Internal Investigations: Managing Mobile Device Data in the Age of COVID

While most of today’s law departments are highly proactive when it comes to e-discovery and have solid workflows and tools for managing the entire process, internal investigations do not always inspire the same level of diligence and planning. It’s surprising how many companies still lack formal processes for investigations and fail to consider appropriate technology for preservation, collection, processing and review until they find themselves in the middle of high risk, data-intensive matter. This is unfortunate, because internal investigations can be quite unpredictable. It’s difficult to anticipate where the facts will lead or what legal and logistical complications may arise. Project scope and costs can quickly get out of control, too.

The emergence of COVID-19 has added a new wrinkle to investigations. Because nearly everyone is working remotely, more of the information that needs to be identified and collected is on mobile devices. This is true whether the devices are corporate-issued or employee-owned. That means investigation teams are increasingly reliant on mobile device management (MDM) software or utilities to help collect the necessary information for a new matter so the data can be analyzed for relevance. In today’s work environment, data collected using MDM software is particularly germane to investigations originating with HR, such as allegations of discrimination, harassment, cyberbullying, stalking and similar misconduct.

What is MDM?

Lawyers and risk managers who are involved in data discovery of any kind should be aware that MDM is very likely being deployed across their enterprise and is an increasingly important forensic tool for discovery. Nearly every corporate IT department uses MDM software to securely manage and monitor the use of smartphones, tablets and laptops by employees. In a bring-your-own-device (BYOD) world, MDM is an important security solution that helps IT ensure equipment is configured and updated in a consistent, standardized and scalable way and makes remote diagnosis and troubleshooting of problems more efficient. MDM also allows IT personnel to track exactly how employees are accessing company data, files and email, effectively unifying siloed information into a single, trackable system. From a forensic standpoint, MDM can provide investigators with valuable information about multiple data types, like text messages, voicemail and call logs; such data often includes geographical locations.

MDM is necessary for employees to access corporate email on a device; it also gives companies the capacity to remotely “wipe” email from devices, if necessary. From an investigative standpoint, MDM is not only an important centralized source of information about employees’ use of applications like email, voice and chat, but it also documents with precision when and how employees are using various devices from various locations to access the corporate information system. That said, while MDM can find a lot of the information that legal teams need for internal investigations, it can’t find everything.

Free E-Book Download: The Art of the Internal Investigation

Without the Right Tool, MDM Data is Extremely Difficult to Interpret

In the event of an internal investigation, extracting and decoding data from devices equipped with MDM typically falls to IT, and it’s a good bet they use a particularly good forensic tool for that purpose called Cellebrite. Although it’s not the only forensic software out there, just about every law firm I know of uses Cellebrite. Its output is difficult for most people to make sense of, however; a Cellebrite report is a lot like a very extensive spreadsheet. The information it contains is comprehensive and highly accurate, but interpreting that data can be a nightmare for nontechnical users like lawyers, who are likely to run to IT for help.

Fortunately, at least some e-discovery tools can convert data extracted with Cellebrite into easy-to-comprehend, sequentially organized, chat-like conversations that mimic the “look and feel” of person-to-person interactions as they appear on a phone. This is rapidly becoming a mandatory technical capability for organizations that are serious about conducting internal investigations efficiently and cost effectively. Instead of leaving lawyers to wade through columns of data at prohibitive hourly rates, a good tool for converting Cellebrite output will convert that data into a usable format designed to reveal a multi-layered “story” based on call data, social media, chat and other apps or functions.

Internal Investigations Merit a Thoughtful Approach

The emerging relevance of MDM data to investigations is a key development, and it highlights the importance of understanding your organization’s technology infrastructure and identifying cost-effective technologies for discovery before the next investigation gets underway.

Other best practices to consider:

Don’t Be Tempted to Take Shortcuts

Make sure the collection tools you use deploy official APIs from Dropbox, Microsoft, Google Docs and other common repositories to ensure you get an accurate data set and are able to pull the most recent version of any document, with the option to go back and look at previous versions. While some very large companies may still choose low-tech, ad hoc procedures — like loading emails into Outlook to analyze custodian communications — that’s a very bad idea. Always use purpose-built tools that don’t risk inadvertent data modification or destruction. Even apparently minor investigations can quickly grow into high-stakes matters and should always be managed as such.

Consolidate Technology for Accuracy and Efficiency

Use an integrated SaaS e-discovery and data discovery platform that can manage the data at every phase of investigation in single interface. Ideally, it will:

• Have built-in artificial intelligence (AI) technologies like machine learning and predictive coding so you can run data-intensive searches with optimal speed and accuracy.
• Include multilingual capabilities to help you avoid costs associated with translation and/or multilingual reviewing.
• Provide easy access to data — without risk of data loss or alteration — as well as a complete tool set for performing investigative work to teams distributed across the country or across the world.
• Support hundreds of file types used in corporate environments so you can immediately open and comprehend files, even if you don’t actually have the application installed in your own department. MDM data is just one of many examples of software that generates invaluable information but can be virtually incomprehensible to lawyers if it isn’t converted into a usable format.

Standardize Processes and Workflows Across the Organization

Treat internal investigations like any other legal matter that presents financial and reputational risks. Establish (and put into writing) a formal procedure for conducting internal investigations that identifies stakeholders and roles and outlines in detail how your team will respond to each of the five key phases, including the trigger event; legal hold and custodian interviews; requests for data and data collection; processing, review and analysis of documents and other materials; and recommendation for next steps. Among other benefits, formalizing your approach will force you to gain a better understanding of your information infrastructure and create awareness of the applications (like MDM) that are most likely to come into play the next time a matter for investigation arises.