7 minute read

Five Best Practices for Protecting Sensitive Information During an Investigation

5 Best Practices for Protecting Sensitive Information During an Investigation

by Jeffrey Wolff

Organizations are feeling the pinch of compliance like never before as government agencies at every level are scrutinizing their business affairs more closely and issuing more regulations. To meet their compliance obligations, smart organizations leverage internal investigations to address personnel issues, respond to employee complaints, prepare for litigation, and audit their business practices.

In most circumstances, organizations want to keep the findings of their internal investigations private, whether it’s to safeguard the company or an employee from embarrassment or to prevent an opposing party from gaining access to damaging information. That requires organizations to take proactive steps to protect sensitive information. Fortunately, there are several tools for protecting sensitive information during an internal investigation.

What Is Sensitive Information?

Sensitive information is any information that is confidential, proprietary, private, or legally protected. It can take a variety of forms. Here are some of the most common types of data that organizations need to protect: • Employee data such as Social Security numbers, dates of birth, home addresses, and health and benefits records • Financial information, including bank account and credit card numbers, revenue sources, and expenses and losses • Client and customer information, including contact details and previous order records • Proprietary information such as trade secrets or research details

• Strategic plans, including potential mergers and acquisitions, development opportunities, and internal processes • Operational details such as inventory records, pricing policies, and marketing techniques • Results of internal investigations and other information not known to the public Sensitive information is often implicated in internal investigations—and without caution, it could be intentionally or inadvertently shared outside the organization.

Why Protecting Sensitive Information Is Important

Organizations and their counsel should protect the sensitive information uncovered or generated during an internal investigation for several reasons.

Sometimes the information may be potentially damaging to the reputation of an organization or its employees. Most companies have an interest in resolving internal affairs quietly. Keeping private matters private avoids potential embarrassment and a public relations nightmare.

Protecting sensitive information can also prevent the contamination of witness testimony and encourage reluctant witnesses to come forward. If you’re interviewing multiple employees about an employee issue, you may want to keep witness testimony private until the conclusion of the investigation so there’s no possibility of undue influence. Furthermore, employees are more likely to raise concerns if they’re assured that their comments will be kept confidential.

Finally, where litigation may follow, organizations should take care to protect sensitive information so that it’s not subject to discovery by an adverse party. The failure to safeguard confidential information may put you at a serious disadvantage if the matter leads to legal proceedings.

Legal Protections For Sensitive Information

The main way to protect sensitive information is to cloak it in the attorney-client privilege.

If lawyers participate in an internal investigation for the purpose of providing legal advice, then those conversations and the materials that you share are protected by the attorney-client privilege. Similarly, a lawyer’s work product, including notes and documents, is protected from discovery so long as it’s created in preparation for litigation.

Be cautious, though. These protections don’t generally apply to routine audits or other investigations conducted in the ordinary course of business. That’s why it’s important to make sure that you’ve taken the right steps to protect sensitive information before an internal investigation even begins.

5 Best Practices For Protecting Sensitive Information

1. Involve legal counsel in the investigation: One of the easiest ways to help protect sensitive information is to involve legal counsel both before and during an internal investigation.

For example, a lawyer can establish guidelines and parameters for the internal investigation, like clearly identifying and documenting its purpose and scope. If you’ve established that the purpose of an investigation is to obtain legal advice or prepare for litigation, the results are more likely to be protected under the attorney-client privilege. An attorney can also correctly explain the attorney-client privilege and work product doctrines to the investigative team and any witnesses throughout the investigation. This ongoing reminder can help focus the investigative team during their work, keep witnesses on track, and strengthen the privilege argument during trial. 2. Keep physical work product in one location: Investigative teams may collect or create countless documents during an internal investigation. It will help if you maintain all data and documents in a designated area. While it’s helpful to have an eDiscovery solution for organizing your data and managing legal holds, you’ll also need to properly and securely store any physical documents. From an attorney-client privilege perspective, securing all of your evidence in a single access-controlled location demonstrates that it’s protected as work product. If documents are floating around the office or stored in various non-private electronic folders, a court is less likely to deem this information sensitive or covered by the work product doctrine. This means you’ll need strong cybersecurity protections and encryption for electronic work product. Haphazardly leaving work product on an unsecured network where others can access it will weaken your argument in court. Added layers of protection demonstrate the sensitivity of the information and show that the organization is proactively taking steps to prevent its disclosure. 3. Document the investigation process thoroughly: Keeping thorough documentation throughout the investigative process is essential to protecting sensitive information with the attorney-client privilege and the work product doctrine. Without thorough documentation, opposing counsel is likely to argue that protections should not apply, and sensitive information may be deemed discoverable. Counsel and internal investigators should keep written records that establish the investigation’s purpose and scope at each step along the way. This includes documenting how each action, witness interview, and document is necessary for obtaining legal advice and preparing for litigation. Counsel should also verbally inform witnesses about the investigation’s purpose—to prepare for litigation or to obtain legal advice—before each interview. At the same time, they should ensure that interviewees aren’t recording the interview, as any copies could become discoverable. 4. Use formal communication channels: In this day and age (especially in the era of COVID-19 and working from home), employees commonly communicate using informal channels, such as texts and chat messages. While these tools make it easier for colleagues to collaborate, they can also create a horrifying paper trail for lawyers during an internal investigation. During an investigation, counsel and investigators must use formal communication channels each step of the way.

Conversations over chat or text message are more likely to become discoverable during litigation because they lack the formality and protections of an in-person interview.

Furthermore, these technologies create the risk of duplication of statements, which might ultimately destroy the attorneyclient privilege. Using multiple informal communication channels also fragments information, making it more likely that an investigator will miss or lose track of documentation or testimony or that it might be intercepted or hacked. By instructing investigators to only use formal, protected communication channels, such as in-person interviews and email, a company can shield any sensitive information that the investigation surfaces. 5. Create a script for interviewers and investigators: Counsel shouldn’t expect that employees, even at the executive level, will understand the scope and purpose of the attorney-client privilege and work product or the consequences that their actions might have on future litigation. To combat the risk that investigators and interviewers will unwittingly jeopardize sensitive information, create a script for investigators to read at the beginning of each interview.

This script should include a provision for informing witnesses that interviews are recorded and verifying that they aren’t surreptitiously creating their own recording. If the interview is conducted remotely, the script should include verification that the witness is alone. Finally, the investigator should inform the witness that the purpose of the interview is to obtain legal advice or prepare for litigation.

Thoughtful Preparation Is Key to Successfully Protecting Sensitive Information

When it comes to protecting sensitive information during an internal investigation, the main takeaway is that the more thoughtfully you prepare, the more you can reduce the risk of disclosure.

A disorganized internal investigation with no clear scope or purpose is more likely to result in a leak of sensitive information or a breach of the attorney-client privilege. Before beginning the investigation, you need to plan for how you will store and document information, involve legal counsel at every step of the process, and educate everyone involved about the need to protect sensitive information. n

Jeffrey Wolff is a Certified E-Discovery Specialist who joined ZyLAB in May 2015 and serves as Director of E-Discovery Solutions. He brought with him over 20 years of experience in Information Systems and enterprise software. He has been involved in solution architecture, design, and implementation for major projects within the Department of Defense and Fortune 1000 corporations. Learn more at www.zylab.com.

This article is from: