Incident Response

3 tips to get internal investigations done right

More and more organizations are recognizing the need to have digital forensic investigatory abilities in-house. With data breaches and ransomware attacks on the rise, they need to be able to respond quickly (if not automatically) in order to contain and begin remediating incidents—heck, it’s becoming harder to obtain cybersecurity insurance without having endpoint detection and response technology in place.

And that’s only one use case. Investigations for human resources of possible employee wrongdoing, legal department reviews to facilitate regulatory compliance, and investigations related to civil litigation remain priorities as well. But given the private nature of internal investigations, most organizations lack opportunities to benchmark their practices and capabilities and understand if they’re up to standards.

Thankfully, a new report from Exterro and EDRM addresses that blind spot. Based on survey data from over 70 respondents, representing 10 industries and companies with revenues from < $1 million to > $1 billion a year, this report gives a glimpse behind the curtain at how organizations uncover the facts around potential employee wrongdoing, regulatory compliance, civil litigation, and more.

What are three key takeaways organizations can learn from the report?

Invest in internal investigation capabilities—including people, processes, and technology.

While investigations may seem rare, they are not. Almost half (45%) of organizations with over $1 billion in annual revenue found themselves conducting six or more internal investigations every month. Even with fewer investigations, the value of having technology in place is clear cut. Mary Mack, CEO and Chief Technologist for EDRM, explains, “It’s no surprise that larger organizations conduct more internal investigations than smaller ones, but even a steady flow of one or two investigations per month requires a defined investigatory process, dedicated technology, and trained personnel. Between HR issues, regulatory compliance, and cyber-incidents, organizations shouldn’t expect investigations to go down anytime soon.”

Don’t forget to consider the legal implications of internal investigations.

But surprisingly, not all organizations automatically link investigations with legal holds to preserve data. As David Cohen, Partner and Chair of Records and E-Discovery Group at ReedSmith, observes, “There could hardly be more disparity in whether respondents use legal holds for internal investigations: about 1/3 use holds all the time, 1/3 use them some of the time, and 1/3 never or almost never use holds for internal investigations. Considering that internal investigations are often a precursor to external investigations, legal claims, or other significant company actions, these results suggest that many companies could benefit from having better established and defined processes for their internal investigations, including appropriate use of legal hold processes to secure information that could be or become important evidence in legal proceedings.”

Advanced technology offers an additional layer of protection.

It’s one thing to have a solid process in place and investigators skilled in the issues IT, legal, and human resources departments face. It’s another matter entirely to have advanced technology like silent legal holds and digital forensic toolkits in place. With those capabilities, organizations can increase the reliability of their processes. As Jenny Hamilton, General Counsel at Exterro, explains, “Silent legal holds offer advantages in contentious legal matters, preventing bad actors from spoliating relevant data, as well as inadvertent data loss.” And in terms of investigative capabilities, Justin Tolman, FTK Evangelist and former criminal forensic investigator, says, “Many investigations of this sort can have criminal, in addition to civil, implications. While internal investigators aren’t prosecutors, there’s a benefit to collecting ESI knowing that it can meet the higher evidentiary standard required in such cases. It is better to have forensically collected the data and not need it than to need it and not have it.”

By Tim Rollins
