[Webcast Transcript] Discovering Data Quickly in High-Stakes White-Collar Investigations

Editor’s Note: White-collar investigations can send shockwaves through an organization, demanding swift, strategic, and legally sound responses. In a recent HaystackID® webcast, experts broke down the complexities of high-stakes investigations. From handling cross-border legal challenges to leveraging AI-driven forensics, their discussion focused on why an independent, well-structured approach is essential. With corporate reputation and regulatory compliance on the line, companies must balance urgency with precision. Ensuring credibility, verifying data authenticity, and mitigating cybersecurity risks are all critical steps in managing potential crises. Read the transcript to learn how your organization can deploy a proactive approach to handle these high-stakes investigations.

Host

+ Bryan Bellack
Executive Vice President, HaystackID

Expert Panelists

+ Anna Domyancic
Deputy Chief Legal Officer, US, Scotiabank

+ Benjamin Klein
Counsel, Litigation Department; Deputy Chair, Anti-Corruption & FCPA Group, Paul, Weiss, Rifkind Wharton & Garrison LLP

+ Christopher Wall [Moderator]
DPO and Special Counsel for Global Privacy and Forensics, HaystackID

+ John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID

[Webcast Transcript] Discovering Data Quickly in High-Stakes White-Collar Investigations

By HaystackID Staff

Imagine this: A shipping clerk in Brazil hits send on an explosive company-wide email alleging fraud at the highest levels of management. Within moments, legal, compliance, and executive teams scramble to assess the situation. Is the claim legitimate? Is the email even real? The stakes are immense—corporate reputation, regulatory scrutiny, and potential legal action hang in the balance. Every decision in the next few hours could shape the company’s future.

This hypothetical scenario was explored during a recent HaystackID webcast, “Discovering Data Quickly in High-Stakes White-Collar Investigations.” Expert panelists broke down what it takes to handle an international white-collar investigation, from the initial crisis response to the intricate details of cross-border legal compliance. The first step? Ensuring an independent and credible investigation. The usual crisis response teams may have conflicts of interest when senior executives are implicated. The panelists emphasized that companies must consider forming an independent committee, engaging external counsel, and leveraging forensic specialists to maintain integrity. The investigation must be airtight—companies should document every decision and carefully handle every piece of evidence, especially when maneuvering regulations like Brazil’s notary requirements or Germany’s worker council policies.

Beyond legal and regulatory hurdles, there is the cybersecurity aspect—was the email even authentic? During the informative program, the panelists stressed that verifying its origins is just as crucial as investigating the allegations. If an employee denies sending it, forensic teams must track access logs, audit trails, and authentication records to determine if the account was compromised. Meanwhile, AI-driven analytics and advanced forensic tools can streamline data review, uncover hidden connections, and expose bad actors. Investigations like these require more than a reactive approach; they demand a well-orchestrated strategy combining legal expertise, cybersecurity diligence, and precise communication. In high-stakes corporate investigations, one misstep can mean the difference between swift resolution and a full-blown crisis.

Watch the recording and read the transcript below to learn more about strategies for handling these types of investigations. 

Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.

Bryan Bellack

Hi, everyone, and welcome to another HaystackID webcast. I’m Bryan Bellack, EVP of Business Development for HaystackID. I’m also your host for today’s presentation and discussion, “Discovering Data Quickly in High-Stakes White-Collar Investigations.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We are recording today’s webcast for future on-demand viewing, and we’ll make the recording and a complete presentation transcript available on the HaystackID website. Now, today, we will take you behind the scenes with our panelists as they are confronted with a puzzle. A security incident has occurred at a major multinational organization and has raised fears of a data breach and potential fraud at the company. Our panelists will walk us through their process as they respond with insights into strategy, data collection, regulatory requirements, and new techniques for using analytics and AI to get through data quickly. With that, allow me to introduce our esteemed panelists so we can get started. This webcast’s expert moderator is Chris Wall. Chris serves as HaystackID’s Data Protection Officer and Special Counsel for Global Privacy and Forensics. In his role as Special Counsel, Chris helps clients navigate the cross-border privacy and data protection landscape, advising clients on privacy, security, and data protection issues associated with cyber investigations, data analytics, and discovery. Next, we have Anna Domyancic, the Deputy Chief Legal Officer for Scotiabank, where she oversees litigation, internal and regulatory investigations and employment matters, as well as cyber commercial contracts and legal operations. Prior to joining Scotiabank, Anna was a member of Debevoise & Plimpton’s white-collar litigation group, where she worked on internal investigations and enforcement matters brought by DOJ, SEC, FTC, state attorneys general, and other regulators. Benjamin Klein is Counsel in the Litigation Department and the Deputy Chair of the Anti-Corruption and FCPA group at Paul, Weiss, Rifkind, Wharton & Garrison. He regularly represents clients in complex commercial, regulatory, and white-collar criminal matters, including high-stakes investigations by the US Department of Justice, the SEC, and other enforcement agencies, both foreign and domestic. He’s also a member of the white-collar and regulatory defense and internal investigations groups. Last but not least, we have John Wilson, HaystackID’s CISO and President of Forensics. John is a highly motivated leader with over 20 years of experience in the information security and risk management field. John serves as an expert witness in major litigation and regulatory settings, providing expertise on matters relating to digital forensics and eDiscovery. He has conducted dozens of investigations on behalf of law firms, companies, and government agencies such as the FDIC, Senate oversight committees, the SEC, and DOJ. So now, I will turn things over to our moderator, Chris Wall, to get us started.

