All posts tagged Dawn Raids

Technology, big data and the regulatory arms race

by Tracey Stretton on August 7, 2015 in Legal Developments with No comments

In 2010, the then Office of Fair Trading (OFT) launched an investigation into a suspected price-fixing cartel between aviation giants, British Airways and Virgin Atlantic. The airlines were alleged to have conspired to fix fuel surcharge prices. However, the case collapsed following the discovery of 70,000 emails that had not been disclosed to the prosecution until the last minute due to a technical error.

The collapse of the case caused the OFT to be universally criticised, with commentators describing the investigation as a “fiasco” and the OFT exhibiting “incompetence on a monumental scale”.

Fast-forward four years and both the OFT and the Competition Commission (CC) have been dissolved and replaced by the Competition and Markets Authority. Thanks to the technological failings seen in cases such as the Virgin-British Airways price-fixing case, the two authorities may have created the impression that competition authorities lack technological prowess when it comes to investigations. Yet corporations hoping that this new authority will follow in the footsteps of its predecessors in the handling of electronic evidence should take heed; the CMA has a completely different approach .

How does the CMA differ from its predecessors?

More funding

The Treasury has granted funds which have allowed the CMA to invest further in the capacity it needs to increase the number of cartel cases it can pursue and the speed with which it can do so.

Increased quality and quantity of staff

According to Stephen Blake, Senior Director of the Cartels and Criminal Group at the CMA, the CMA has doubled the size of its Cartels and Criminal Group. In addition to doubling the size of that team, the CMA has also focused on building a team with the ability to work proactively and follow an intelligence-led investigation strategy. With this in mind, the CMA have hired a coterie of senior investigators and experienced intelligence officers.

Sophisticated technology

According to an experienced competition expert in London, “Enforcement authorities have learnt a lot over the past few years. They will have seen a change in the volume of documentation that needs to be collated and reviewed and this will have driven the change in approach which is now becoming apparent in their approach to information requests and general case management. The CMA has had the benefit of the hard lessons learned by the OFT, and will be far more engaged on this topic and cautious in planning how to manage an investigation, not just in terms of adhering to best practice but also in managing an investigation to criminal standards.”

To avoid repeating incident such as the Virgin-British Airways data mishandling, the CMA has adopted the same ediscovery and investigatory tools used by law firms and corporations undergoing scrutiny. In a dawn raid scenario, this means they are now able to process very large volumes of data quickly, scan entire corporate IT landscapes and drill down and forensically examine or analyse specific trails of evidence, in detail.

More collaboration

As part of the CMA’s commitment to implementing intelligence-led detection and enforcement strategies, leadership at the CMA has promised to foster closer partnerships with the police and other criminal enforcement agencies.

What will these changes mean for corporate compliance officers and in-house counsel?

The CMA has more funding, highly-trained and motivated staff and is actively pursuing investigations, as well as addressing the cases inherited from the OFT and CC. With the technological gap between authorities, law firms and companies now closed, the best way for corporations to prepare is to take a proactive approach to compliance. This can take the form of conducting regular internal investigations, streamlining and understanding data estates and for the ultimate in preparedness, arranging a mock dawn raid.

About Tracey Stretton

Tracey Stretton is a legal Consultant at Kroll Ontrack in the UK. Her role is to advise lawyers and their clients on the use of technology in legal practice. Her experience in legal technologies has evolved from exposure to its use as a lawyer and consultant on a large number of cases in a variety of international jurisdictions.

The Life Of A Computer Forensics Consultant

by Aaron Watson on May 28, 2015 in Case Studies & War Stories with No comments

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we’d give insight into what it’s really like to be a computer forensics consultant by getting one our experts to write about.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don’t think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities, who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regulatory ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and depending on what country you are collecting the data from can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways, in an organised manner with time for scoping and planning or we find find ourselves in a last minute “we needed you in Romania yesterday” type of project. Let’s go with the first, a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute “client panicking” type of data collections. We often have to take a quick assessment of the situation and have an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground working closely with IT which if know their IT systems well will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out) which meant we had to scope the complete IT infrastructure in order to determine all data storage sources in order to fulfil the requirements of the disclosure requirment. All of this makes for great technical challenges which for me are a great part of the job.

