Regulatory requests are the number one reason for eDiscovery worldwide. These requests for information and documentation from regulatory bodies or external auditors come unannounced and can be very disruptive.
Traditionally, these investigations were driven by competition and anti-trust violations. However, in recent years (new) regulators have started conducting similar disruptive requests and investigations related to other issues such as bribery, fraud, environmental or healthcare violations, data privacy and consumer protection matters, and many other regulated fields.
As a result, regulators, courts and law enforcement authorities worldwide have developed an apparently insatiable appetite for access to data held by corporations. The number and value of fines are increasing steeply, so companies need to be better prepared. Here are 5 tips on how.
Tip #1 - Make sure your answers are complete, accurate and timely
Information seizures can range from mandatory information productions (collected and prepared by your organization) to complex cross-border dawn raids, and all have one important element in common: time is of the essence.
Most regulatory authorities want you to indicate what is responsive, non-responsive or privileged within a short time frame, often around 10 days. Intentionally or accidentally withholding or not providing information can lead to dawn raids and on-premises investigations.
Speed is also important for your company. The sooner you know what really happened, the sooner you can plan your own strategy, start your own investigation with your outside counsel and prepare for additional investigations from other countries and services and claims from disadvantaged parties (customers, consumers).
Tip #2 - Use technology
All companies store too much data. If you have to be certain that you have provided all relevant information, it is virtually impossible to do so manually. Even the most brilliant queries will provide too many hits and no relevance ranking scheme works perfectly all the time.
Automation dramatically simplifies the process of mining vast amounts of electronically stored information and helps you to find more relevant information, faster and using fewer resources. Register for the ACEDS webinar “Handling Regulatory Information Requests” and learn how ZyLAB ONE eDiscovery uses Artificial Intelligence and Data Science tools to limit the time and costs needed for regulatory information requests.
Tip #3 - Know what to look for
It is hard to find information when you do not know exactly what you are looking for. And if people want to cover up or even hide something, it becomes even more difficult. It is a continuous game of hide & seek, with one party trying to outsmart the other. Here are some clues on where to start your search:
- Look for individual names of suspects, partners in crime, related companies, etc.
- Find “One-on-one emails” sent to personal email accounts.
- Identify communication taking place at odd times.
- Locate emotional communication: anger, cursing or threats.
- Identify code words and hidden communication methods (Snapchat, WhatsApp, …).
- Analyze expenses, phone records and other data to find out where secret meetings took place.
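Two of the metadata clues in the list above (one-on-one emails to personal accounts, and communication at odd times) can be checked mechanically. The sketch below is an added example, not part of the original article or of any product it mentions; the webmail domain list, the working hours and the sample messages are constructed assumptions.

```python
from datetime import datetime

# Assumptions for illustration: the webmail domains and working hours are
# hypothetical review parameters, not values given in the article.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
WORK_START, WORK_END = 7, 20  # local hours: 07:00 up to 19:59 counts as normal

# Constructed sample metadata: sender, recipients, local send time.
MESSAGES = [
    {"id": "m1", "from": "a.jones@corp.example",
     "to": ["b.smith@corp.example", "c.lee@corp.example"], "sent": "2017-03-14T10:15:00"},
    {"id": "m2", "from": "a.jones@corp.example",
     "to": ["contact1@gmail.com"], "sent": "2017-03-14T23:40:00"},
    {"id": "m3", "from": "b.smith@corp.example",
     "to": ["c.lee@corp.example"], "sent": "2017-03-18T11:00:00"},   # a Saturday
    {"id": "m4", "from": "c.lee@corp.example",
     "to": ["Contact2@GMAIL.com"], "sent": "2017-03-15T14:05:00"},
    {"id": "m5", "from": "c.lee@corp.example",
     "to": ["contact1@gmail.com", "a.jones@corp.example"], "sent": "2017-03-15T09:00:00"},
]


def domain(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def flags_for(msg):
    """Return the list of clues a single message matches."""
    flags = []
    recipients = msg["to"]
    # Clue: a single recipient whose address is on a personal webmail domain.
    if len(recipients) == 1 and domain(recipients[0]) in PERSONAL_DOMAINS:
        flags.append("one-on-one-personal")
    # Clue: sent at the weekend or outside the assumed working hours.
    sent = datetime.fromisoformat(msg["sent"])
    if sent.weekday() >= 5 or not (WORK_START <= sent.hour < WORK_END):
        flags.append("odd-time")
    return flags


def review_queue(messages):
    """Return (id, flags) for flagged messages, most flags first."""
    hits = [(m["id"], flags_for(m)) for m in messages]
    hits = [h for h in hits if h[1]]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    for msg_id, flags in review_queue(MESSAGES):
        print(msg_id, ", ".join(flags))
```

A flag here only prioritises a message for human review; timestamps must be converted to the custodian's local time zone before the odd-time check means anything.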
Tip #4 - Protect sensitive data
Data protection and privacy are hot issues and will become even more important in the near future. By the end of May 2018, the General Data Protection Regulation (GDPR) will regulate all activities involving the personal data of EU citizens. It does not matter whether or not you are a European company; the new GDPR will bring substantial changes and compliance challenges for every organization that collects, processes, stores, and transfers personal data, anywhere in the world.
Companies will have two years to implement appropriate technical and organizational measures and ensure compliance with the GDPR before penalties can be levied beginning 25 May 2018.
If you need to disclose data from the EU to the US, make sure you use automatic Black Lining (bulk redaction) and Pseudonymization to protect personal and privileged information.
Tip #5 - Prevention is better
Proactively preventing non-compliance is preferable to preparing for investigations. The same technology you should use to answer regulatory requests can also be proactively used to search for risks, deviations, and compliance violations so you can address these risks and prevent them from happening again in the future. You can, for example, carry out a compliance run during take-overs or during an unusual economic situation. And it is good to know that (independent) audits by a lawyer (interviews and data investigations) are protected by legal privilege.