1. Internal Investigations: A Look at Proactive and Reactive Responses Using Technology and Process
Albert Barsocchini
barsocchini@gmail.com
415.456.8318
2. Definition of an Internal Investigation
An internal investigation is launched by a corporation to understand
and diagnose problems within the corporation.
Frequently used to help a corporation avoid or limit possible criminal
or civil liability exposure and correct significant problems.
Fact driven
The old adage that sometimes the best defense is a good offense.
3. Flawed Investigation Risks
Allegations of obstruction of justice
Damage to the corporation’s reputation
Damage to employee morale
Creation of negative evidence that may be used in future criminal or
civil proceedings
Destruction of evidence that could be helpful in the company’s
defense
4. Is an Internal Investigation Appropriate?
The titles, roles and responsibilities of the people alleged to have engaged in the wrongdoing;
Whether the company was a victim or the perpetrator of the alleged wrongdoing;
If the company was a victim of the wrongdoing, is it likely to recur and will the company likely
recover much, if anything, in pursuing the wrongdoers?
The nature, length, and scope of the alleged conduct in question;
The dollar value of any loss to the company if it was a victim of any wrongdoing;
Does the wrongdoing involve ongoing business conduct or existing business relationships, or is it
historical and unlikely to recur due to changed business practices or other circumstances?
The likely—not merely the possible—potential economic exposure to the company;
Whether alleged wrongdoing, if true, is placing any third party at risk;
Whether the allegations are susceptible to verification;
The cost and effort of the investigation as compared with any results it may yield;
The nature and source of allegations, including the motivation and the potential gain to those
making the allegation, if that party is known.
5. Reality Check
There are known knowns. These are things we know
that we know. There are known unknowns. That is to say,
there are things that we know we don't know. But there
are also unknown unknowns. There are things we don't
know we don't know.
Donald Rumsfeld
Query: Traditional investigation techniques focus on
known knowns and sometimes known unknowns
6. Know Your Self
Sun Tzu:
“If you know your opponent's strengths and limitations and know your
own strengths and limitations, you can win one hundred battles without a
single loss.”
“If you know neither yourself nor your opponent, you will always
endanger yourself and the mission.”
7. United States Approach To Data Protection & Privacy
The United States has an ad hoc approach to data protection legislation, relying on a
combination of legislation, regulation, and self-regulation, rather than overarching
governmental regulations.
The private sector should lead, and companies should implement self-regulation in
reaction to issues brought on by Internet technology.
Corporate Codes of Conduct
Alternative Dispute Resolution mechanisms
The United States has no single, overarching privacy law comparable to the EU
Directive.
Privacy legislation in the United States tends to be adopted on an “as needed” basis,
with legislation arising when certain sectors and circumstances require. For example:
Video Protection Act of 1988;
Cable Television Consumer Protection and Competition Act of 1992;
Electronic Communications Privacy Act; and
Fair Credit Reporting Act.
9. Today’s Corporate Risks & New Litigation Rules Require Consistent Digital Investigations
eDiscovery Compliance
Data Audit &
Internal Security
Investigations
The common need to search, collect and preserve electronic evidence
in a timely, efficient and defensible process with court admissibility
11. Trends
Board Members Will Demand Investigations
Less Pressure to Waive Attorney-Client Privilege
More written reports instead of oral
More Executives Will Have Their Legal Fees Paid by Their
Employer
More Employees Will Be Prosecuted For Lying to Outside Counsel
Increased difficulty conducting Investigations because of complex
enterprise environment
12. Invest in Leap Ahead Technology
We still use a lot of homegrown tools.
Not enough innovation.
Can we prevent wrongdoing by watching the data?
Can we make the data police itself?
13. Know the Triggers
Search Warrant, Government Subpoena or Voluntary Request for
Information
Whistleblower
HR matters
Media Reports
Financial Restatements
Shareholder Demand Letter or Civil Complaint
Auditor concerns
Part 205 Report
Board or Audit Committee Concern
FCPA
14. Understand Data Location
What are your “Crown Jewels”?
Do you know where all the Crown Jewels are?
Processes and procedures should be in place to ensure “The Crown Jewels” remain in authorized locations.
15. Evolving Corporate Threats
Traditional reactive investigations not enough
New technologies bring new exploits
Threats can be internal, external and/or inadvertent
A determined wrongdoer will find a way
16. Proactive Considerations
How do you…
Identify unknown or covert corporate threats?
Limit the risk exposure presented by sensitive information?
Respond to a suspected incident?
Limit the scope of an incident?
Ensure corporate endpoints remain secure?
Address and scale technology and processes to include file servers, email servers, semi-structured data repositories?
17. Find your Heading
Directional orientation determines your focus
coming at, going away, or circling you
Perception is what you observe
Peripheral vision is for detection (perimeter)
Central vision is for identification (endpoint)
Could you drive with only peripheral vision?
Bottom-line: You will conclude what you perceive
Learn to use innovative procedures and technology to
increase your vision.
18. Technology Obsolescence
Traditional investigative technologies are
obsolete and not keeping pace with the
number of corporate threats being created.
Traditional investigative techniques place
you in a perpetual catch-up mode and provide a
false sense of security & plausible deniability
20. Your New Adversaries
1. “Bear” - firmly nestled where users are most exposed; the data
stream…
2. “Raccoon” - masked bandit who sneaks in at night and takes our
valuable loot.
3. “Wolf” - constantly probing and looking for signs of weakness.
4. “RAT” - burrowing his way through your foundation, weakening your
structure.
21. Flawed Internal Investigation Personalities
1. “Turtle” - both for having a hard outer shell and soft meaty middle,
and for being characteristically slow in every endeavor
2. “Lemming” – Because we like to follow others’ lead, often to our own
demise
3. “Guinea Pig” – Using untested new ideas and procedures.
4. “Beaver” – Who after getting his dam breached will work feverishly to
patch and repair, even when conditions aren’t favorable.
5. “Sheep” – They may make great T-shirts, but terrible investigators
6. “Ostrich” – who believes that there is a peaceful bliss in ignorance
and if you bury your head long enough, maybe the threat will go
away…
22. Desired Qualities of an Investigator
Objective
Impartial
Subject matter expertise
Credible
Fair
Respectful
Compassionate
Professional
Innovative
Flexible
Open to new ideas and techniques
23. Undesirable Qualities of an Investigator
Biased
Judgmental
Accusatory
Inconsiderate
Angry or “put out”
Incompetent
Inflexible
Not thinking outside the box
Unwilling to accept new ideas and technology
24. Challenges
Complexity - Internal investigations are inherently complicated given
regulatory considerations, disclosure implications and overall liability
exposure.
Timing - Critical aspect of any internal investigation.
Risk - The disclosure of investigative findings can subject a
corporation and its employees to potential criminal and/or civil
liability.
Ethical Issues - Effectively conducting an internal investigation often
requires keen attention to a myriad of ethical issues (e.g., privilege
Adverse impact - The investigation and its findings can adversely
impact the company by generating low employee morale, hampering
employee recruitment and depressing the stock price.
Conflict of interests – can affect investigation effectiveness
25. Investigative Challenges
Detecting Covert, Advanced and Unknown threats and keeping pace with
the evolving nature of attacks
Identifying and analyzing suspected threats
Quickly triaging and containing an identified threat
Locating and rapidly responding to data leakage (PII, IP, etc.)
26. Be Proactive and Understand Potential Corporate Threat Vectors
Network
Unusual employee behavior
Email
Open ports
VPN
Insider threat
Software vulnerabilities
27. Ten Red Flags for the Enterprise
Account information on unauthorized workstation
Account information on a web or email server
Unencrypted account information
Unscheduled bulk data transfers after hours
File sharing software (e.g., BitTorrent)
Unknown process running on a workstation
Account privilege escalation/out of band activity
Encrypted/compressed file repositories
Large number of removable drives on a single computer
Unpatched applications
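Two of the red flags above, unscheduled bulk data transfers after hours and a large number of removable drives on a single computer, expressed as detection logic over constructed sample events. This is an added example, not part of the original slides; the event fields, thresholds, business hours and scheduled-job list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed policy values (not from the slides); tune to your environment.
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59 local time
BULK_BYTES = 500 * 1024**2                # 500 MiB per transfer
SCHEDULED_JOBS = {("backup01", "02:00")}  # (host, HH:MM) of approved jobs
MAX_REMOVABLE_DRIVES = 5                  # distinct device serials per host

# Constructed sample events standing in for normalized endpoint/network logs.
EVENTS = [
    {"ts": "2024-03-04T02:00:11", "host": "backup01", "type": "transfer", "bytes": 9_000_000_000},
    {"ts": "2024-03-04T23:41:07", "host": "ws-114", "type": "transfer", "bytes": 2_400_000_000},
    {"ts": "2024-03-04T14:05:30", "host": "ws-114", "type": "transfer", "bytes": 3_100_000_000},
    {"ts": "2024-03-04T22:10:00", "host": "ws-207", "type": "transfer", "bytes": 40_000_000},
] + [
    {"ts": f"2024-03-05T10:0{i}:00", "host": "ws-301", "type": "usb_mount", "serial": f"SN{i:04d}"}
    for i in range(7)
]


def after_hours_bulk_transfers(events):
    """Return bulk transfers outside business hours that match no scheduled job."""
    hits = []
    for e in events:
        if e["type"] != "transfer" or e["bytes"] < BULK_BYTES:
            continue
        t = datetime.fromisoformat(e["ts"])
        off_hours = t.weekday() >= 5 or t.hour not in BUSINESS_HOURS
        scheduled = (e["host"], t.strftime("%H:%M")) in SCHEDULED_JOBS
        if off_hours and not scheduled:
            hits.append((e["host"], e["ts"], e["bytes"]))
    return hits


def hosts_with_many_removable_drives(events):
    """Return {host: count} where distinct removable-drive serials exceed the limit."""
    serials = defaultdict(set)
    for e in events:
        if e["type"] == "usb_mount":
            serials[e["host"]].add(e["serial"])
    return {h: len(s) for h, s in serials.items() if len(s) > MAX_REMOVABLE_DRIVES}


if __name__ == "__main__":
    for host, ts, size in after_hours_bulk_transfers(EVENTS):
        print(f"RED FLAG bulk transfer after hours: {host} {ts} {size / 1024**2:.0f} MiB")
    for host, n in hosts_with_many_removable_drives(EVENTS).items():
        print(f"RED FLAG {n} removable drives on {host}")
```

The approved backup job and the daytime transfer are not flagged, which is the point of keeping a schedule allowlist alongside the size and time thresholds.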
28. Recommendations
Assess your risk
Assess your readiness
Prevention, detection, response
Implement effective compliance program
People
Process
Technologies
29. Getting Started
Have a corporate investigation and document retention policy
Develop a process to identify and retain evidence
Develop a response strategy for both inside and outside counsel
Identify event triggers and decision tree
Who in the enterprise controls the investigation?
Who should conduct the investigation? Credibility is key.
How should the investigation be conducted?
What should the scope of the investigation be?
What will be done with the results of the investigation?
30. Investigative Objectives
Find the truth
Stop the conduct
Identify the Evidence
Get control of the evidence
Preserve the evidence
Find out what happened and why
Report (oral or written) (purpose)
Implement remedial measures
Maintain confidentiality
31. Best Practices
Document the process
Establish credibility
Don’t make it worse
Always re-evaluate strategy
Have a clear communication channel
Have consistent procedures
Use the latest technologies
Have an efficient and cost-effective response
Properly preserve evidence
Provide effective expert testimony
Review and de-brief
32. Rewards
Using the latest investigative approaches and technology will help a
company identify potential liability and develop a plan to limit such
liability while allowing the company to control the process before
governmental or other third-party intervention.
Give a corporation more time to develop responses or defenses
which may ultimately minimize overall criminal and civil exposure
and reduce the likelihood of lawsuits.
Make a corporation look more responsible to government regulators,
shareholders, and auditors, thus minimizing the effect of any
negative publicity that has arisen from allegations of wrongdoing.
Satisfies the board’s fiduciary obligations.