 Perks and pains of the job

Thankfully there are a far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it’s a particularly interesting case you’ve got me! As far as pains go I think pain would be a strong word but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn’t Spooks; we can’t image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn’t particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics which luckily for me got me internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved as part of a team or as a lead consultant in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked are large scale disclosure exercises and corporate investigations often for high profile clients or large corporations. These have ranged from investigations into Intellectual Property Theft, Computer Misuse, Fraud, Deception and corruption.

Agent 001 – What really happens during a “mock” dawn raid

by Thomas Cavro Dupont on October 6, 2014 in Case Studies & War Stories with No comments
Dawn raids matrix

Have you ever wondered what really happens during a mock dawn raid? I have had the opportunity to assist my forensic colleagues from Kroll Ontrack on several mock dawn raids in Europe so I will share with you what is actually going on behind the glamour and the mystery…

At dawn my four colleagues, who are forensic experts, and myself, are waiting incognito in a taxi a few hundred metres away from the premises that we are about to raid in an industrial and somewhat unfriendly location. No one apart from the CEO and Compliance Team of the company are aware of our presence and upcoming actions. My cell phone rings and we obtain the “go ahead” to enter the premises. Accompanied by external lawyers, we all enter the premises through a back door and register at a “pseudo reception” to obtain visitor passes. Then we are shown to a conference room which is where we will set up our IT and forensic equipment.

One of my IT colleagues lets out a deep sigh of despair after he realizes that we only have a single low speed network cable at our disposal and two power plugs to connect around 15 external hard drives and laptops from employees that are yet to come, but don’t panic, we brought several extension cables with us in case this should happen.

However, the single low speed network cable means that we will not be able to copy the server data from the conference room itself since that would take much too long; we have to be granted access to the central server room to connect directly to the server and copy server data rapidly. But we do not know where the server is located…is it onsite or somewhere else entirely?

We have to urgently speak to the local IT Manager, to find out where exactly the server is located. We are informed it is 25 km away from the current premises, and apparently it is up in the mountains so “it will take a while” to get there. I decide to go together with a forensic colleague to the offsite server location; we arrive there in 45 minutes after a hasty ride, to a very small and chilly room with a few server racks and many LED lights flashing intermittently. We start copying the data from the server but suddenly the server shuts down since it has detected an intrusion/hacker attack in an “Armageddon” atmosphere. Luckily, we manage to bypass the security breach in about half an hour and copy the relevant data in a couple of hours more.

In the meantime, my other forensic colleagues at the company premises have finally managed to obtain the necessary administrative rights and access from the local IT Manager. These codes will enable our forensic experts to start taking live images of the laptops from the company employees who have been selected as priority custodians (because of their role and position they are considered to be more likely to commit infringements or be exposed to competitors).

It is a race against the clock…as employees come into our conference room in groups of two by two we take their laptops, ask the employees to enter their passwords, sign our chain of custody form and we then run our forensic software to start the live image copying process of the laptop…all of this in just under 5 minutes per employee.

If everything goes according to plan we manage to copy data from 15 laptops in just less than 5 hours. The server data located up in the mountains has also been copied in about 5 hours. Finally my forensic colleagues run a program, which looks very impressive with plenty of zeros and ones, to check the integrity of the data and to ensure that all necessary data has been copied with nothing lost on the way. All the data has been copied successfully: mission accomplished!

These exercises can be used by corporations to test their incident response plans as part of a proactive approach to compliance, as part of an internal audit to make sure that no wrongdoing is taking place, or just to familiarize the staff with the process of a dawn raid so that nobody panics in the event of a real one. Whatever the reason for them, we try to make it as realistic a process as possible to provide the best training.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

Data War: Annual French general counsels’ meeting

by Thomas Sely on October 11, 2013 in Pieces of Interest with No comments
Data War

Last Friday, Kroll Ontrack sponsored the Annual General Counsel meeting hosted by the Development Institute International in Paris. I was asked to give a 15 minute talk about data control in e-discovery, dawn raids and internal investigation. I have to say that I had no idea what level of interest the forty-something general counsel and the few external lawyers in the room would show in this topic.

As everyone knows, civil law practitioners – particularly those in France – don’t traditionally pay too much attention to ediscovery and legal technologies coming from common law countries.  To illustrate this, one of the speakers who opened the session – a special legal advisor to the French Minister for  Industry Arnaud Montebourg – explained how France and Europe completely lost the technological shift in the 2000’s by letting  US giants (such as Google and Yahoo, e) take control of European citizens’ data and earn profit from that. As a consequence, the French government is now thinking about solutions to help Europeans regain better control of their personal data and its €315 billion value, according to a research conducted by the Boston Consulting Group in 2011.

