Internal Investigations



  1. Internal Investigations: A Look at Proactive and Reactive Responses Using Technology and Process. Albert Barsocchini, barsocchini@gmail.com, 415.456.8318
  2. Definition of an Internal Investigation: An internal investigation is launched by a corporation to understand and diagnose problems within the corporation. Frequently used to help a corporation avoid or limit possible criminal or civil liability exposure and correct significant problems. Fact driven. The old adage that sometimes the best defense is a good offense.
  3. Flawed Investigation Risks: Allegations of obstruction of justice; Damage to the corporation’s reputation; Damage to employee morale; Creation of negative evidence that may be used in future criminal or civil proceedings; Destruction of evidence that could be helpful in the company’s defense
  4. Is an Internal Investigation Appropriate? The titles, roles and responsibilities of the people alleged to have engaged in the wrongdoing; Whether the company was a victim or the perpetrator of the alleged wrongdoing; If the company was a victim of the wrongdoing, is it likely to recur and will the company likely recover much, if anything, in pursuing the wrongdoers?; The nature, length, and scope of the alleged conduct in question; The dollar value of any loss to the company if it was a victim of any wrongdoing; Does the wrongdoing involve ongoing business conduct or existing business relationships, or is it historical and unlikely to recur due to changed business practices or other circumstances?; The likely (not merely the possible) potential economic exposure to the company; Whether alleged wrongdoing, if true, is placing any third party at risk; Whether the allegations are susceptible to verification; The cost and effort of the investigation as compared with any results it may yield; The nature and source of allegations, including the motivation and the potential gain to those making the allegation, if that party is known.
  5. Reality Check: “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” Donald Rumsfeld. Query: Traditional investigation techniques focus on known knowns and sometimes known unknowns
  6. Know Your Self: Sun Tzu: “If you know your opponent's strengths and limitations and know your own strengths and limitations, you can win one hundred battles without a single loss.” “If you know neither yourself nor your opponent, you will always endanger yourself and the mission.”
  7. United States Approach To Data Protection & Privacy: The United States has an ad hoc approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations. The private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. Corporate Codes of Conduct; Alternative Dispute Resolution mechanisms. The United States has no single, overarching privacy law comparable to the EU Directive. Privacy legislation in the United States tends to be adopted on an “as needed” basis, with legislation arising when certain sectors and circumstances require. For example: Video Protection Act of 1988; Cable Television Consumer Protection and Competition Act of 1992; Electronic Communications Privacy Act; and Fair Credit Reporting Act.
  8. Investigate What?
  9. Today’s Corporate Risks & New Litigation Rules Require Consistent Digital Investigations: eDiscovery, Compliance, Data Audit & Internal Security Investigations. The common need to search, collect and preserve electronic evidence in a timely, efficient and defensible process with court admissibility
  10. Comprehensive Approach to Investigations: Preparedness Centralized Endpoint Visibility Speed, Consistency, Data Mobility, Protection Adaptability
  11. Trends: Board Members Will Demand Investigations; Less Pressure to Waive Attorney-Client Privilege; More written reports instead of oral; More Executives Will Have Their Legal Fees Paid by Their Employer; More Employees Will Be Prosecuted For Lying to Outside Counsel; Increased difficulty conducting Investigations because of complex enterprise environment
  12. Invest in Leap Ahead Technology: We still use a lot of homegrown tools. Not enough innovation. Can we prevent wrongdoing by watching the data? Can we make the data police itself?
  13. Know the Triggers: Search Warrant, Government Subpoena or Voluntary Request for Information; Whistleblower; HR matters; Media Reports; Financial Restatements; Shareholder Demand Letter or Civil Complaint; Auditor concerns; Part 205 Report; Board or Audit Committee Concern; FCPA
  14. Understand Data Location: What are your “Crown Jewels”? Do you know where all the Crown Jewels are? Processes and procedures should be in place to ensure “The Crown Jewels” remain in authorized locations.
  15. Evolving Corporate Threats: Traditional reactive investigations not enough; New technologies bring new exploits; Threats can be internal, external and/or inadvertent; A determined wrongdoer will find a way
  16. Proactive Considerations: How do you… Identify unknown or covert corporate threats? Limit the risk exposure presented by sensitive information? Respond to a suspected incident? Limit the scope of an incident? Ensure corporate endpoints remain secure? Address and scale technology and processes to include file servers, email servers, semi-structured data repositories?
  17. Find your Heading: Directional orientation determines your focus: coming at, going away, or circling you. Perception is what you observe. Peripheral vision is for detection (perimeter). Central vision is for identification (endpoint). Could you drive with only peripheral vision? Bottom line: You will conclude what you perceive. Learn to use innovative procedures and technology to increase your vision.
