All posts tagged Internal Investigations

Technology, big data and the regulatory arms race

In 2010, the then Office of Fair Trading (OFT) launched an investigation into a suspected price-fixing cartel between aviation giants, British Airways and Virgin Atlantic. The airlines were alleged to have conspired to fix fuel surcharge prices. However, the case collapsed following the discovery of 70,000 emails that had not been disclosed to the prosecution until the last minute due to a technical error.

The collapse of the case caused the OFT to be universally criticised, with commentators describing the investigation as a “fiasco” and the OFT exhibiting “incompetence on a monumental scale”.

Fast-forward four years and both the OFT and the Competition Commission (CC) have been dissolved and replaced by the Competition and Markets Authority. Thanks to the technological failings seen in cases such as the Virgin-British Airways price-fixing case, the two authorities may have created the impression that competition authorities lack technological prowess when it comes to investigations. Yet corporations hoping that this new authority will follow in the footsteps of its predecessors in the handling of electronic evidence should take heed; the CMA has a completely different approach .

How does the CMA differ from its predecessors?

More funding

The Treasury has granted funds which have allowed the CMA to invest further in the capacity it needs to increase the number of cartel cases it can pursue and the speed with which it can do so.

Increased quality and quantity of staff

According to Stephen Blake, Senior Director of the Cartels and Criminal Group at the CMA, the CMA has doubled the size of its Cartels and Criminal Group. In addition to doubling the size of that team, the CMA has also focused on building a team with the ability to work proactively and follow an intelligence-led investigation strategy. With this in mind, the CMA have hired a coterie of senior investigators and experienced intelligence officers.

Sophisticated technology

According to an experienced competition expert in London, “Enforcement authorities have learnt a lot over the past few years. They will have seen a change in the volume of documentation that needs to be collated and reviewed and this will have driven the change in approach which is now becoming apparent in their approach to information requests and general case management. The CMA has had the benefit of the hard lessons learned by the OFT, and will be far more engaged on this topic and cautious in planning how to manage an investigation, not just in terms of adhering to best practice but also in managing an investigation to criminal standards.”

To avoid repeating incident such as the Virgin-British Airways data mishandling, the CMA has adopted the same ediscovery and investigatory tools used by law firms and corporations undergoing scrutiny. In a dawn raid scenario, this means they are now able to process very large volumes of data quickly, scan entire corporate IT landscapes and drill down and forensically examine or analyse specific trails of evidence, in detail.

More collaboration

As part of the CMA’s commitment to implementing intelligence-led detection and enforcement strategies, leadership at the CMA has promised to foster closer partnerships with the police and other criminal enforcement agencies.

What will these changes mean for corporate compliance officers and in-house counsel?

The CMA has more funding, highly-trained and motivated staff and is actively pursuing investigations, as well as addressing the cases inherited from the OFT and CC. With the technological gap between authorities, law firms and companies now closed, the best way for corporations to prepare is to take a proactive approach to compliance. This can take the form of conducting regular internal investigations, streamlining and understanding data estates and for the ultimate in preparedness, arranging a mock dawn raid.

About Tracey Stretton

Tracey Stretton is a legal Consultant at Kroll Ontrack in the UK. Her role is to advise lawyers and their clients on the use of technology in legal practice. Her experience in legal technologies has evolved from exposure to its use as a lawyer and consultant on a large number of cases in a variety of international jurisdictions.

Agent 001 – What really happens during a “mock” dawn raid

Dawn raids matrix

Have you ever wondered what really happens during a mock dawn raid? I have had the opportunity to assist my forensic colleagues from Kroll Ontrack on several mock dawn raids in Europe so I will share with you what is actually going on behind the glamour and the mystery…

At dawn my four colleagues, who are forensic experts, and myself, are waiting incognito in a taxi a few hundred metres away from the premises that we are about to raid in an industrial and somewhat unfriendly location. No one apart from the CEO and Compliance Team of the company are aware of our presence and upcoming actions. My cell phone rings and we obtain the “go ahead” to enter the premises. Accompanied by external lawyers, we all enter the premises through a back door and register at a “pseudo reception” to obtain visitor passes. Then we are shown to a conference room which is where we will set up our IT and forensic equipment.

One of my IT colleagues lets out a deep sigh of despair after he realizes that we only have a single low speed network cable at our disposal and two power plugs to connect around 15 external hard drives and laptops from employees that are yet to come, but don’t panic, we brought several extension cables with us in case this should happen.

However, the single low speed network cable means that we will not be able to copy the server data from the conference room itself since that would take much too long; we have to be granted access to the central server room to connect directly to the server and copy server data rapidly. But we do not know where the server is located…is it onsite or somewhere else entirely?