Handling electronic data is also crucial in legal and regulatory matters. This is what my talk focused on.  Taking the right steps to ensure data is handled properly is a real challenge for French and European organizations dealing with a US discovery requests or a regulatory investigation. The European data protection directive, local data protection and labour laws and blocking statutes form a complex legal framework in situations where companies and lawyers need to collect, process, review and produce data. Alongside legal measures which have to be taken, there are technological tools and techniques that can be leveraged at each stage in a project to ensure data is kept safe and laws are complied with..

Finally, I was pleasantly surprised to see good feedback and some interesting questions from the audience. Hearing from French general counsel who have experience in ediscovery was very interesting and made me become more aware of their challenges: a French company which is not often involved ia US litigation can’t control the discovery process and usually only rely on its US law firm to take the right decisions.  Does this foreign law firm really understand the local challenges and does it have a local team with some ediscovery experience? Anyway, French companies are definitely looking for more local support to be help them take control of their data and of the whole discovery process. This will primarily mean having their data managed at a local level first instead of sending y all the documents requested directly to their US lawyers. A global ediscovery vendor with local teams and local processing facilities can therefore be seen as an indispensable partner to achieve that.

About Thomas Sely

Thomas advises French clients on the management of electronic evidence and the use of legal technology in forensics investigations, compliance audits, French & EU competition regulatory investigations and dispute resolution. He is regularly consulted on the practicalities surrounding the collection, management, processing, review and production of electronic evidence, particularly where issues of French data privacy and data protection are concerned. His clients include lawyers in IP, competition, employment and litigation practices, as well as inhouse counsel, HR, and compliance and security officers in corporations.

Dawn Raids this week: be prepared

by James Farnell on May 17, 2013 in Best Practice & Top Tips, Case Studies & War Stories with No comments

The London offices of BP and Shell were raided on Tuesday by the European Commission.  Statoil ASA in Norway also confirmed that they had been raided and were under investigation.  At the same time, our own panel of legal and technical experts was gathering to discuss the second in our series of webinars concerning electronic evidence in Europe entitled ‘Dawn Raid Survival’.  The topic and timing for this discussion could not, indeed, have been more appropriate…   If you did miss this session, there is a summary below or if you would like to listen to the webinar again in full, please see below:

Next webinar: Given the success of our last two sessions, I urge you to join us for our third webinar in this series on the 28 May at 14:00 CET: “Electronic Discovery: A Foreign Concept in Europe?”. To register please follow this link http://www.krollontrack.co.uk/webinars/electronic-discovery-a-foreign-concept-in-continental-europe/

We will be joined by Claire Bernier (partner at Altana, Paris), Santiago Gomez Sancha (Director of Information Services, Uria Menendez, Madrid), and Tina Shah (Electronic Evidence Consultant, Kroll Ontrack, London).

Dawn raid survival

In Tuesday’s raids the Commission had concerns the companies involved may have colluded in reporting distorted prices to a Price Reporting Agency in order to manipulate the published prices for oil and bio-fuel products.  For any suspected activity which negatively impacts on competition within the European marketplace, both the Commission and National regulatory authorities have power to intervene directly and ‘raid’ companies for evidence the activity.

How raided companies should respond in such volatile and high-stress situations, and what practical steps they should take was discussed by our panel which included: Dr Helmut Janssen (partner at Luther in Brussels and Dusseldorf), Julie Catala Marty (partner at Bird & Bird, Paris), and Rainer Ziener (Computer Forensic Consultant at Kroll Ontrack, Stuttgart).

Some of the main themes discussed were as follows:

Whilst the powers of the European Commission and National Authorities are broadly the same, important differences exist.  Helmut and Julie compared notes on the specifics of both the French and German authorities as compared to the Commission’s practices.  For example, Helmut pointed out that whilst the EU Competition authorities are authorized to enter premises to copy relevant information, German competition authorities have the right to physically remove property from the premises (including hard drives, phones and computers) for later analysis at the authorities’ office.  Companies should therefore take local legal advice as to how to respond in each case.