  18. Technology Obsolescence: Traditional investigative technology is obsolete and not keeping pace with the number of corporate threats being created. Traditional investigative techniques place you in a perpetual catch-up mode and provide a false sense of security & plausible deniability
  19. Meet Our Cast of Characters
  20. Your New Adversaries: 1. “Bear” - firmly nestled where users are most exposed; the data stream… 2. “Raccoon” - masked bandit who sneaks in at night and takes our valuable loot. 3. “Wolf” - constantly probing and looking for signs of weakness. 4. “RAT” - burrowing his way through your foundation, weakening your structure.
  21. Flawed Internal Investigation Personalities: 1. “Turtle” - both for having a hard outer shell and soft meaty middle, and for being characteristically slow in every endeavor. 2. “Lemming” - because we like to follow others’ lead, often to our own demise. 3. “Guinea Pig” - using untested new ideas and procedures. 4. “Beaver” - who after getting his dam breached will work feverishly to patch and repair, even when conditions aren’t favorable. 5. “Sheep” - they may make great T-shirts, but terrible investigators. 6. “Ostrich” - who believes that there is a peaceful bliss in ignorance and if you bury your head long enough, maybe the threat will go away…
  22. Desired Qualities of an Investigator: Objective; Impartial; Subject matter expertise; Credible; Fair; Respectful; Compassionate; Professional; Innovative; Flexible; Open to new ideas and techniques
  23. Undesirable Qualities of an Investigator: Biased; Judgmental; Accusatory; Inconsiderate; Angry or “put out”; Incompetent; Inflexible; Not thinking outside the box; Unwilling to accept new ideas and technology
  24. Challenges: Complexity - Internal investigations are inherently complicated given regulatory considerations, disclosure implications and overall liability exposure; Timing - Critical aspect of any internal investigation; Risk - The disclosure of investigative findings can subject a corporation and its employees to potential criminal and/or civil liability; Ethical Issues - Effectively conducting an internal investigation often requires keen attention to a myriad of ethical issues (e.g., privilege; Adverse impact - The investigation and its findings can adversely impact the company by generating low employee morale, hampering employee recruitment and depressing the stock price; Conflict of interests - can affect investigation effectiveness
  25. Investigative Challenges: Detecting covert, advanced and unknown threats and keeping pace with the evolving nature of attacks; Identifying and analyzing suspected threats; Quickly triaging and containing an identified threat; Locating and rapidly responding to data leakage (PII, IP etc)
  26. Be Proactive and Understand Potential Corporate Threat Vectors: Network; Unusual employee behavior; Email; Open ports; VPN; Insider threat; Software vulnerabilities
  27. Ten Red Flags for the Enterprise: Account information on unauthorized workstation; Account information on a web or email server; Unencrypted account information; Unscheduled bulk data transfers after hours; File sharing software (i.e. BitTorrent); Unknown process running on a workstation; Account privilege escalation/out of band activity; Encrypted/compressed file repositories; Large number of removable drives on a single computer; Un-patched applications
  28. Recommendations: Assess your risk; Assess your readiness; Prevention, detection, response; Implement effective compliance program; People; Process; Technologies
  29. Getting Started: Have a corporate investigation and document retention policy; Develop a process to identify and retain evidence; Develop a response strategy for both inside or outside counsel; Identify event triggers and decision tree. Who in the enterprise controls the investigation? Who should conduct the investigation? Credibility is key. How should the investigation be conducted? What should the scope of the investigation be? What will be done with the results of the investigation?
  30. Investigative Objectives: Find the truth; Stop the conduct; Identify the evidence; Get control of the evidence; Preserve the evidence; Find out what happened and why; Report (oral or written) (purpose); Implement remedial measures; Maintain confidentiality
  31. Best Practices: Document the process; Establish credibility; Don’t make it worse; Always re-evaluate strategy; Have a clear communication channel; Have consistent procedures; Use the latest technologies; Have an efficient and cost effective response; Properly preserve evidence; Provide effective expert testimony; Review and de-brief
  32. Rewards: Using the latest investigative approaches and technology will help a company identify potential liability and develop a plan to limit such liability while allowing the company to control the process before governmental or other third party intervention. Give a corporation more time to develop responses or defenses which may ultimately minimize overall criminal and civil exposure and reduce the likelihood of lawsuits. Make a corporation look more responsible to government regulators, shareholders, and auditors, thus minimizing the effect of any negative publicity that has arisen from allegations of wrongdoing. Satisfies the board’s fiduciary obligations.
  33. Albert Barsocchini