We have to urgently speak to the local IT Manager, to find out where exactly the server is located. We are informed it is 25 km away from the current premises, and apparently it is up in the mountains so “it will take a while” to get there. I decide to go together with a forensic colleague to the offsite server location; we arrive there in 45 minutes after a hasty ride, to a very small and chilly room with a few server racks and many LED lights flashing intermittently. We start copying the data from the server but suddenly the server shuts down since it has detected an intrusion/hacker attack in an “Armageddon” atmosphere. Luckily, we manage to bypass the security breach in about half an hour and copy the relevant data in a couple of hours more.

In the meantime, my other forensic colleagues at the company premises have finally managed to obtain the necessary administrative rights and access from the local IT Manager. These codes will enable our forensic experts to start taking live images of the laptops from the company employees who have been selected as priority custodians (because of their role and position they are considered to be more likely to commit infringements or be exposed to competitors).

It is a race against the clock…as employees come into our conference room in groups of two by two we take their laptops, ask the employees to enter their passwords, sign our chain of custody form and we then run our forensic software to start the live image copying process of the laptop…all of this in just under 5 minutes per employee.

If everything goes according to plan we manage to copy data from 15 laptops in just less than 5 hours. The server data located up in the mountains has also been copied in about 5 hours. Finally my forensic colleagues run a program, which looks very impressive with plenty of zeros and ones, to check the integrity of the data and to ensure that all necessary data has been copied with nothing lost on the way. All the data has been copied successfully: mission accomplished!

These exercises can be used by corporations to test their incident response plans as part of a proactive approach to compliance, as part of an internal audit to make sure that no wrongdoing is taking place, or just to familiarize the staff with the process of a dawn raid so that nobody panics in the event of a real one. Whatever the reason for them, we try to make it as realistic a process as possible to provide the best training.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

Only write the novel when you can solve the crime

A forensic mystery at Churchill War Rooms

When I first started as a Trainee Computer Forensic Analyst the sage advice I received from my manager was (as best as I can remember) “There are two types of people in this business: those that sit around figuring out how to commit a crime and the others that actually do it”.

When Tracey Stretton first suggested that my ‘creative’ imagination ought to be used for a “CF Murder Mystery” event I reeled.  Where do you start? How can I make it believable? What details are necessary for a mystery story?

By far the quote I found most helpful was from Andrew Hixson, of the James Bond short stories.

“I only write the novel when I can solve the crime”.

After the initial shock had worn off I quickly realised that I had been given a free ticket.  Without any billable time pressures I could finally, once and for all, take the time to work out from start to finish all aspects of a full ‘crime’.

The core of the plot came about in our first brainstorming session.  The event was to be limited both in time and, as alcohol was likely to be involved, complexity.  We needed a goldilocks computer security incident which was ‘just right’.

The simplest story is often the most believable, so it’s no surprise that we went with good old fashioned larceny.  After all, barring the consequences, we all can think of a way to steal data.

Between myself, Julian Sheppard and Tony Dearsley we collectively had enough stories about thieves and experience with thefts to provide a whole mini-series, not just one evening.

One of the more entertaining ideas we came up with was the discovery of a USB key found in the Channel Tunnel, equally laid on a rail across the Anglo-Franco border (The Discovery).  Unfortunately Sky Atlantic beat us to it and unveiled The Tunnel.  I still maintain that they took my idea and filmed an entire series in two weeks, just to throw me off!

Writing up the suspects and their backstory caused the most concern.  Each time I mentioned the name of an obscure fictional British or American spy there would be worried looks between colleagues.  “Is he day dreaming again?”, “What has this got to do with The War Rooms?”, “Why aren’t you on billable work?” was often asked.

Working out the details was easy once we had realistic characters.  Ultimately, for each of our suspects we laid out their motives and opportunities so as to leave a trail of clues to be picked out by our guests.  The plot becomes something far more interesting when we cheat and use the imagination of others to fill in the gaps.

In the words of Tolkien “Good stories deserve embellishment”, so it was decided that in order to describe a unique story we would need a unique visual guide.  This was Dial D for Data Theft, not Death by Powerpoint!

With judicious use of motion sickness inducing Prezi we were able to develop an interesting, if quirky, set of ‘slides’.

And then suddenly it was time for us to set out to the Cabinet War Rooms!

What a night it was! A perfect combination of story, location and audience.  Indeed the audience participation was, as I expected, the most inventive part of the presentation.

When asked why they thought a particular culprit was guilty, some of the answers were not exactly scientific:

Shifty Eyes”
“He owns a Porsche.”
“She reminds me of my ex-wife”

However, my favourite quote of the night goes to the guest who wrote on his guessing card:

“It was Felix [because] his shirt is far too tight and he’s a liar!  There’s no way he’s 6’10”! 5’11” at MOST“.

Then, with a bottle of something nice to the winning entry from our audience (none of the above were winners, sadly) we wrapped up the evening with an exciting dénouement and final farewell.

