Document retrieval in the 21st Century
Document collation is likely to be key to any investigation. However, gone are the days when document collation just meant retrieving emails, recorded telephone lines and hard copy documents. In the 21st Century, firms now have to worry about preserving, retrieving and reviewing instant messaging services, text messages, mobile phone apps and social media.
In the third post of our blog series focusing on challenging issues in internal investigations, we consider some of the difficult issues surrounding more modern and novel types of ‘documents’ that might need to be retrieved for the purposes of an internal investigation.
Electronic Messaging Apps
Popular third-party messaging applications for smartphones and tablet devices are an increasingly valuable source of evidence in investigations. Firms will need to be aware of the preferred communications channels of their employees and the issues unique to each application. Preferences may differ across professions (for example, bank employees may prefer Bloomberg messaging or Blackberry messaging) and different parts of the world (social messaging services such as WhatsApp, Facebook Messenger and WeChat are each popular in some parts of the world, but not others).
Although emails can ordinarily be obtained from company servers and archives, messages from these third-party messaging applications require extraction from the devices by which they were sent (which could be owned by a firm, or by an employee personally). Critical evidence may be missed if a firm is not aware of the types of messaging apps its employees are using or does not know where to look for such data.
The following issues have arisen from the proliferation of such messaging applications:
- Custodians may conduct business across multiple devices, including devices containing personal and business data. Firms need to be careful to ensure that they capture information from each device used for business and to take adequate steps to ensure data protection and privacy laws are respected.
- The ability to forensically retrieve electronic messages from these apps must keep pace with the technical diversity and rapid pace of innovation for smartphone devices. Each application may store data on its device in a different way. Therefore, the forensic software generally has to be tailored to the specific device, including the various iterations of devices such as the iPhone, and the specific operating system used on each device. Once one considers the vast number of different models and versions of mobile devices and operating systems and the speed at which they are developed, one can appreciate the difficulty and cost in developing capabilities to retrieve such communications. The types of mobile devices employees use can vary significantly if a company has a ‘Bring Your Own Device’ policy permitting employees to use the device of their choice.
- Some messaging applications offer encrypted messaging services which may place the contents of messages beyond the control of the firm. It is not difficult to envisage how such services can be used to engage in activity of interest to regulators. Participants in an insider trading scheme have used BlackBerries to communicate using ‘PIN-to-PIN messaging’ since the content of the messages was not recorded by telecommunications providers and could only be accessed through the devices used. Recently, WhatsApp announced that it had enabled full end-to-end encryption for all communications over its network. This means that while external observers can see the metadata of messages (such as when and to whom they were sent), they will not be able to access the content of the messages. This presents difficulties for firms in circumstances where individuals refuse to hand over, have misplaced or have destroyed the devices on which these applications are stored.
Given the potential issues that may be caused by the use of third-party messaging applications, some firms have taken the decision to block them from firm-owned devices, meaning that they cannot be downloaded or used by employees.
Last year, the Financial Conduct Authority did not object to regulated entities taking advantage of cloud computing services, so long as "appropriate safeguards" were put in place. The move by firms to the use of third-party IT providers and cloud computing services has generated new considerations when collecting documents for an investigation. The issues which arise will ultimately depend on the contractual arrangements between the firm and provider. For example, third-party IT arrangements can range from the provision of a few discrete IT services to the computer systems used by a firm being owned by the provider.
Where such arrangements are involved, some of the issues firms should consider are:
- What is the level of accessibility and cost required to access these documents for an investigation?
- Does the firm ‘own’ the data that is collected, generated and processed by the outsourcing / cloud computing service?
- Are there jurisdictional problems because the user is in one country and the processing power and data in one or more other countries?
- Where on-going monitoring of individuals is required, firms will have to rely on the computing systems and architecture used by the cloud service provider.
And then there is privilege…
In our next blog post in this series, we will consider some of the recent difficult privilege issues that have arisen in internal investigations.
However, leaving privilege to one side for the moment, document identification, collation and review strategies need to keep pace with the constant stream of technological developments we have seen, and will most likely continue to see for the foreseeable future.
If you have any questions about this blog post please contact Investigations.Insight@AllenOvery.com