Strategic Use of Email in Internal Investigations

Robert Hennigan, Associate Director Protiviti Forensic
Marshall Matus, Engagement Manager Robert Half Legal

When we first started talking about putting together a webinar on the role of email in internal investigations, none of us anticipated the global impact a single email investigation could have. As it turned out, our well-attended November 15 webinar couldn’t have been more timely.

We presented the webinar during International Fraud Awareness Week together with Scott Moritz, the global leader of Protiviti Forensic, and James Koukios, a partner in Morrison & Foerster’s White Collar and Anti-Corruption practice group.

Our goal was to demystify the process of email investigations. In addition to addressing some of the popular misconceptions that might cause organizations to avoid undertaking a forensic email investigation, we wanted to offer some clear and simple strategies for managing the process, based on our years of experience, both as consulting professionals and as special agents of the FBI.

We thought the webinar was necessary because we’ve heard from a lot of people who believe, incorrectly, that:

  • Due to high volume, email investigations are cost-prohibitive and overly time-consuming.
  • Email investigations are a waste of time because no employee in their right mind would put anything incriminating in an email on a company server.
  • Privacy laws give employees the right to refuse employer access to their individual work emails.

To be sure, the email universe is vast, with more than one hundred billion work-related emails sent and received each day around the globe. We’ve read that employees spend about 28 percent of their work week sending and receiving emails at a rate of 122 emails each day.

It’s easy to see how the prospect of an email investigation of, say, 15 or 20 individuals, spanning several years, could be daunting — not only because of the volume, but also because of the need to maintain the integrity of evidence, which involves following established procedures regarding the acquisition, preservation and processing of email evidence. Managing this process effectively involves striking a balance between sufficiency and overkill.

Planning an Investigation

As with most business controls and processes, the time and cost of an email investigation can be carefully managed through planning. In that regard, it is important to start with a clear understanding of what you are looking for. What is the complaint? How many people could potentially be involved? Over what time frame did the alleged activity take place? Where does that data reside? And who were the custodians of that data?

As for the misconception that employees wouldn’t leave anything incriminating on a company server, experience has shown that it happens all the time. Also, if an employee forwards work emails to a personal mobile phone or home computer, those devices are considered to be discoverable for investigative purposes. There is ample case law to establish that work emails are work product owned by the company. Most U.S.-based organizations have electronic communication policies making it clear that users have no expectation of privacy. There are a few notable exceptions that include communications covered by attorney/client confidentiality, but for the most part, electronic communication at work is fair game for investigators.

Nor do investigations have to be confrontational. Often, investigators can obtain all the evidence they need from system backups or the company email server, without having to notify employees.

Companies also have had great success leveraging email review platforms and other forensic technologies to search for keywords indicative of potential malfeasance. Newer versions of email platform tools have significant capabilities built in.

Each of our expert panelists emphasized the criticality of communication between the various players in an investigation — the review team, forensic accountants, and outside counsel — to ensure coordination, avoid redundancies and share knowledge. A good investigation will follow project management best practices, with phases of the project including data collection, data processing, data analysis and review.

There’s an art to this process that involves knowing how to select key words; when to go broad and when to go narrow; how to leverage techniques and theories from related fields, such as information retrieval; and how to use various forensic technologies. All of this was discussed in our webinar at length, and we encourage you to listen to it.

Finally, we had a number of interesting questions from the audience that followed the presentation and speakers. We will summarize some of these questions in an upcoming post. Subscribe to our blog to be sure not to miss it.

1 comment

Subscribe to Topics

Subscribe to Industries