Companies, industries and governments around the world are trying to reopen and recover from the early disruptions of the pandemic. Legal and compliance work is picking up again and teams are trying to understand how to effectively conduct investigations with all the changes since the pandemic began. Even so, operations are far from normal, so teams are looking for efficient and reasonable ways to remotely conduct discovery work.
The data collection phase of e-discovery and investigations was one of the hardest hit by global lockdowns. Large volumes of data and complex data types can make collection challenging under the best of circumstances. Now the attorney must remotely coordinate the gathering and sharing of information, either managed and executed by outside vendors or through a guided self-collection exercise with individuals who may be relevant to the matter. Both options carry the risk of incomplete or inaccessible data sets, which can lead to complications and increase costs in the investigation process. In severe cases, these errors can result in spoliation or government sanctions.
For legal teams weighing their options for data collection in today’s new normal, there are a few key questions that will help guide discovery decisions and ensure that remote processes are effective and legally defensible. These include:
What are the technical requirements, and what specialist knowledge is needed to meet them?
The technical requirements of a remote collection depend on the data source that the investigators are targeting. In every case, the auditor performing the collection needs to fully understand the scope of the data sources in order to prepare for the specific challenges that may arise. For example, hard drive data can be collected remotely by starting the source computer from a USB drive, using screen sharing features to access the device over the Internet, and using forensic tools to capture a full forensic image. In other cases, it may make more sense to collect only targeted records from the hard drive and to copy specific files and folders in a forensically sound manner. Both approaches require the involvement of people with technical skills to follow the investigator’s instructions and troubleshoot issues like permissions and network speeds. The tools and approach must also account for the chain of custody and ensure that nothing is overlooked or damaged in the process.
Collecting from mobile devices, cloud sources, and new data platforms such as collaboration tools presents another set of unique technical and practical complexities. As the access and storage parameters of mobile devices and cloud data sources keep changing, the tools and techniques that work today may not work tomorrow. Custom solutions often have to be built while a collection is under way in order to cope with unexpected challenges. Creating these requires the assistance of a computer forensics expert who knows the limitations of various platforms and knows what workarounds are available.
Are there any pitfalls in the environment that may require bespoke solutions?
While many of today’s leading cloud-based email systems offer search and basic export capabilities, they are not designed for forensically sound data collection. For example, they may not search all types of data on the platform, such as ZIP files, images or screenshots that may have been uploaded. Simply searching for keywords and exporting the files the search returns can undermine an investigation. This is a great example of when a custom solution developed by forensic experts may be needed to avoid the downstream costs and delays that can arise from collection errors.
Teams can also face spoliation issues if the collection is not supported by detailed chain of custody documentation, including validation of metadata and export reports showing exactly what, where, and how files or disk images were retrieved from their original sources.
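The targeted collection and chain of custody documentation described above can be sketched as follows. This is an added example, not a tool named in the article: the function names, the manifest columns, the `examiner-01` label and the sample files are all assumptions constructed for illustration.

```python
import csv, hashlib, shutil, tempfile, time
from datetime import datetime, timezone
from pathlib import Path

FIELDS = "source dest size mtime_utc sha256 collector collected_utc status".split()

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")

def collect(sources, evidence_dir, collector):
    """Copy each source file, verify the copy, return one manifest row per item."""
    rows = []
    for i, src in enumerate(map(Path, sources)):
        row = dict(source=str(src), collector=collector, collected_utc=utc(time.time()))
        if not src.is_file():              # record the gap instead of skipping it
            row["status"] = "MISSING"
        else:
            st = src.stat()                # source metadata, read before copying
            digest = sha256_file(src)
            dest = Path(evidence_dir) / f"{i:04d}_{src.name}"  # avoids name clashes
            shutil.copy2(src, dest)        # copy2 carries the mtime across
            same = (sha256_file(dest) == digest
                    and int(dest.stat().st_mtime) == int(st.st_mtime))
            row.update(dest=str(dest), size=st.st_size, mtime_utc=utc(st.st_mtime),
                       sha256=digest, status="VERIFIED" if same else "MISMATCH")
        rows.append(row)
    return rows

def write_manifest(rows, path):
    """Write the export report as CSV; return its SHA-256 for the custody log."""
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows)
    return sha256_file(path)

def demo():
    """Constructed sample: one real file plus one path that no longer exists."""
    src_dir, out = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (src_dir / "memo.txt").write_text("constructed sample memo")
    rows = collect([src_dir / "memo.txt", src_dir / "deleted.docx"], out, "examiner-01")
    return rows, write_manifest(rows, out / "manifest.csv")
```

Calling `demo()` returns the manifest rows and the hash of the manifest file; recording that hash separately lets a later reviewer confirm the export report itself has not been altered.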
How is the data protected?
With remote collection or when large amounts of data are being moved, security is paramount. Investigation and e-discovery providers should be able to provide detailed documentation of the general safeguards that apply and the specific steps they plan to take to ensure security throughout a collection and beyond. Forensic images and other files captured remotely are typically stored on external drives while they are being processed and loaded into analysis and review platforms. These drives must be encrypted and physically kept in safes and/or a secure forensic laboratory to ensure that confidential information is not accidentally disclosed to anyone outside the case team.
Compliance with data protection regulations is another consideration in protecting the data. The collection and subsequent processing and review of protected information must remain within the framework of the provisions in the jurisdiction in which the data originates. Even if a matter originated in the US, it can quickly spread to other regions, and the attorney must be prepared to engage investigators who can collect and host the data in-country under cross-border data transfer restrictions.
Despite the challenges associated with remote data collection, in many cases investigations cannot wait indefinitely for the world to return to normal. While remote collection is typically not a preferred method for investigations, with the right controls it can be done safely and defensibly so that critical investigative work can continue regardless of travel restrictions and other lockdown-related obstacles.