In search of a needle in a haystack

“…In 2004 Facebook didn’t exist, Twitter was still a sound a bird made, a cloud was something in the sky, 4G was a parking spot, an application was what you sent to college, and Skype was a typo.”

This quote by Thomas Friedman illustrates just how rapidly everyday private and business life has changed. Digitalization has found its way into almost all areas of our lives. Communication takesplace mainly via e-mails, chat forums and social media. Even contracts between companies are increasingly no longer exchanged in paper form, but scanned in and sent as PDF files.

Information is now usually only available in digital form. The daily amount of data that an individual employee creates and receives via e-mail seems to be growing inexorably. Digital storage space is becoming cheaper and cheaper and is encouraging employees to store data permanently. Identical documents are often stored several times and in different locations. When relevant information needs to be extracted from this flood of data, computer forensics experts and advanced technology are needed to separate the important from the unimportant. Two different case studies are provided to demonstrate the use of IT forensics and eDiscovery procedures for compliance violations.

The world of electronic data

About 90% of all business-relevant information for a company is no longer available in written form, but in electronic form (electronically stored information, ESI for short). This stored data volume isconstantly growing; studies suggest that it doubles about every two years1. The data comes from a variety of data sources, exists in various formats and is stored in various locations, such as on servers, external data carriers and mobile devices. A distinction is made between structured and unstructured data. Structured data is business data from financial accounting, for example, stored in database systems in a defined and traceable structure. This enables efficient management and quick access –and facilitates, if necessary, forensic investigation. On the other hand, unstructured data is much harder to capture. This includes office files (text documents, Excel sheets, etc.), but also photographs, drawings, graphics and image/sound files of all kinds, including e-mail files that do not follow a uniform filing system and are stored on widely distributed, heterogeneous storage media. On business computers and notebooks, there are sometimes several gigabytes of unstructured data – for every single employee. In this way, millions of documents and e-mails quickly come together that can no longer be analyzed and evaluated without the help of technology.

Another factor of uncertainty for companies in handling their data is often the lack of systematic document retention plans. Internal guidelines do not always determine how data is handled, how it is collected, stored and finally deleted. In the event of later use in court, for example, deletion dates can be of great importance, be it routine or even deliberate individual deletions. Thus, company data in its various forms carries a considerable risk for the company if worst comes to worst.

The worst comes to the worst:

Case study 1: Request for information from the authorities

The U.S. Department of Justice is investigating a German company’s U.S. subsidiary and has been requesting information about its marketing practices in the U.S. and Germany since 2008. Twenty employees in the U.S. and 15 in Germany have been identified by the investigating authority, and they must submit all relevant e-mails, reports, calculations, account movements and other documents within six weeks. The requested data consists of nearly one terabyte of business data, although it cannot be ruled out that it may include private and confidential information of employees. The data is stored on servers, PC drives and some smartphones in Germany.

Case study 2: Investigation initiated internally

Based on anonymous information provided by a whistleblower, a company based in Germany receives specific indications of irregularities in its business in southern Germany. Price arrangements have been made with a local competitor, and bribery payments have issued to various customers. The department comprises 12 employees and the accused sales manager. The company’s legal department is conducting internal investigations.

These are not isolated cases. Nearly 50% of all companies in Germany have already fallen victim to or been involved in economic crimes2. The risk of fraudulent (company damaging) actions is constantly increasing. Complex business processes, the widespread use of new technologies and systems, poor workplace conditions or competitive pressure as well as a lack of controls and security equipment are all contributing to this trend. According to the Fraud Triangle model of sociologist and criminologist Donald R. Cressey, three factors are decisive for fraud:

• the opportunity provided by the lack of or ineffective control systems,
• the motivation, i.e. the incentive for the action, and
• the possibility of justifying the act to oneself after committing it.

No company can claim with certainty that these factors do not apply to its own employees at all.

Conducting efficient IT forensics. Practical execution of eDiscovery.

eDiscovery poses a major challenge for the company concerned. The initial uncertainty, resource planning, time management and cost control can be overwhelming. However, by setting milestones along a defined path for the implementation of eDiscovery can significantly help facilitate the process. This begins with developing the project design, i.e. determining the scope of the project, and the data sources and employees (“custodians”) to be involved. The more precisely the scope of the investigation can be defined at an early stage, the more precisely the effort and costs of eDiscovery can be calculated. In case study 2, for example, the main suspect will be examined first, and only then will the review be extended to other employees as necessary.

Another important factor is the use of appropriate IT infrastructure, especially the evaluation platform. This should be located in a controllable environment, with strictly regulated and secure access for the lawyers, forensics experts and company representatives involved in the review process.

The assignment of personnel is the most important factor influencing the costs incurred during eDiscovery. Appropriately qualified employees should be assigned to each of the various work steps. The first level review should be carried out by project lawyers, who make a pre-selection of the relevant data in cooperation with the lawyers in a specialized and cost-effective manner. A second level review is then carried out by the specialized law firm, or experienced analysts should be used to perform the final evaluation of the pre-classified documents.

In international eDiscovery cases – as in case study 1 – cross-border networking of the parties involved in the investigation is also a success factor that should not be underestimated. The German company, which must perform the eDiscovery, should be able to rely on the expertise of their partners in other countries, in our case in the U.S. Each country has its own laws and regulations, which must be taken into account if subsequent costs are to be avoided due to procedural errors.

Project management as a success factor

The success of eDiscovery depends decisively on project management. That’s why eDiscovery projects should be managed by experienced consultants who are responsible not only for scheduling, resource allocation and budget control, but also for the seamless performance of the eDiscovery process, as well as for communication between all parties involved at all stages of the investigation.

This includes transparent reporting on the basis of current data and the complete documentation of all steps and decisions. All parties with the relevant authorization should be able to directly access the results of the steps carried out. Making it possible to obtain an overview of the entire course of the project or of detailed individual questions at any time is a great advantage, especially for the internal representatives of the company concerned and for law firms. All current inquiries and their response status should be accurately documented; this is particularly important when there are personnel changes in the investigation team. Another important task of project management is data protection, particularly the protection of the personal rights of employees involved in the investigation. However, data protection does not only apply to persons, but also to secured data. All storage locations, including the review platform, are subject to the highest security standards and the most precise access regulations. After completion of the investigation, a complete and irrevocable deletion of all acquired data must be carried out in consultation with those responsible


Michael Becker is an attorney and Managing Director at CONSILIO / A First Advantage Company in Munich. He supports leading international financial and industrial companies as well as law firms in the planning and management of eDiscovery and computer forensics projects. Michael Becker is entrusted with planning and managing electronic evaluation processes in antitrust, fraud, compliance and corruption proceedings, litigation, arbitration and internal investigations. Special focus is on the various international data protection regulations and legal process outsourcing. Prior to this, he worked as a lawyer for international corporate law firms in Frankfurt, Munich, Vienna and Bucharest.

Publisher: Professional Association of Compliance Managers (BCM) e.V.

1) See also: Internal study Consilio, 2013 ( )
2) According to a study by the Martin Luther University, Halle-Wittenberg, 2014