Information Governance: Preserving Data and Being Prepared for Investigation

Information Governance: Preserving Data and Being Prepared for Investigation

  • Blog Post
  • Posted on 3 March 2020

By Erick Gunawan, Global Head of Forensics

Organisations need to ensure there is someone enforcing their rules around information governance. A lot of organisations in the US have an information governance officer either in their IT, legal or risk team making sure the procedures are promoted to staff. In Australia, we have seen more hybrid roles where IT managers and record managers take on parts of the governance work.

Increasingly, corporates in Australia are ensuring their data is compliant with the local law and that critical data is preserved.

Identifying the Data

Essentially, organisations need to know where all the data is before they attempt to capture it. In the event of a litigation and investigation, the relevant data sources need to be identified.

For example, in the case of an IP infringement and possibly the loss of communication data, HR data is probably not going to be relevant. The necessary data would probably include emails and Skype chat data. There would probably be one target custodian and therefore, it would be possible to filter the investigation down to that person, so it would not be necessary to look at every staff members’ emails and Skype messages.

Collecting the Data

It’s important to have a plan in place to collect data in the most effective manner from workflow and time perspective, particularly taking into account the multiple platforms that now must be factored in, eg. social media, IOS, android, etc.

Defensibility is also essential to ensure that the evidence is admissible in court. Think about a murder case. If evidence had to be collected, it would be necessary to use gloves so the evidence wasn’t contaminated. In the same way, data needs to be collected ensuring its integrity remains intact and not altered in anyway.

It should be considered whether it is best to do the collection internally or whether to hire a third party forensics expert. Sometimes organisations underestimate the relationship between the IT department and the custodian. If they’re good friends, they may speak to each other and jeopardise the investigation, so factors such as these must be taken into consideration when making a decision.

Processing the Data

Once the data is collected, it needs to be processed before it can be reviewed. All the different data types can be difficult to review on the different platforms, eg. emails on Outlook, chat on Skype, sales data on SalesForce, etc.

Processing extracts all the text and metadata, and puts everything into one single review platform where multiple reviewers can review the data and all work product is preserved.

The Role of Analysis

The next step is to add some analysis into the review to make it more efficient and faster.

One tool is email threading which allows reviewers to only look at the last email in a chain. This means it is no longer necessary to review every single email because the most inclusive email will probably contain all the content from previous emails in the chain.

Artificial Intelligence can also be leveraged to learn the reviewing patterns of the reviewer so other material amongst the data that is relevant is prioritised according to the way the reviewer is reviewing.

Deletion analysis can let a reviewer know when emails are missing and then computer forensics can be used to potentially recover the lost emails and process them ready for review.

It is possible to do high level analysis as well, prior to review. This gives the reviewers a sense of the type of data they are working with. For example, how are two suspects communicating with each other? How often and what times are they communicating? Are there other people that need to be taken into consideration? This creates an overview of the conversation.

Email deletion analysis can also produce some information. For example, if there is a drop in the number of emails, it can argued that it is because of a holiday or maybe there was an issue with the email system or perhaps people are deleting documents to cover tracks. Then when it is time to do the actual document review, an in-depth analysis can be done using duplicate analysis, keyword searching, conceptual searching, etc.

Once analysis is completed and the relevant data has been found, the pertinent documents for court have ultimately been produced.

Another highly significant benefit, having produced those documents for court, the organisation has been through an information governance learning process about how to preserve data and prepare itself for future investigation. This may change the way an organisation looks at their protocols and how they retain documents and data.


Share this post