Christopher Wall

Hey. Thanks, Bryan. And as Bryan said, my name is Chris Wall. I’m DP, In-House Counsel, and Chair of HaystackID’s Privacy Advisory Practice. My day job is guiding clients through cross-border issues associated with cyber investigations, data analytics, and discovery. But more immediately, my job today is to help guide us through this discussion with four fantastic panelists to talk about minimizing the risk associated with cross-border investigations and cross-border white-collar enforcement. So, as Bryan mentioned, our goal in spending this next hour is to arm you with actionable information and to share relevant experience from these panelists to help you in your own practice, whether you’re in-house or outside counsel or if you’re providing third-party assistance as part of a white-collar investigation and litigation team. So before we begin, I’m going to add what has now become really a standard disclosure by saying that our panelists today are speaking on their own behalf. Their comments or any views that they express may or may not reflect the views or the positions of their respective employers or the organizations that they work for. And as we get started, and as a housekeeping matter, I want to mention a few things. First, this webinar is for you. It’s to help you make the best use of the hour and to spend with us. And so we want your input. We’re a big crowd; it looks like we’re about 200 registrants, but we want to make this next hour or so as practically beneficial as possible. So we’ll watch the chat box, and if you have a question, please drop it into the chat feature, and we’ll try to address the questions as we go. And so with that, let’s jump in, starting with the hypothetical. As Bryan mentioned, our discussion today starts with this scenario, a scenario ripped from the pages of a law school exam with got-yous, wrinkles, and all kinds of considerations that I think if they were, in fact, all rolled up into one real case, it’d bring all hands on deck and probably a lot of legal, technical, and executive resources to bear. And in this hypothetical, which is actually drawn from real-life investigations just all mixed together, we have an international company with a shipping clerk in Brazil who has apparently blasted an email worldwide. That email purports to blow the whistle on alleged fraud at the highest levels of management in offices worldwide. So we take a deep breath and ask ourselves, “Where do we start? Who is we? Where do we start?” I mean, we all got the email. Maybe we start with the who. Who do we get involved with? And I’ll start with you, Anna, and then we’ll go around, where do we want to start with this?

Anna Domyancic

Sure. This one raises a lot of questions and immediate concerns, and we’d be looking at initially engaging our internal crisis management group, whatever that may be. This might include your legal comms, cyber, and compliance. Obviously, your senior management and those decision-makers need to start to get your arms around what this is, whether it is real, and then what you do about it in terms of the various investigation channels and work streams.

Christopher Wall

Ben, is there any color you want to add here? Anna’s launched us in the right direction, reaching out to the right people and executive management. Is there any other color you want to add here?

Benjamin Klein

Yeah. And, I mean, this may be self-serving, but I think you start to think about whether, as a company, you want to start talking to outside counsel. I think there are a couple of things to note here. For instance, according to the sub-bullets, senior management may be involved here, and there may be audit issues with financial statement manipulation. That means, first, there’s a potential risk that auditors have been deceived. If it’s a public company, that financial statement needs to be restated or revised, and there might be fiduciary and other corporate governance obligations to report something to your auditor. You should know that when you do that as a company, you’re going to lose a little bit of control over the investigation. It’s often good to have an outside counsel come in and help lend an ear of credibility and independence to the review. Secondly, when senior management is involved, it becomes a question of who you trust. Who do you bring under the tent when it comes to reviewing these types of allegations? And so, again, outside counsel can help navigate that and help set you up for success.

Christopher Wall

So, Ben, if the President, CEO, or senior executive team is implicated in these allegations, what do you do then?

Benjamin Klein

The investigation takes its normal course in bringing together the appropriate stakeholders. And if senior management is involved, the first thing I’m probably doing is thinking about data preservation and data holds. If it’s a senior executive at the company or the President or CEO, then there might be some notification given to that person. If it’s somebody at a lower level, I don’t know if I would immediately jump to notifying that person of the allegation. Still, it also depends on how much credibility you want to lend from the start. Here, we have a situation where a shipping clerk is making some pretty aggressive allegations, and you start to wonder how this person even has knowledge and information about this. There are questions about how much you can trust it. And I think maybe this is getting ahead of ourselves, but I’d probably bifurcate this investigation into two parts. One is trying to figure out if this was, in fact, an email that was sent by the person who allegedly sent it, and if not if it was somebody from the inside or possibly somebody from the outside. The other is going to the substance of the allegations regardless of who we determine or try to determine who sent the email in the first place.

Anna Domyancic

Oh, sure. If I could just add there, too, when we’re thinking about the allegations around senior management, we should also be looking at whether we need to inform one of the boards or several boards, depending on how this organization is structured. Then, should it be an independent committee of that board that’s really starting to engage external counsel and run that investigation to allow for further separation in terms of independence?

Benjamin Klein

I was just going to say that I meant to say that as well. I do think that this is something that’s probably going to rise to the board level, and because of the senior management issue, it’s likely going to be a board-led investigation with the support of outside counsel.

Christopher Wall

Yeah, it was led primarily by a general counsel and the general counsel’s office. And so let me turn to John. John, you’re CISO, and you’re looking at this, and you heard Ben and Anna mention, “Hey, there’s some question about the legitimacy here.” And I know that you’ve been brought in by audit committees on boards of directors and by the general counsel’s office of multiple firms. But where do you start? What are the questions you begin to ask in this early phase?

