As part of our ongoing internal investigations series and in conjunction with Fraud Awareness Week, Protiviti, in partnership with Morrison & Foerster and Robert Half Legal, presented a webinar last week on the strategic use of email in internal investigations, discussing ways companies can undertake email investigations without letting costs get out of hand. My colleagues Robert Hennigan and Marshall Matus recapped the highlights, but I want to share here a few of the questions addressed during the live Q&A session, which I facilitated.
Q: What are the points to consider before accessing email data — including legal rights to open email accounts, legal responsibilities to notify users, and how to avoid alerting users that someone is accessing their email?
Robert Hennigan, Protiviti: Any time you have a question specifically about legal issues, we recommend consulting with counsel to help you make those determinations prior to initiating an email investigation. Generally speaking, there is no reasonable expectation of privacy in the United States for work email — and that extends to personal devices if they are being used to send and receive business email. There is no obligation to notify users of a pending examination of email on a company exchange, although some types of information are protected under HIPAA and laws governing the cross-border transfer of personally identifiable information. Employees are not obligated to divulge passwords for personal devices, but case law has established that biometric account security is not protected.
Q: What should you do to ensure you’re following rules of evidence and maintaining a chain of custody?
James M. Koukios, Morrison & Foerster: Companies wouldn’t invest time and resources in an email investigation unless they have a reason to believe that the investigation will yield important evidence. It is therefore important to ensure that the investigation is conducted in a way that ensures the findings will be admissible in court. Specifically, it is important to freeze the account to prevent alteration or deletion of emails. This may involve taking physical custody of a laptop, device or workstation. Searches must be planned and conducted in a way that ensures the resulting analysis will present a thorough and accurate picture. By the end of the investigation, the party presenting the evidence should be able to demonstrate that the evidence is complete, authentic, and authored or received by the individual or individuals being investigated. The evidence should support what actually happened.
Q: How do you search for information embedded in PDFs and other non-searchable “picture” attachments? Is there technology available to extract text that might not otherwise show up in a standard keyword search?
Marshall Matus, Robert Half Legal: An important part of determining the scope of any email investigation is understanding the allegations, and determining how information was communicated. It is not uncommon for perpetrators to try to bypass traditional keyword search capabilities by scanning documents into PDFs or image files. In such cases, optical character recognition (OCR) software can help extract text from such files.
Q: What if someone in the IT organization is the subject of the allegation?
Marshall Matus: That is a tricky one. That said, the proper response, with few exceptions, is to go up. Most organizations of any size have a chief information officer, or chief information security officer, who can be enlisted to help. If the subject of the investigation is the CISO, CIO or CTO, investigators can reach out to the CFO, General Counsel or CEO for assistance.
Because email investigations can be resource-intensive and costly, it is important for companies to do their homework before they initiate the investigation, to make sure the work will yield maximum results and be accepted into evidence in court. Our audience was interested in many more details of an email investigation, and we cannot cover all of them here — but I do invite you to listen to the archived webinar (the Q&A session is at the end of the recording).