Data War: Annual French general counsels’ meeting

Data War

Last Friday, Kroll Ontrack sponsored the Annual General Counsel meeting hosted by the Development Institute International in Paris. I was asked to give a 15 minute talk about data control in e-discovery, dawn raids and internal investigation. I have to say that I had no idea what level of interest the forty-something general counsel and the few external lawyers in the room would show in this topic.

As everyone knows, civil law practitioners – particularly those in France – don’t traditionally pay too much attention to ediscovery and legal technologies coming from common law countries.  To illustrate this, one of the speakers who opened the session – a special legal advisor to the French Minister for  Industry Arnaud Montebourg – explained how France and Europe completely lost the technological shift in the 2000’s by letting  US giants (such as Google and Yahoo, e) take control of European citizens’ data and earn profit from that. As a consequence, the French government is now thinking about solutions to help Europeans regain better control of their personal data and its €315 billion value, according to a research conducted by the Boston Consulting Group in 2011.

Handling electronic data is also crucial in legal and regulatory matters. This is what my talk focused on.  Taking the right steps to ensure data is handled properly is a real challenge for French and European organizations dealing with a US discovery requests or a regulatory investigation. The European data protection directive, local data protection and labour laws and blocking statutes form a complex legal framework in situations where companies and lawyers need to collect, process, review and produce data. Alongside legal measures which have to be taken, there are technological tools and techniques that can be leveraged at each stage in a project to ensure data is kept safe and laws are complied with..

Finally, I was pleasantly surprised to see good feedback and some interesting questions from the audience. Hearing from French general counsel who have experience in ediscovery was very interesting and made me become more aware of their challenges: a French company which is not often involved ia US litigation can’t control the discovery process and usually only rely on its US law firm to take the right decisions.  Does this foreign law firm really understand the local challenges and does it have a local team with some ediscovery experience? Anyway, French companies are definitely looking for more local support to be help them take control of their data and of the whole discovery process. This will primarily mean having their data managed at a local level first instead of sending y all the documents requested directly to their US lawyers. A global ediscovery vendor with local teams and local processing facilities can therefore be seen as an indispensable partner to achieve that.

About Thomas Sely

Thomas advises French clients on the management of electronic evidence and the use of legal technology in forensics investigations, compliance audits, French & EU competition regulatory investigations and dispute resolution. He is regularly consulted on the practicalities surrounding the collection, management, processing, review and production of electronic evidence, particularly where issues of French data privacy and data protection are concerned. His clients include lawyers in IP, competition, employment and litigation practices, as well as inhouse counsel, HR, and compliance and security officers in corporations.

Dawn Raids this week: be prepared

The London offices of BP and Shell were raided on Tuesday by the European Commission.  Statoil ASA in Norway also confirmed that they had been raided and were under investigation.  At the same time, our own panel of legal and technical experts was gathering to discuss the second in our series of webinars concerning electronic evidence in Europe entitled ‘Dawn Raid Survival’.  The topic and timing for this discussion could not, indeed, have been more appropriate…   If you did miss this session, there is a summary below or if you would like to listen to the webinar again in full, please see below:

Next webinar: Given the success of our last two sessions, I urge you to join us for our third webinar in this series on the 28 May at 14:00 CET: “Electronic Discovery: A Foreign Concept in Europe?”. To register please follow this link http://www.krollontrack.co.uk/webinars/electronic-discovery-a-foreign-concept-in-continental-europe/

We will be joined by Claire Bernier (partner at Altana, Paris), Santiago Gomez Sancha (Director of Information Services, Uria Menendez, Madrid), and Tina Shah (Electronic Evidence Consultant, Kroll Ontrack, London).

Dawn raid survival

In Tuesday’s raids the Commission had concerns the companies involved may have colluded in reporting distorted prices to a Price Reporting Agency in order to manipulate the published prices for oil and bio-fuel products.  For any suspected activity which negatively impacts on competition within the European marketplace, both the Commission and National regulatory authorities have power to intervene directly and ‘raid’ companies for evidence the activity.

How raided companies should respond in such volatile and high-stress situations, and what practical steps they should take was discussed by our panel which included: Dr Helmut Janssen (partner at Luther in Brussels and Dusseldorf), Julie Catala Marty (partner at Bird & Bird, Paris), and Rainer Ziener (Computer Forensic Consultant at Kroll Ontrack, Stuttgart).

Some of the main themes discussed were as follows:

Whilst the powers of the European Commission and National Authorities are broadly the same, important differences exist.  Helmut and Julie compared notes on the specifics of both the French and German authorities as compared to the Commission’s practices.  For example, Helmut pointed out that whilst the EU Competition authorities are authorized to enter premises to copy relevant information, German competition authorities have the right to physically remove property from the premises (including hard drives, phones and computers) for later analysis at the authorities’ office.  Companies should therefore take local legal advice as to how to respond in each case.