John Wilson

Yeah. So I think they’re right that you have to start that crisis management and that incident response internally. And then you have to start, first, on how we can get to a quick action of, “Hey, let’s validate. Did this email come from the individual in the organization, or was it an external threat that caused it?” Look at the possibilities around that because you have to figure out the legitimacy first. Is this the individual who actually sent it, or is this someone else who sent it using this person’s account? And often, we have clients that, “Oh, yeah, well, if we don’t think it was the shipping clerk that sent it, it’s an external threat,” but it’s not always; you have to look at internal threats. It could be somebody else, a manager of that person, who got into that account. It can still be an internal threat, so you still have to validate everything around that investigation. You really have to start with the questioning and the foundation of, “What can I validate about this? The statements that were made. Was this sent from an individual inside the company? Did we have an external threat that got into the system and compromised this individual and sent it, or was it another employee or another internal threat that did it?” And lastly, I think the big thing is sometimes you do have to get involved with the board, and you’ve got to start thinking, “Do I need to have a third party doing this investigation and not just the internal investigation?” You do have to start with some of that validation. You have to, again, raise your crisis management incident response process within the organization to figure out what might be at play. But many times, our recommendation is, “Hey, you need to engage a third party right away also, as soon as you have the foundation to believe that this is-

Christopher Wall

Just for the sake of independence, right?

John Wilson

Right. Just for the sake of independence. Because, again, if it is a high level like this, it says that it involves the high-level management and executives in the organization who are usually the people that are sitting on the crisis management and the incident response thing, so you do have to get that board involvement, get that third party involvement so that you have that independent assessment as well to validate those findings.

Christopher Wall

So, Anna, I’m going to ask you one more area. In this investigation. Do you see human resources brought in if there is no other reason to protect that whistleblower or if he is a whistleblower?

Anna Domyancic

Yes. From our fact pattern, HR also got the email in the blast. But yes, you would still want to treat that individual as a whistleblower and, therefore, afford them all those sorts of protections that they should be afforded. You would also want to ensure everyone is aware of that and what’s happening.

Christopher Wall

So, I think we discussed the really broad initial steps. The investigation team needs to consider that early defense strategy; you must get that team together. Ben and John, you mainly talked about preserving and analyzing what evidence you’ve got and then doing the actual investigation. So, how do we develop that defensible strategy for conducting that investigation without knowing what direction the investigation might go? We could talk about each of those steps we have on the screen in a little more detail, and we could do it by role within the organization. So, if we start with the GC, let’s discuss how developing that strategy would work. And so, Anna, I’m going to stick with you here for a second.

Anna Domyancic

Yeah.

Christopher Wall

Is that strategy development done in a vacuum? Do you have a playbook? How exactly should the general counsel’s office arrive at that defensible strategy?

Anna Domyancic

I’ve seen it internally, as well as working with a lot of other clients. A lot of that is to the extent you have a playbook; you need it to be flexible and able to fit the different circumstances, especially with something complicated. So you are looking at those basic steps in terms of making sure you have the right team in place like we were talking about, making sure you’re starting to think about the issues that might arise and the information that you’re looking at preserving, who are your key contacts and key groups that you need to get probably potentially on the ground to start talking to here.

Christopher Wall

And presumably, very early on, you’ve reached out to your trusted outside counsel, right? Hopefully, early on.

Anna Domyancic

Yes. Yes, yes, yes.

Christopher Wall

And so I’m going to turn to Ben. I mean, that’s your area here, Ben. The role of outside counsel, I imagine, especially in a case like this, that you’d want some independence yourselves and provide that objective viewpoint. Do you want to talk to me about what that role here as outside counsel looks like in terms of leading the investigation or coordinating with in-house counsel or others on how to develop and execute that strategy?

Benjamin Klein

Sure. So I think let’s assume that Anna and the team have assembled the relevant internal stakeholders, they brought in outside counsel, and you’re at that ground zero level. I suggest coordinating with them, gathering the information already obtained, and trying to do an initial assessment. What would be particularly important from the start is trying to engage with this whistleblower and see if we can reach out and get more information. See, for instance, if this person who claims to have evidence, in fact does have evidence, if-

Christopher Wall

And that’s done through an interview?

Benjamin Klein

So I think there are different ways that you could handle it. It just depends on whether the company wants to have a gentle touch or wants to have outside counsel handle it; I could see a situation where you have inside counsel that’s the one who responds to the email without bringing in a full force of other people, including outside counsel, to make it a more approachable environment and offers the opportunity to set up a phone call or something of that nature, see what engagement you can get, see what evidence and information, because right now, you have some pretty serious allegations. Before outside counsel starts to put together a plan, try to figure out, for instance, who the executives at issue are, the fraud scheme, and so forth. You really have to get a better sense of the landscape there. Suppose we just assume for a minute that we reach out. In that case, we get more information; there’s some plausibility to this, and it isn’t a total fiction or scam with some third party impersonating somebody. You start to think, “Okay, whose data are we going to try to preserve?” And you do the backend preservations; you’re doing the document hold notices or the litigation hold notices to make sure people know not to delete data. And then you start to think, “Okay, should we do any scoping interviews? Should we, for instance, try to speak to some of the folks that may have been involved in some of the activities and operations where the misconduct was happening, or do we fast-track to the data review to try to search for clues there?” Every investigation is fact-specific, and we try to be thoughtful and targeted so we can move quickly and efficiently in trying to get the information that we think we need.

Christopher Wall

You mentioned earlier that you might need to bring third parties in to assist. And as deep a bench as I’m sure outside counsel has for all of these things, there are times we need to bring in forensics experts, external audit financial auditors, and independent auditors. Anyway, any outside resources. Do you want to talk to us about the particular way we would want to make sure that the company papers that relationship with Anna, Ben, and John? Maybe you want to weigh in on this to preserve privilege or independence or whatever the case may be. You want to talk about that?

