, analysis and review challenges that surround them — are now an unavoidable reality in modern investigations. The information contained on a device or in an email inbox may no longer hold the keys to a case. Legal teams must begin to prioritise the difficult source and remain agile for the ongoing cat and mouse game between data disruptions and practical solutions for them. 

The upcoming emerging data sources roundtable will cover these issues and provide guidance for how counsel can modernise investigations readiness, improve information governance across cloud and chat platforms, and develop approaches to scoping that prioritise rich, dynamic data sources. 
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.