Julie provided a list of essential and practical tips companies should follow in the event of a dawn raid:

  1. Contacting a legal representative is the first thing to do, and the company should request that the investigation is not commenced before an advisor is present.  Mr Dirk van Erps (Head of Forenisc IT Group, Cartel Directorate of DG Comp) who was in attendance at our webinar clarified that the Commission would generally wait up to 20 minutes for a representative to arrive at the raided premises before commencing the investigation, but not longer.
  2. Legal advisers should check the scope of the investigation, in particular for details of the products concerned, the type of behavior and the time period under investigation.
  3. The company must keep track of the information the authorities are taking so they can collect their own copy and the legal teams can start reviewing it and organising their defence as soon as possible once the authorities have left.
  4. Informing the staff of what is going on is of paramount importance.  They should stay calm, not answer questions beyond the scope of the investigation or comment outside the company.  They must not destroy or delete documents and must remember that the company is under a duty to cooperate fully.
  5. It is also was important to keep the business running and Julie suggested the authorities could be asked if it is possible to use equipment needed to continue basic operations.

The panelists also discussed the difficulties that arise when legally privileged information falls into the hands of the authorities and how to handle the restitution of this information.

In terms of the IT aspects of raids, Rainer Ziener of Kroll Ontrack emphasized that different types of data storage media and IT architecture make the job of extracting information quickly quite challenging.  Being prepared ahead of a raid by having a data map and inventory of hardware was strongly recommended.  This ensures both that cooperation with the authorities can take place, but also facilitates the rapid formulation of a legal strategy and defence once the authorities have left.  It could take significantly more time to assist a company after a dawn raid if it does not have a detailed knowledge of the firm’s IT infrastructure.

Julie emphasized that Mock Dawn Raids help reduce the risk of mistakes during an actual raid (which can be extremely costly).  They test the reflexes of the business and help assess the risk of company infringing the law.

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.

Electronic Health Checks for Companies

Electronic Health Check

The first in our series of webinars about the use of electronic evidence in Europe started with resounding success last week.  We had over one hundred attendees from 21 countries to listen in to the live panel discussion of Till Kleinhans (Head of Business Integrity at Allianz), Hugues Valette Viallard (partner at Latham & Watkins in Paris and Brussels) and our own electronic evidence consultant Thomas Sely (Kroll Ontrack, Paris).

The discussion focused on the conduct of internal investigations in terms of ‘staying a step ahead of the regulators’ (which was the official title of the webinar) and identifying wrongdoing within a company at an early stage so that remedial steps can be taken.  The role of electronic evidence was discussed in this context in terms of assisting both internal compliance departments and law firms to efficiently and quickly seek out evidence of prohibited activity.

We were particularly pleased to have Till Kleinhans and Hugues Valette Villard contributing to this topic.  Both have extensive experience in their respective fields and were therefore able to bring some valuable insights to this discussion.   An overview of the discussion is set out below, but if you would like to listen to the discussion in full, please use the following link: http://www.youtube.com/watch?v=8wlmS2lTda8&list=UUTuIqMZrl9xCQMqY9IJl0RA&index=1.

Staying a step ahead of the regulators

Till provided some interesting insights on the internal systems Allianz use to monitor a very wide range of issues including internal fraud, corruption, antitrust activity, harassment, security and blackmail, and how such investigations are handled.  For investigations of a serious nature Allianz generally require the external support of lawyers and IT specialists to manage the electronic evidence aspects of the investigation.  Indeed, Till made the point that for ‘up to date’ knowledge in such matters he believed it was necessary to involve outside IT specialist providers.

Hugues who has a very wide range of experience assisting his clients in investigation situations stated that company ‘health-checks’ were on the increase because the tools are now available to take appropriate action (supported by legal advice) on the basis of the evidence that is found.  Hugues emphasized the importance of companies being ready and having a proper system in place to run internal investigations.  The robustness of evidence gathering was mentioned as a key point: any data being used for an investigation has to be correctly imaged in accordance with relevant data protection laws (which vary in each country).  The paramount importance of data being correctly captured, stored and managed emphasizes the need for expert external IT teams.

As the IT landscape continues to evolve, electronic evidence providers need to adapt their processes to be able to extract data from a wider and wider range of electronic devices.  To have the best chance of locating the ‘smoking gun’ early collaboration with IT providers is increasingly necessary.

Don’t miss our next webinar on 14 May which focuses on Dawn Raid Survival.  Practical tips will be discussed and shared amongst our panel of European experts including Dr Thomas Kapp (partner at Luther, Stuttgart), Julie Catala Marty (partner at Bird & Bird, Paris), and Rainer Ziener (Computer Forensic Consultant – Kroll Ontrack, Germany) so do join us again on May 14th!

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.