Benjamin Klein

Yeah, happy to jump in with a quick comment. I think any third parties that are engaged should be engaged by counsel. Obviously, this is done with coordination and the decision as to the best party being made by the client. But if counsel does the engagement, then all the subsequent work product and communications and so forth can be protected. Depending on the nature and geographic scope of the misconduct, you may want to look for a third party that has the reach to work not only within the obvious countries but maybe some of the others. So we know Brazil’s one of the markets, but there may be others because you’re going to have data collection and data privacy issues that you need to navigate, which may dictate, in some cases, putting data on servers. This is not just about bringing all that data into the United States but also keeping it on servers in other countries around the world.

Christopher Wall

Definitely, I mean, that’s a consideration for privacy, of course, but then also whether you want to subject that data to another country’s jurisdiction if you were to remove it. Right? Anna, is there anything you want to add about those relationships with third parties?

Anna Domyancic

I think that’s right. The other thing would be to consider whether you might need additional local counsel or other things in some of these jurisdictions, especially starting, I think, in Brazil with where the supposed whistleblower is coming from. There could be other sorts of labor and employment issues, too, that we would also need to be sensitive to here in dealing with the employees down there.

Christopher Wall

Yep. Yeah, I mentioned privilege before, too, and if this is in multiple jurisdictions, of course, the privilege doctrine isn’t necessarily the same outside of the US as in the US. And so, in your experience, do you typically paper these relationships with these third-party experts and outside counsel to preserve that privilege?

Anna Domyancic

Yes. Yes. The expectation would be to have external counsel hire those different forensic and other sorts of third-party investigators that we might need and also to look at whether those vendors would be vendors that otherwise might have relationships with the company and whether we want to think about, again, for this conflict of interest independence piece, using a vendor who doesn’t normally do work with this shipping company.

Christopher Wall

So, to round out that legal team, we need that bridge between the GC and the CISO, and we have a forensic specialist, especially in this particular situation. Right? And so, John, do you want to talk to us about the forensic specialist role here?

John Wilson

Yeah. Well, I mean, yeah, it’s certainly really critical to have that understanding. Brazil is a great example. In Brazil, if you introduce any evidence in court, you must have data collection and observation through a notary. It’s not a notary like you think of in the United States. It’s the particular legal process where somebody says, “Yes, this is valid evidence for court,” so you have to do that introduction through that notary process. And so a big part of this whole discussion really starts with what is the company’s experience with litigation investigations and those things, because that’s going to really drive how sophisticated you need to go with that outside counsel’s selection of third parties to accomplish these tasks because they can get really challenging. There are many things to think through just from the forensics perspective, just as how we properly consult in this jurisdiction to provide assistance because you have to understand that localized climate you have to deal with there. And maybe it’s five different climates because, again, we’re looking at an international incident. We have offices in Germany, where you have to deal with the workers’ council, and you have Brazil, where you have to deal with the notary process. There are all these different factors you have to contemplate and think about and figure out how they will interplay across that global span.

Christopher Wall

So that’s a lot of global expertise, and I will throw this to all three of you here. Who pulls all that together? Ultimately, somebody has to be responsible for keeping track of the various hurdles in conducting a cross-border investigation like that. To whom does that usually fall? I’ll lead off with Anna. Sorry.

Anna Domyancic

Yeah, I think for a lot of that, you need an experienced external counsel who is tracking all of that and has a pretty intensive project management style way almost, where you’re making sure you’re thinking through all of these different issues for each jurisdiction. They would be keeping the internal client aware and informed and whatnot, but they would need to be tracking all that stuff.

Christopher Wall

Yeah. John, any insight from the forensic specialist’s standpoint?

John Wilson

Yeah. I mean, yeah, I think you’re absolutely right, Anna. It usually is that outside counsel that’s got that field of expertise and understands the international implications of the investigation process. You have vendors with localized jurisdiction or a vendor third party with international experience and the depth of knowledge to go into 10 different markets and handle things. So it’s a bit of a challenge and usually solved case by case. So there’s not really a great rule of thumb: “Hey, do I get one vendor that can do all of these jurisdictions, or do I really need a localized vendor in each of these jurisdictions because there are specific requirements that drive that?” And I’d love to say, “Hey, you just go to the big vendor with that deep experience,” but that’s not always the right way.

Christopher Wall

No, I think it’s a team effort. And, look, Ben, I think all fingers are pointing towards outside counsel here.

Benjamin Klein

Yeah. I mean, that’s usually the case, and that’s part of our role. We typically are quarterbacking the investigation, all the different work streams. It doesn’t mean that we’re required to be involved in every single move. Still, oftentimes, these investigations have multiple work streams that are happening in parallel, so you’re coordinating with the client to try to get access to people to interview in data, you have a vendor who’s working on collecting the data, and that could be custodial records as well as financial information to do transaction testing, you have outside counsel who’s advising on employment issues, data privacy issues, and so forth, and then you have the law firm that’s just working to come up with this strategic recommendation with how to proceed with the investigation.

Christopher Wall

I’m glad you mentioned those multiple work streams. And we have a good question about one of those considerations for bringing this data together to the extent that you can or want to. So we talked about moving data across borders and jurisdictional concerns, and I think I mentioned privacy concerns or data protection concerns for moving that data across borders. But you want to talk to us a little bit about moving that data across borders from a data projection standpoint. We know that if you’re bringing data out of Europe, for instance, the GDPR presents certain obligations on the data exporter, or the data controller anyway, from the data leaving the EU to another jurisdiction to make sure that adequate protections are placed on that data before it leaves and especially for where it’s going. Where does that consideration come in? It’s not just the EU, of course, that has its data transfer protocols that you need to meet before you make the transfer. There are over 100 different jurisdictions around the world that have varying, well, similar to one degree or another, restrictions on data transfers. Do you guys want to briefly discuss where that analysis comes in here?

