David Carns (dcarns@casepoint.com) is chief revenue officer at Casepoint in Washington, DC, USA.
Planning for internal investigations has always been challenging, even before COVID-19. Investigations tend to unfold much less predictably than litigation, where attorneys are often able to proceed from a known set of facts and follow a reasonably clear road map to achieve a desired outcome. The scope of an investigation, by contrast, can change on a dime. Date ranges of alleged misconduct may suddenly expand, and initial custodian interviews may reveal the need to interview more people than previously thought. Legal or regulatory issues can also multiply as more evidence comes to light. These and other potential complications likely loom larger because of the pandemic, when many organizations are operating with reduced staffing and budgets. Because of these complications, legal, compliance, and risk professionals need to be vigilant in reviewing their investigation policies and be prepared to adapt standard procedures to the new circumstances.
Prioritizing complaints and full investigations
Most internal investigations proceed through five key steps:
- The trigger event;
- Legal hold and custodian interviews;
- Requests for data and data collection;
- Processing, review, and analysis of files; and
- Recommendation of next steps, typically delivered as a written report.
Complaints to human resources alleging discrimination or harassment based on race or gender are common trigger events for many organizations. Other triggers include leaked or stolen intellectual property, whistleblower complaints alleging fraud or compliance violations, the loss or theft of physical assets, and leaked or stolen data containing sensitive or personally identifiable information.
In an age where remote work is now the norm, some companies may need to review and revise their criteria for determining which allegations or activities trigger a full investigation. For instance, employees may now have more plausible excuses to explain activities that might have caused alarm and attracted scrutiny before the pandemic. Such activities include using personal devices to conduct work, using an insecure internet connection (perhaps because a home connection is too slow), downloading large volumes of company information or files, or forwarding data to a personal email address. On the other hand, remote work may also increase the risk that employees will engage in intentional or inadvertent misconduct, which could even draw the attention of regulators. In any case, organizations should carefully reexamine their data security policies for working remotely while taking into consideration recent mandates and communicating them clearly and frequently to the workforce.
While it may be possible for organizations to delay some investigations until after pandemic-related restrictions are lifted, delaying others can pose serious risks. Allegations that have the potential to expand into high-stakes, data-intensive regulatory or legal matters should receive clear priority over those that do not. Whistleblower complaints alleging fraud or serious compliance lapses, leaked or stolen data containing personal or sensitive information, leaked or stolen intellectual property, and sexual harassment allegations are all issues for which the financial and/or reputational stakes are potentially high. Even during a pandemic, these matters likely merit serious attention and require immediate steps.