The securing and analysis of digital evidence are key components of an internal investigation. It is crucial, during the preparation phase, to identify the (personal) data required, determine their location, and assess their significance. Challenges can emerge, particularly in the context of remote work, personal use of company IT resources, and the use of bring-your-own-device (BYOD) solutions. In this article, the authors address practical aspects of securing digital evidence, supplementing them with considerations related to the Austrian Labor Constitution Act and data protection laws.
1. User Profile and Data
The starting point of an internal investigation is a suspicion of a legal violation or a breach of internal regulations. During the initial phase of the investigation, uncertainties often persist, including identifying the involved individuals (whether limited to employees or extending to external parties), establishing the relevant timeframe, and determining the specific issues that require clarification.
As an initial step, it is crucial to acquire information pertaining to the employee's responsibilities, encompassing their job description and labor contract, as well as details concerning identity and access management.
Subsequently, key points of the investigation are defined, addressing questions such as:
How time-sensitive is the investigation?
Who is leading the operational aspects of the investigation?
How is the interdisciplinary team composed?
How is the subject and investigation period defined?
Should external consultants be involved?
What information or data is crucial for the case?
The last point is examined more closely. Due to technological advances, relevant information is rarely available in physical form. Typically, data from the following applications or devices are relevant:
Microsoft Outlook (emails, calendar entries, tasks, notes)
Other communication data (e.g., WhatsApp, SMS, MS Teams)
ERP systems (e.g., SAP, Microsoft Dynamics)
HR systems (e.g., SAP)
CRM systems (e.g., Salesforce)
Access control systems
Time tracking systems
Smart multifunctional network printers
Notebooks and mobile devices (smartphones, tablets)
In preparing for the investigation, it is crucial to understand which data are associated with a specific user profile. Specifically, this means knowing which applications the employee has access to, whether they could be relevant to the case, how significant these data are, and how particularly volatile data can be secured for later analysis. A central identity and access management system is helpful for this purpose.
The measures required for data security must be implemented promptly and with appropriate forensic diligence. Discovering that data has been deleted because it was not secured in time can be frustrating. The importance of data often becomes evident when correlating various data sources.
For instance, in a case involving the unauthorized disclosure of a confidential agreement, it was uncovered that the agreement had been stored on the central server under the label 'ABC_1_5_18.' A printed copy of a document bearing the same designation was produced in close temporal proximity to the disclosure. This correlation was established by cross-referencing print orders from the print server with the names of documents stored on the server. As a result, the investigation focused on the individual who initiated the print order.
However, caution is advised against hasty conclusions in data analysis. Even if it seems likely that the person who initiated the print order also disclosed the agreement, it is not proven. Objectively, only the fact that a document with the same designation as the unlawfully disclosed agreement was printed by a person using a specific user profile was established.
Some perpetrators disguise their actions and exploit the trust of their colleagues, such as obtaining access credentials and logging in with their user profile. In one case, an employee close to retirement was asked to provide login credentials because his user profile had extended SAP permissions. He was told the SAP authorization was necessary to review invoices.
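The cross-referencing of print orders with server file names described above can be sketched as follows. This is an added example, not the authors' tooling; the user names, paths, timestamps and log layout are constructed, and only the label 'ABC_1_5_18' comes from the case.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample data: (timestamp, user profile, document name as logged).
PRINT_JOBS = [
    ("2023-05-02 09:14:07", "jdoe", "ABC_1_5_18.pdf"),
    ("2023-05-02 09:20:41", "asmith", "Microsoft Word - Minutes.docx"),
    ("2023-05-03 16:02:55", "mbauer", "abc_1_5_18"),
    ("2023-04-11 11:30:00", "jdoe", "ABC_1_5_18.pdf"),
]
# Constructed listing of the confidential folder on the central server.
SERVER_FILES = [r"\\fs01\legal\contracts\ABC_1_5_18.pdf",
                r"\\fs01\legal\contracts\XYZ_2_3_19.pdf"]


def normalize(name):
    """Reduce a logged name or server path to a comparable stem."""
    name = name.split(" - ", 1)[-1]      # drop "Microsoft Word - " style prefixes
    return PureWindowsPath(name).stem.casefold()


def correlate(print_jobs, server_files, disclosure, window):
    """Return print jobs that match a server file name and fall within
    `window` before or after the disclosure time, oldest first."""
    stems = {normalize(p): p for p in server_files}
    hits = []
    for ts, user, doc in print_jobs:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        path = stems.get(normalize(doc))
        if path and abs(when - disclosure) <= window:
            # The log identifies a user profile, not the person at the keyboard.
            hits.append({"time": when, "user_profile": user,
                         "printed": doc, "server_path": path})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    disclosure = datetime(2023, 5, 3, 12, 0)   # constructed disclosure time
    for hit in correlate(PRINT_JOBS, SERVER_FILES, disclosure, timedelta(days=2)):
        print(hit["time"], hit["user_profile"], hit["printed"], hit["server_path"])
```

With the sample data, two different user profiles match inside the window, which illustrates why a name match is a lead for further correlation rather than proof.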
2. Forensic Readiness
Large companies should not address the considerations outlined in Section 1 only reactively. It is prudent to proactively prepare for investigations involving digital evidence, a concept known as forensic readiness. This foresight is particularly valuable because investigations may also be conducted by external authorities. In such scenarios, having a clear understanding of data locations and knowing the procedures for voluntary disclosure or in response to a search warrant becomes advantageous. Additionally, the potential necessity for simultaneous internal investigations underscores the importance of knowing which tasks can be conducted in parallel or sequentially alongside the official inquiry.
3. Preventing Data Deletion
At the outset of an investigation, a critical measure involves preventing the deletion of data, especially emails. In Microsoft Office 365, an administrator can implement a setting known as 'litigation hold,' which prevents users from deleting emails. Even if a user deletes emails, they remain preserved in the system, appearing as deleted to the user but retained nonetheless. The administrator has the option to decide whether the litigation hold should be visible to the user or remain concealed.
It's important to note that data deletion may not always be with the intent of destroying evidence; it could be part of routine deletion or overwriting to comply with defined retention periods. Therefore, understanding the investigation timeframe and verifying the availability of data for that specific period is crucial.
4. Backups and Recovery of Deleted Data
Even if data is deleted, it might be stored in on-site or off-site backups. Previously deleted data can often be restored, particularly for storage devices and, to some extent, for mobile devices. This process requires a functioning BitLocker and Mobility Management, ideally complemented with forensic endpoint solutions for the initial examination (forensic triage) and preservation of evidence.
5. Forensic Preservation of Data
As a primary step, it is advisable to implement security measures centrally, whenever possible, without involving affected employees. This approach ensures the confidentiality of the investigation and mitigates the risk of intentional data deletion. Centralized data, such as information on company servers or in cloud applications like Microsoft 365 and Microsoft Azure, can be safeguarded through the creation of a 'forensic snapshot in time.'
Following the completion of central security measures, decentralized efforts can be initiated. This encompasses securing company-owned notebooks, smartphones, and tablets, either through physical handover or remote security using endpoint agents. Leveraging endpoint agents also facilitates a swift initial examination.
When physically securing and subsequently copying data from notebooks, smartphones, and tablets, it is crucial to adhere to the best practices of digital forensics, including verifying the integrity of the data with checksums (hashes). This principle applies equally to central and cloud backups. Such practices ensure and document that the data handed over or copied remains unchanged and in its original form, avoiding alterations during the investigation (maintaining the chain of custody).
Failure to conduct data security measures appropriately can compromise the probative value, giving rise to allegations of data manipulation or contamination. Access to company-owned notebooks, smartphones, and tablets becomes imperative when there is reason to believe that these devices contain information not centrally stored. For instance, in a competition law case, critical information about prices was exchanged within a WhatsApp group.
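The checksum practice described above can be illustrated with a hash manifest that is recorded at acquisition and re-checked before analysis. This is an added example, not the authors' procedure; the file names and contents are constructed, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """Map each file (path relative to the evidence folder) to its SHA-256."""
    root = Path(evidence_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_digest(manifest):
    """Single value to note in the custody record for the whole manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(evidence_dir, manifest):
    """Compare the folder's current state with the recorded manifest."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed evidence folder: record hashes, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mailbox_export.pst").write_bytes(b"constructed sample A")
        (root / "print_server.log").write_bytes(b"constructed sample B")
        manifest = build_manifest(root)
        clean = verify(root, manifest)
        (root / "print_server.log").write_bytes(b"constructed sample B, edited")
        (root / "notes.txt").write_bytes(b"added after acquisition")
        return clean, verify(root, manifest)
```

Storing the manifest and its digest separately from the evidence copy lets a later reviewer confirm that neither the files nor the manifest itself changed.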
6. Home Office/Teleworking
Conducting internal investigations in a home office setting presents unique challenges. While employees are obligated to submit all work products, including documents in their private spaces, the employer lacks the right to enter the employee's private premises. Effectively checking this obligation, especially when an employee claims not to possess the required documents, proves practically impossible.
The process of handover for company-owned notebooks and smartphones requires different considerations. Here, the risk lies in the employee becoming aware of the investigation and, due to their absence from the company premises, potentially delaying the employer's physical access to the devices. This time lapse could be used for data deletion or destruction. The success of evidence preservation hinges largely on the investigative leader's skill in structuring the process to ensure access to hardware in a manner that prevents temporary retention or deletion.
7. Bring-your-own-device (BYOD) and Personal Use of Company Resources
Employers are not allowed access to private IT devices, with an exception being a business-defined area on the device, provided that access to this area was agreed upon for an investigation. However, relying on Bring Your Own Device (BYOD) solutions is not advisable due to the associated security risks. Moreover, in the absence of cooperation from the employee, BYOD devices are excluded from the investigation.
A recommended practice is to not allow the personal use of company IT devices. Personal use not only heightens security risks but also complicates evidence preservation and analysis. Mixing business data with personal data in the event of an investigation can present challenges, emphasizing the importance of maintaining a clear distinction between personal and business use.
8. Austrian Labor Constitution Act
In the context of internal investigations, there is often a suggestion that the works council must be involved. While voluntary engagement in specific cases may align with corporate policy considerations, it's important to note that there is no legal obligation for mandatory involvement. Section 96 (1) of the Austrian Labor Constitution Act (ArbVG) stipulates that certain operational measures, including control measures that affect human dignity, require the works council's approval. However, it's crucial to differentiate between data securing and monitoring employees. The mere securing of data is objectively not deemed monitoring under the Labor Constitution Act. Monitoring, in this context, involves data analysis. Moreover, control measures necessitate a certain permanence, which is not the case in time-limited investigations. Even if data were to be analyzed, it would not alter the outcome, as the term 'control measures' pertains solely to general, not individual, measures. Consequently, investigation measures only fall under Section 96 ArbVG if they encompass collective controls related to the company. However, this is not the case when individually investigating allegations against specific employees.
9. Data Protection
Securing communication data falls within Article 4 of the General Data Protection Regulation (GDPR). Even without subsequent data analysis, the act of securing data constitutes the collection and/or storage of personal data. The primary objective of this data processing is to investigate suspicions of legal violations.
It is important to note that since the processed data were initially collected for different purposes, such as managing a supplier relationship, utilizing this data for an internal investigation constitutes a change of purpose. Consequently, processing this data necessitates a (new) justification under Article 6 of the GDPR. Before commencing an investigation, a thorough examination and documentation of the justification under Article 6(1) (a to f) of the GDPR must be undertaken on a case-by-case basis.
Entities like IT service providers, experts, and lawyers engaged in securing and later analyzing personal data on behalf of the company are considered data processors. It is imperative to establish a data processing agreement with them. Data processing is deemed permissible if at least one of the justifications listed in Article 6(1) of the GDPR applies. Particularly relevant is Article 6(1)(f) of the GDPR, allowing data processing if it is necessary to safeguard the legitimate interests of the data controller or a third party, provided the interests or fundamental rights and freedoms of the data subject do not override. A balancing of interests must be conducted in the specific case. Additionally, affected individuals must be informed, although this obligation does not have to be fulfilled immediately if immediate notification could impede the purpose of the investigation. In such instances, notification should be made as soon as possible without compromising the investigation. Furthermore, the internal investigation must be documented in the company's and the data processor's data processing records. If data analysis follows, the company, acting as the data controller, must undertake a data protection impact assessment.
10. Criminal Law
Individuals affected by the investigation typically focus on potential labor law consequences. However, if employees attempt to obstruct the investigation by destroying documents and data, criminal consequences may also come into play. This is particularly relevant when authorities are involved in the investigation, where offenses such as data damage, suppression of documents, suppression of evidence, and forgery of evidence may be considered.
11. Documentation
The secured and analyzed data serve as a pivotal foundation for the investigative report. It is crucial that the established facts are logically traceable to the evidence collected. Even if the evidence is not intended for a court proceeding, clarity on why specific evidence was collected and why certain aspects were omitted remains essential. This transparency is particularly crucial as the report may be scrutinized, even outside of a legal proceeding, by affected employees.
It is recommended to conduct the preservation, analysis of evidence, including evidence evaluation, and the preparation of the report in accordance with the principles observed in civil or criminal procedures. Despite the absence of a specific legal framework for internal investigations, the quality of a report becomes evident when it serves as the basis for employment measures or becomes subject to complaint. In such cases, the investigation may undergo indirect review in a legal proceeding.
Given that the report may include statements that could be damaging to an individual's reputation, yet may not be directly linked to evidence, it is imperative that internal investigations be led by individuals with not only corporate experience but also a background in court proceedings. Ideally, a report should be drafted in a manner that, if treated as a court decision, would be robust against challenges.
Vienna, November 2023
Robert Eichler / Gernot Schmied
Dr. Robert Eichler is a distinguished expert in the fields of compliance, corporate governance, internal investigations, and management disputes. With a wealth of experience gained during his tenure as Senior Vice President Internal Audit & Compliance at OMV, he brings comprehensive expertise to these areas. Over the course of more than 10 years at OMV, Robert Eichler spearheaded numerous investigations and global audit reviews. His responsibilities extended to providing ongoing guidance to executive board and supervisory board members on matters related to compliance and corporate governance. Before joining OMV, Robert Eichler was a partner at Wolf Theiss Rechtsanwälte, an established European Lawyer in Bucharest, and a Foreign Lawyer at Covington & Burling in New York. From 2008 to 2010, he successfully managed the defense against mass lawsuits brought by around 50,000 employees against their company. Robert Eichler gives regular lectures, served as an external lecturer at the Institute for Corporate Law at the Vienna University of Economics and Business, and as a Visiting Lecturer at the U.N. Anti-Corruption Academy.
IT Civil Engineer and Court Expert DDipl.-Ing. Mag.rer.soc.oec. Gernot Schmied is an IT expert, physicist, business economist, certified compliance officer, and auditor with 23 years of experience as a freelancer. Many of his activities lie at the intersection of technology and law, focusing on answering challenging questions in expert opinions on digital forensics, consulting, interdisciplinary forensic support for internal investigations, and reviewing preventive measures ("forensic readiness"). Additionally, Gernot Schmied is one of the few internationally active experts in multimedia forensics (audio, video, photo, and screenshots).