Benjamin Klein

I’ll make it quick. As soon as we get engaged in outside counsel, we start thinking about, “Okay, where’s the data held?” Sometimes, you have an operation in Sao Paulo, but the data is all on servers in the States. And sometimes, even if the data is on servers in the States, you need to start thinking about the paper records and sometimes the local files that may still be stored in Brazil. Typically, I mean, we have teams at Paul, Weiss that are subject matters in this area, but sometimes we engage outside counsel just for the purposes of understanding what the local data privacy laws require and whether we should be focusing on consolidating all this information onto a particular set of servers or having multiple servers to host the data for the review collection or-

Christopher Wall

That’s a great point. And I’ll just throw in here, too, that if you retain an outside vendor to do that work, whether it’s the forensics work, the eDiscovery work, or whatever it might be, make sure that that vendor understands the cross-border requirements. Your outside counsel needs to meet those same requirements, by the way, if they’re accessing that data. And then I know everybody wants a one-size-fits-all solution for these cross-border data transfers, and there really isn’t, but there is probably a leading practice here is at least solve for the most restrictive of those data transfer requirements and then go from there. And oftentimes, those most restrictive data transfer requirements might be the GDPR, and you solve for those. Then, you solve for additional wrinkles you might find under the LGPD in Brazil or from other jurisdictions, wherever you might be moving the data. Let’s talk about some more of those technical issues here. When we look at our hypothetical scenario, we’ve got an email that came out of the blue from an employee who isn’t necessarily involved or wouldn’t necessarily have any insight into global fraud. Does that raise suspicions from an IT standpoint, Ben? And I think we touched on this already, but either it’s legit, or some bad actors have sent it to make waves. Right? Maybe I can lead. Well, maybe we’ll lead with John here. When you see something like that, where do you start, and then where do you determine or how do you determine whether that email was legit or if it came from some outside actor looking to make a splash?

John Wilson

Yeah. Well, there’s quite a bit here that you have to delve into. So, first, you have to validate whether this email is authentic. Did the individual send it, or did somebody else send it on their behalf, or was it an external threat that just mimicked them or compromised that individual and sent that email? And you also have to start looking at… So you’ve got that phase, that’s that internal incident response; you’ve got to validate the email itself. Then you have to start moving into, “Hey, this is a low-level shipping clerk who has made all these allegations about financial fraud, and how would you even know these things? What collaborators might be involved? Where do I start looking to figure out how this person could have information or potentially have evidence about all of this?” You have to start looking in that avenue as well. Are there collaborators, or is he getting the data source because he has too much access to some systems that he shouldn’t have access to? So, again, back to that investigation, that incident response. You got to start looking at the activities of that individual, what system they’re getting into, what things they’re accessing, who they’re talking to, so you can figure out that collaborator problem, and bringing all that together into that forensics evidence and starting to build that evidence picture that says, “Hey, yes, this was an authentic email from this individual. We’ve identified they’re talking to five different people. Here are the people on the tree who could have potential access to some evidence about these accusations,” or “Here are the systems that they accessed that could have information about these accusations.” You have to do that deep dive investigation to figure out, first of all, what you need to preserve, and then how do you preserve those systems technically, how do you go get them, how do you make evidence of it, how do you get that evidence preserved so that you can move the matter forward, provide that to the outside counsel or the board or to the organization via reports to say, “Hey, this is what we’ve discovered. We think it was not the individual we suspected, but somebody else sent it on their behalf. That person that sent it on their behalf has access to these areas, was getting access to this data that he shouldn’t have had access to,” or “Was dealing with these collaborators that were providing information that they shouldn’t have shared; they had an obligation not to share,” et cetera.

Christopher Wall

But it starts, I’m sure. Well, actually, it probably starts with your interview. Let’s say during that interview, the employee actually said he didn’t send the email, right? Anna, Ben, if he makes that statement up front, where do you go from there?

Anna Domyancic

I think, yeah, it’s a lot of those steps that John was talking about that you’re looking at, forensically, in the data, who could have accessed that, how did they send that email, how did they compile this information? And you’re trying to run through that forensic data, audit logs, access logs, and other things. You can already see the different work streams in which this investigation would expand into a lot of different areas and things that you’d want to look into as an organization even after you resolve these initial questions.

Christopher Wall

I imagine this takes a different tenor at that point, right? A different tone. Rather than just being in a potential whistleblower situation, you’re now looking at cyber response, right? Hopefully, your organization has a cyber response playbook or an incident response playbook that you can turn to and draw from. Do you have to turn to that cyber playbook in this context? Maybe you can talk to us about how you identified it and how that came about. And I know, John, you touched on this; perhaps this is a good place for you to jump in and talk about that, too.