Julie provided a list of essential and practical tips companies should follow in the event of a dawn raid:

  1. Contacting a legal representative is the first thing to do, and the company should request that the investigation is not commenced before an advisor is present.  Mr Dirk van Erps (Head of Forenisc IT Group, Cartel Directorate of DG Comp) who was in attendance at our webinar clarified that the Commission would generally wait up to 20 minutes for a representative to arrive at the raided premises before commencing the investigation, but not longer.
  2. Legal advisers should check the scope of the investigation, in particular for details of the products concerned, the type of behavior and the time period under investigation.
  3. The company must keep track of the information the authorities are taking so they can collect their own copy and the legal teams can start reviewing it and organising their defence as soon as possible once the authorities have left.
  4. Informing the staff of what is going on is of paramount importance.  They should stay calm, not answer questions beyond the scope of the investigation or comment outside the company.  They must not destroy or delete documents and must remember that the company is under a duty to cooperate fully.
  5. It is also was important to keep the business running and Julie suggested the authorities could be asked if it is possible to use equipment needed to continue basic operations.

The panelists also discussed the difficulties that arise when legally privileged information falls into the hands of the authorities and how to handle the restitution of this information.

In terms of the IT aspects of raids, Rainer Ziener of Kroll Ontrack emphasized that different types of data storage media and IT architecture make the job of extracting information quickly quite challenging.  Being prepared ahead of a raid by having a data map and inventory of hardware was strongly recommended.  This ensures both that cooperation with the authorities can take place, but also facilitates the rapid formulation of a legal strategy and defence once the authorities have left.  It could take significantly more time to assist a company after a dawn raid if it does not have a detailed knowledge of the firm’s IT infrastructure.

Julie emphasized that Mock Dawn Raids help reduce the risk of mistakes during an actual raid (which can be extremely costly).  They test the reflexes of the business and help assess the risk of company infringing the law.

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.

Electronic Health Checks for Companies

by James Farnell on May 8, 2013 in Pieces of Interest with No comments
Electronic Health Check

The first in our series of webinars about the use of electronic evidence in Europe started with resounding success last week.  We had over one hundred attendees from 21 countries to listen in to the live panel discussion of Till Kleinhans (Head of Business Integrity at Allianz), Hugues Valette Viallard (partner at Latham & Watkins in Paris and Brussels) and our own electronic evidence consultant Thomas Sely (Kroll Ontrack, Paris).

The discussion focused on the conduct of internal investigations in terms of ‘staying a step ahead of the regulators’ (which was the official title of the webinar) and identifying wrongdoing within a company at an early stage so that remedial steps can be taken.  The role of electronic evidence was discussed in this context in terms of assisting both internal compliance departments and law firms to efficiently and quickly seek out evidence of prohibited activity.

We were particularly pleased to have Till Kleinhans and Hugues Valette Villard contributing to this topic.  Both have extensive experience in their respective fields and were therefore able to bring some valuable insights to this discussion.   An overview of the discussion is set out below, but if you would like to listen to the discussion in full, please use the following link: http://www.youtube.com/watch?v=8wlmS2lTda8&list=UUTuIqMZrl9xCQMqY9IJl0RA&index=1.

Staying a step ahead of the regulators

Till provided some interesting insights on the internal systems Allianz use to monitor a very wide range of issues including internal fraud, corruption, antitrust activity, harassment, security and blackmail, and how such investigations are handled.  For investigations of a serious nature Allianz generally require the external support of lawyers and IT specialists to manage the electronic evidence aspects of the investigation.  Indeed, Till made the point that for ‘up to date’ knowledge in such matters he believed it was necessary to involve outside IT specialist providers.

Hugues who has a very wide range of experience assisting his clients in investigation situations stated that company ‘health-checks’ were on the increase because the tools are now available to take appropriate action (supported by legal advice) on the basis of the evidence that is found.  Hugues emphasized the importance of companies being ready and having a proper system in place to run internal investigations.  The robustness of evidence gathering was mentioned as a key point: any data being used for an investigation has to be correctly imaged in accordance with relevant data protection laws (which vary in each country).  The paramount importance of data being correctly captured, stored and managed emphasizes the need for expert external IT teams.

As the IT landscape continues to evolve, electronic evidence providers need to adapt their processes to be able to extract data from a wider and wider range of electronic devices.  To have the best chance of locating the ‘smoking gun’ early collaboration with IT providers is increasingly necessary.

Don’t miss our next webinar on 14 May which focuses on Dawn Raid Survival.  Practical tips will be discussed and shared amongst our panel of European experts including Dr Thomas Kapp (partner at Luther, Stuttgart), Julie Catala Marty (partner at Bird & Bird, Paris), and Rainer Ziener (Computer Forensic Consultant – Kroll Ontrack, Germany) so do join us again on May 14th!