John Wilson

Yeah. I mean, absolutely. Having that sound cyber or incident response plan allows you to take those quick actions and look toward the systems and processes your CISO or your security team has implemented within the organization so that you have historical logs. Because in this hypothetical, you say we’ve gone, and we’ve interviewed, the shipping clerk says, “Hey, I didn’t do it,” and now you’re doing that investigation, now you figure out, “Hey, maybe there’s a third party got in, that his account was compromised.” So you have to start with that investigation. You have to look at that compromise of that individual, how they got compromised, what got compromised, how they escalated into other areas of the organization, and what path that compromise has taken. You really have to follow those incident response plans and ensure that the organization has a well-defined incident response plan because these are not things you want to figure out in the heat of the moment. You’ve got to have that plan that says, “Hey, here’s where we have all of our authentication logs; they’re preserved, and we have them for 180 days,” or whatever your preservation requirements are in your organization, and building out that playbook and that logistical plan to say, “Hey, okay, now we have to go look at the authentication logs. We have to look at data stores. We have to look at email, messaging, and MFA platforms. Did the person get compromised with a man-in-the-middle attack?” You’ve got to have that whole roadmap pre-built and ready. And so I really advise having that, but that’s not the point of being here. That’s really what has to happen. You’ve got to sit there and look at where this is going to divide because, again, we have the scenario where the person says, “Hey, it wasn’t me.” We figure out that there was a compromise, and you have to start looking down that tree, or you have a situation where the person says, “It wasn’t me.” You find out that somebody else impersonated him or another person came and logged into his system because he left it, logged in, and sent the email from his account. And so you’ve got to be able to take those different tracks, and that’s where these investigations tend to just… That’s why there’s not a single “Hey, here’s the easy button,” I just push this button, and it figures it all out. All of these things run in really many tracks, and you’ve got to figure out, is this an individual-

Christopher Wall

Well, John, I thought the easy button was calling on our outside counsel, Ben, to say, “Here, just take care of this for me.” I thought that was the easy button.

Anna Domyancic

Yeah. Even if you interview the person and they say they didn’t send it and you start looking at that, that is separate from whether those allegations that were made in the email have validity. So that investigation would still need to continue while you’re also now dealing with this cyber circumstance and trying to run down all of those tracks as well.

John Wilson

Great point, and I’ll make it even more complicated because we had one of these in recent months where we went to the person who was the whistleblower, and that person said, “It wasn’t me,” the investigation proved it was them, but also turned up that there was an incident response, there was an external threat that had gotten into the system and was feeding bogus information to the individual, it just makes it so much more fun and complicated. It gets really insane when you start thinking about, “Now I’ve got a person that’s a whistleblower that says they weren’t the whistleblower, but they were the whistleblower, but then they were being fed false information because of a third party exploits to the system adding to those deeper levels.” And you still have to have those investigations to say, “Hey, did the fraud occur or did the fraud not?”

Christopher Wall

Yeah, I think Ben and Anna both mentioned that you do have to bifurcate this investigation. One is the technical potential IR incident, and the other is the actual fraud or the actual allegations themselves to see whether there’s anything there. Regardless of whether that blast was an actual whistleblower or an outside hack, one of the places the investigation will have to turn is the company’s data overall, right? Regardless. So often, I think we think about email when it comes to investigations like this. Still, statistically speaking, the volume of unstructured data like email is far outweighed, in most organizations anyway, by structured data or data that’s essentially stored in rows and columns in databases. That data can readily be mined for trends and patterns that often point to fraud, illegal activity, or things like that, which we usually call just big data. And so I’ve seen structured data put to really effective use in cartel investigations where publicly available data along with internal production pricing or capacity or other data are combined using tools like Spotfire or Tableau that allow you to tweak one data point or another to demonstrate the effects that such a change in pricing or capacity or whatever can illustrate trends in that data. And so you can put that structured data into all kinds of good use by visualizing it and demonstrating what’s going on with the business itself, not just what’s going on with the data, but with the businessitself. I always say drawing a picture is always better than just telling enforcement about it. In a preventive vein, if we take that structured data, apply analytics to it, and apply it in as close to real-time as possible, we can often detect compliance issues or trends or patterns that indicate actual or potential compliance issues. And so that’s me, just ruminating, sorry, on advanced data analytics, but I’m going to ask Ben, Anna, and John, how have you seen structured data used in this investigation or for enforcement or regulatory compliance more broadly?

Benjamin Klein

So, I mean, this is where it really helps to have a company, an outside vendor that can do data analytics and potentially forensic accounting to dig below the surface and look for trends that might not be obvious to the naked eye. And there are lots of ways to do that. I just want to add, though, that even on our side, the outside counsel side, which typically involves custodial data reviews, there are AI tools that exist there as well. Increasingly, we’re using them with incredible effectiveness to shorten the timeline for reviewing documents and doing it in very thoughtful ways with tools like Relativity aiR for Review. For one investigation, we got through 120,000 documents in four days for our first-level review. It short-circuited the review to about 3,000 or so documents per second-level review, which attorneys at the firm would do. It saved the client an enormous amount of money and let us jump to interviews weeks faster than we otherwise would have.

Christopher Wall

I think that’s a really important point. And, look, I’ll boil it down. When you use something like Relativity aiR, you effectively take unstructured data like email and put it into a structured form. And I think that’s a fantastic way to approach it. Anna or John, do you want to add anything here?

Anna Domyancic

No, I think the cost piece, especially as the requisite in-house person here, is always something. Especially in these white-collar investigations where there’s this fear of endless document review and all sorts of other horror stories, the use of AI, analytics, and other technologies to crunch through a lot of data quickly, efficiently, and in a cost-effective manner is extraordinarily valuable.

Christopher Wall

And, look, I’ll mention one… Go ahead, John. Go ahead, John.

John Wilson

I was just going to say I’ll even add on the forensics front that we’re doing things like using AI and analytics to figure out who the possible collaborators are. We’re starting to look through their communications. We’re using AI and analytics to say, “Hey, who are they possibly talking to? Where is the possible source of this data,” or various things around that. But using that intelligence to really help understand the who, what, when, where, and how of the data really helps us guide where we have to go in the investigation in a much faster timeframe than previously.

Christopher Wall

Yeah. In that same vein, I’ll mention our last bullet point in this slide. And because I’m the privacy guy, and because we had a great privacy or data protection question earlier, I’ll mention that AI is a fantastic tool that we’re using today to help identify personal information so that we can de-identify the document; we can take the PII out of these documents and reduce privacy risk or data protection risk before that data crosses borders, or even if you keep that data within a jurisdiction, you’re reducing that privacy risk by de-identifying it.

John Wilson

Yeah. Well, I’ll even add using it to get to the point where you can do entity recognition because now you’ve figured out that it was a third-party incident, and you have to do notifications and all those things. So, use it to identify things that are opposite to what you were just talking about.

Christopher Wall

Yeah. And again, I’m going to stick with privacy here, but anytime we talk about cross-border investigations, especially if it involves electronic data, we have to think about data protection. In this hypothetical scenario, if we need to bring data from Brazil, the EU, or other jurisdictions around the world, we have to make sure that we comply with data transfer rules under all data protection regulations in those jurisdictions. And, as I said, there are a lot of real risks in moving personal information from one jurisdiction to another, especially if that destination is the US. Again, there are well over 100 countries around the world with data protection laws in place. And a lot of those jurisdictions have restrictions on what data you can take from their country. Speaking of these different jurisdictions, data privacy and data protection regulations aren’t the only reasons you may not want your data being moved from one jurisdiction to another. We talked about this briefly earlier; simply moving that data to another jurisdiction may well subject that data to the jurisdiction of the destination country. Ben, Anna, John, anything you want to comment about on that brief point?

Anna Domyancic

Well, yeah, I think we’ve assumed that that email went out at some point in… Did it make its way to the government? Have any governmental authorities from these countries issued a subpoena or contacted the company or an inquiry? Or even if they haven’t, that has to be something the company and its counsel are all thinking about as a possibility. Then, I will think about all the follow-on implications of that. And, of course, if you’ve transferred all your data in a rush to the US or somewhere, you can’t unwind that clock once it’s here.

Christopher Wall

Yeah. So if we look at that little bottom purple icon on our slides, if we’re looking at potential enforcement actions by government agencies in multiple jurisdictions, we want to make sure that there’s seamless coordination among your global and local teams. So, Ben, what does that look like? Or, Anna, John, what does that look like? How do you make sure that you have clear communications? How do you keep all of the teams apprised of how things are developing, and how do you collaborate with local enforcement authorities if necessary while trying to maintain the investigation’s integrity?

Benjamin Klein

Yeah. Well, just to jump in here, I had an investigation very similar to the hypothetical presented here a couple of months ago in Latin America. One of the risks we had, which we identified only after some closer forensic review of the email, was that in addition to being sent out to a very broad audience of people within the company, there were also media contacts at investigative newspapers as well as an outside auditor that was involved. And when you have outsiders getting communications about misconduct, you always have a risk that will get amplified by others. Then, ultimately, the regulators will catch the attention. You’d want to do that assessment upfront about the possibility of this through media reports or otherwise landing in the inbox of enforcement bodies. You also have, of course, the potential risk of somebody going directly through a whistleblower action. So, you want to be thoughtful about those risks so you have stakeholder engagement from the start when dealing with potential crisis management. Hopefully, you ultimately won’t have to interact with those enforcement bodies. Still, outside counsel is likely your best conduit for helping manage and navigate any interactions you have to have if that ultimately ends up being the case.

Christopher Wall

Yeah. Thanks. Anna or John, anything you want to add there?

Anna Domyancic

Yeah, I think that that makes sense, having that consistent information flow to the extent possible, though; Ben just added a bunch more wrinkles, but consistent information flow so that you’re being as accurate as possible and consistent when communicating across these regulators.

Christopher Wall

Anna, I’m curious about your perspective and how you like to be informed. If you’ve got essentially a global investigation here, how can outside counsel keep you apprised without burying you in the minutiae of this investigation? You want to be informed, obviously, of all the developments, but how do you prefer to be kept abreast, anyway?

Anna Domyancic

It can really depend. In something like this, I think we’re probably having a daily-ish call or something walking through at the end of the day, especially at the start to [talk about] where things are, where we’re moving, and what’s going on tomorrow. Internal counsel also has a lot of stakeholders that they’re updating and clamoring for information. So figuring out if these are calls or short-written summaries that I can then take and provide to the different internal stakeholders I need to talk to can depend. There’s a ton of minutiae, especially as you start engaging all these other vendors, and it’s potentially an avalanche of emails and other things. So that is typically not a way that I like to be kept in the loop with my counsel, but these are more like, “Here’s what happened today. Here’s next on deck tomorrow,” and we can work through that and plan for it.

John Wilson

Yeah. So, for me, it’s usually regularly scheduled, whether daily, bi-weekly, or weekly conversations, because we’re talking about one of the things that get real interesting. So I sent an email saying, “Hey, we’re starting to investigate if there was a third-party breach activity related to this incident.” Well, if you send that in the email report to the client, a regulator will request all the emails, and they will see that. Then, all of a sudden, it’s taken out of context to say, “Hey, wait, now there was a third-party breach. Now there was an incident. It wasn’t just an insider whistleblower,” so you have to be very intentional in the discussions and the information-passing because you have to think that a lot of these emails, even though we work very hard to make sure that privilege is maintained. Those things, messages can be taken out of context if you’re not framing them properly, stating them properly and clearly, and with the right confines. The communication of that information does become very critical, and having that regular cadence, like I said, generally for our team, we do them through conference calls or calls because we don’t want that information to be taken out of context. You have to think about all those things, but you also have to think about them, especially when discussing a third-party incident. But even when you don’t know if it’s a third-party incident, starting to monitor the dark web and looking at those things, engaging your providers that can provide that ability to look for mentions of the organization or mentions of the whistleblower or those activities or regulatory involvement and all those things. You’ve got to be monitoring the dark web, news media, social media, and all those different channels.