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.

Dawn Raid? Don’t Panic! – Top 10 Tips

by Tom Alexander on April 16, 2013 in Best Practice & Top Tips with No comments
Dawn Raids

The phrase ‘Dawn Raid’ conjures up images of dramatic drug busts with hordes of law enforcement officers battering down doors and descending on unsuspecting criminals and the mad panic as they try to escape by jumping from a second floor window.

A corporate dawn raid may be a little more composed, however the risks for companies are just as real. The surprise can cause people to behave unpredictably, especially when technology is involved.

The harsh reality of today’s difficult economic conditions means that companies are more at risk than before. They need to be prepared for unannounced visits from agencies such as the OFT, FCA, SFO or the EC.

Authorities will often have the power to question company officials and take away information from paper files, and also electronic evidence stored on personal computers, servers and other digital devices.

Here are my top 10 tips for dealing with a corporate dawn raid from a technology perspective:

Before

1. House in Order
Know where your data is: create a data map. Ensure compliance with a company backup policy and securely destroy old data outside of that policy. Keep individual data access to a minimum. Regulators can fine for poor data access controls so ensure suitable encryption exists. Conduct internal audits to uncover potential breaches. Finally, consider the implications of using personal devices for work purposes.

2. Be Prepared
Attend training on how to handle a dawn raid and conduct a mock dawn-raid to test the effectiveness of compliance procedures. Have you created Dawn Raid procedures and assigned a response team?

During

3. Inform Management, Lawyers & Advisers
Be polite to investigators and, if possible, wait for the lawyers to arrive to check the warrant or search order although depending on the circumstances there may be nothing to stop the investigators proceeding immediately. Enlist the help and advice of a forensic technology consultant to shadow the investigators to ensure that they stick to the scope of the warrant and following proper procedures. Handle communications within the firm to ensure there is compliance with the investigation and that your reputation is protected.

4. Know your IT Administrators
Get your IT people involved early on, to grant access to electronic data and individual custodians. Investigators might require Internet access, LAN access and USB access to install and run their forensic imaging software. Make sure that the tools they are installing are forensically sound and virus free. Passwords may also be required for any encrypted hardware, software, folders or documents.

5. Co-operate
Ensure all members of the company are aware of their legal obligations. Do not turn off computers as investigators might request access to Random Access Memory (containing passwords, clipboard content etc.) which would disappear upon loss of power. Protect any seals (e.g. tamper proof evidence bags, locks on doors) left by the investigators or risk hefty fines. Do not delete data – deleting data can leave a trace and lead to uncomfortable enquiries.

6. Negotiate
Business continuity is important. Is it necessary for whole computers to be seized or for servers to be taken off-line? Highlight individual areas of potential relevance and consider approaches to ensure known privileged documents are not seen by investigators such as sealing disputed documents for review by an independent lawyer.

7. Take Copies
Take copies of everything seized or copied or seen. This may or may not be possible during the course of the execution of the warrant. As a rule, investigators are obliged to provide a list of seized items but not copies. A forensic technology consultant will be able to assist you using forensic software to ensure that source data copied is not altered in any way and that crucial meta data remains intact.

8. Monitor
Have the investigators taken adequate steps to secure data to ensure data protection and data integrity? Are they taking documents outside the scope of the investigation or documents with privileged information? Are they using suitable software, tamper proof evidence bags and maintaining chain of custody? Are they creating an inventory of recoveries, clearly labelling data and avoiding cross-contamination? One of the most important things during the course of a raid is to take copious notes of what they are searching for and on which machines. This will allow a forensic expert to reconstruct what has been searched or copied.

After

9. Stay Ahead
Consider a further internal audit, in order to preserve more data than the regulator, which might strengthen your case.

10. Review
Use a legal technology provider to setup an Early Case Assessment database of all the documents seized by the regulator plus any further documents identified. Filter and prioritise documents for review using the latest technology to quickly assess the company’s exposure and asses it’s legal strategy for responding. In the race for leniency technology can help you work out what happened fast.

Final Thought

Dawn raids can have a significant impact on business, with the possibility of severe penalties and reputational damage associated with corporate wrongdoing. In addition to companies preparing themselves for a raid, the most prudent approach is to carry out routine internal audits to uncover problems ahead of a knock on the door from the authorities.

About Tom Alexander