Christopher Wall

All right. Thanks, John. I know our audience joined because it’s an important topic, and they want to learn more. And I’ll just mention one more great resource for our listeners in addition to these fantastic panelists, of course, and that’s the Sedona International Investigations Principles. I spent several days last week with Sedona Working Group 6, discussing those principles that involve cross-border investigations and discovery, and I cannot recommend that white paper strongly enough. As we wrap up here, let’s leave our audience with a few final thoughts. And a question that I’ll put to each one of you, as our audience leaves the webinar and recognizes that they’re coming to us from a lot of different industries, what’s one thing that they can do today to prepare for fraud or other white-collar investigation? And I’ll start with John.

John Wilson

Yeah. From my perspective, it’s having that crisis management incident response plan in place and tested. So a lot of people go out and just build a plan, but they don’t actually test and validate, “Is this going to actually flow? Can I reach these people? Can they reach the things they need to reach?” So table-topping those incident plans, crisis plans, and media plans is really critical.

Christopher Wall

Proper preparation prevents poor performance. I appreciate that. Thank you, John. Anna?

Anna Domyancic

Yeah, that’s a good one, John. Knowing where all your data is, and especially as there are more and more data sources and different technologies that companies are constantly coming online, knowing where those are and how you’re going to get those if you ever needed them for an investigation, for litigation, et cetera.

Christopher Wall

Awesome. And, Ben, I’m going to give you the last word here.

Benjamin Klein

I would say to start thinking about the potential of harnessing AI. I know a lot of companies are starting to think about AI in broad terms. In the context of compliance and investigation, I think it’s exceptionally right. And I think rather than trying to figure it out on the fly when a time-sensitive investigation pops up, start to think about it in advance, and I’m sure your outside counsel can be a great resource to you to try to understand how you can use it to cut costs and speed up reviews.

Christopher Wall

Absolutely. All great tips. Thank you, all three. And with that, I’m going to pass it back to you, Bryan. And Bryan’s on mute there.

Bryan Bellack

Oh, apologies. Thank you very much, Chris. And thanks to everyone for joining us on today’s webcast. Our panelists covered a lot of ground, but I hope we demonstrated the complexities emerging more consistently on white-collar matters and investigations and the methods available to reduce the associated risks around discovery. You’ll see our contact information on the deck, and you can also reach me anytime at [email protected]. We truly value your time and appreciate your interest in our educational series. Don’t miss our workshop with the EDRM next month on April 16th titled From Summation to AI Tokens, A Journey Through E-Discovery’s Most Transformative Shifts, where expert panelists will examine e-discovery’s past, present, and future, sharing how technology has reshaped workflows, what skills will be critical in the next phase, and how professionals can embrace what’s to come. Check also our website, HaystackID.com, to learn more about and register for this upcoming webcast and explore our extensive library of on-demand webcasts. Once again, thank you for attending, and we hope you have a wonderful day.

Moderator

Thank you all for joining us today. Special thanks to our speakers, Ben, Anna, Bryan, Chris, and John, for their time and efforts in preparing and delivering this session. As mentioned earlier, this session was recorded, and we’ll share a copy of the recording with you later today. Thank you once again, and enjoy the rest of your day.

Christopher Wall

Thanks.

Host

+ Bryan Bellack
Executive Vice President, HaystackID

In his role as the Executive Vice President of Business Development at HaystackID, Bryan Bellack is responsible for global sales and business development of HaystackID’s eDiscovery, Cyber Incident Response, White Collar and Investigations solutions. Before joining HaystackID, Bellack was a Managing Director in BDO’s Consulting practice where he led sales for their Forensic Technology Division. Bellack earned his B.A. from the University of Michigan, his law degree from the Maurice A. Deane School of Law at Hofstra University and is licensed to practice law in New York State. In addition, Bryan serves as an Advisory Board Member to Guardrail Technologies, an AI Risk Management Platform. Bellack has also attained the following certifications: Certified E-Discovery Specialist (CEDS) from ACEDS; Cybersecurity: Managing Risk in the Information Age from Harvard Online; and Data Analytics Foundations: Business Analytics from eCornell.

Expert Panelists

A counsel in the Litigation Department, Ben Klein is Deputy Chair of the Anti-Corruption & FCPA Group. Ben regularly represents clients in complex commercial, regulatory and white collar criminal matters, including high-stakes investigations by the U.S. Department of Justice, the U.S. Securities and Exchange Commission and other enforcement agencies, both foreign and domestic. He is also a member of the White Collar & Regulatory Defense and Internal Investigations groups. Ben has conducted investigations and counseled clients on matters involving the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act 2010 (UKBA) and other anti-bribery/anti-corruption laws, as well as the False Claims Act and Anti-Kickback Statute. He has handled cross-border investigations, risk assessments and compliance reviews in over two dozen countries and on practically every continent, including Africa, Asia, Europe, the Middle East and Latin America. Ben also routinely performs anti-corruption compliance due diligence for acquisitions, joint ventures, equity investments and other transactions. Ben regularly advises clients across diverse industries—including the life sciences, energy and technology sectors—on the development and strengthening of corporate compliance programs, and he has drafted numerous compliance policies, operating procedures and codes of conduct. He also conducts compliance trainings, including trainings for officers, directors and corporate executives.

Assisted by GAI and LLM technologies.

SOURCE: HaystackID