Regulatory bodies routinely issue notices to organisations as part of their investigations and under their inquisitorial powers. Businesses are obligated by law to respond. We offer data management tips to help with this process..
Regulatory bodies like Australian Securities and Investment Commission (ASIC) and Australian Competition and Consumer Commission (ACCC) routinely issue notices to many organisations as part of their investigations and under their inquisitorial powers (Notice).
If your business is issued a Notice, it may not be because they are the subject of an investigation. It may be that they are a third party that the Regulator believes holds relevant documents - for example, an allegation of suspected breaches of the Corporations Act. Alternatively, the ACCC may issue a notice to gain better insights on a company's operations to ensure there is no improper conduct (such as cartel conduct) or if a large merger or acquisition may heavily influence the company's market share. Despite this, businesses are obligated by law to respond to the Notice and provide all documents that meet the request. Failure to do so would result in serious ramifications.
While organisations will likely instruct a law firm to review the documents (to ensure they don't inadvertently hand over privileged material), they will still need to identify and transfer the documents for review.
With the rapid pace of technology, the way businesses store their documents and engage in day-to-day correspondence is getting more complex. Gone are the days of project documents existing in one lever-arch folder in an archive room. Now, responding to a Notice that requests copies of 'all documents', could mean trawling cloud based emails; file stores; customer or project management systems; collaborative chat or mobile systems; and archived back-up drives that date to the inception of a company. It can be a complex web navigating the collation of data from these systems.
Each Notice is different, as are the organisations that receive them. But there is some commonality in the challenges they present. It is unusual for organisations to avoid being issued a notice. We've set out our top 5 tips to assist your business respond the complexity a Notice presents.
1. Identify all the potential sources where responsive data may be stored
Create a comprehensive map of the potentially relevant systems within your business where documents are created, compiled and stored. This includes everything from cloud file stores like OneDrive, DropBox, Microsoft365; desktop drives such as individuals' laptops if they're not backed-up to servers; conversation history in Skype, Teams and other chat apps; shared servers; back-up tapes and archived hard copy boxes.
Some responsive material may exist on personal devices such as in texts or call logs on mobile phones. Consider whether it is necessary to forensically extract this material (as this has cost, time and confidentiality implications).
It may take some time to pull data from archived drives or tapes, or a phone needs to be forensically imaged. It's important to identify the data sources early, so you can plan backwards from the Response date and notify the Regulator.
2. Convene a multi-disciplinary team
If the business has security measures in place to limit employees' ability to copy or send the company's intellectual property or confidential information, it's unlikely that just any employee can collate the requisite data from each source.
Organisations will need to convene a multi-disciplinary team to effectively manage the documents. For example, IT will best understand document management systems. They will know how data is saved, backed up and archived, and could discuss retrieval of documents from old systems.
Legal departments would be best placed to consider the relevance and scope of the Notice as it relates to the business. If data needs to be pulled from a variety of sources, then privileged or sensitive material may be caught up in the sweep.
Appointing a project manager or lead to coordinate the response is a good idea. This central contact (or team of contacts, for very complex Notices) can coordinate resources, track progress towards objectives and direct the flow of information between stakeholders.
Once the team is established, they need to be empowered to conduct their work. Unless the business routinely responds to Notices, it's likely that all team members will have other competing priorities within the business. Their other responsibilities don’t stop when a Notice is issued, so it's important that leadership ensures the team is given the resources and authority to effectively respond to the Notice.
3. Preserve the data by applying holds and compressing documents at their source
It's likely that live systems will contain documents responsive to a Notice. While the team is mapping and collating documents in response to the Notice, new documents will be added and some documents may even be deleted or changed (sometimes by automated document management processes). It's important to understand the processes in place, and how they might affect the completeness of your response.
Some systems have 'legal hold' features, used to restrict modification of selected documents. If legal hold functionality isn't available, it's important to ensure appropriate steps are taken to protect documents from accidental deletion or modification.
It is as important to preserve the metadata of documents within the file itself. Metadata tells the story of each document: who initially created it, when it was created, the date it was last modified and the program it originated from. To preserve the metadata, documents should be extracted in their native form using defensible copy or export processes. Native documents are the format before any conversion. A Microsoft Word document is a native file, while the PDF created when that document is digitally printed is considered a non-native file. For those responsible for collating documents, native documents should be copied, rather than moved, and collections of files should be transferred in a zip container. Never forward emails or attach loose files to an email to send externally.
Mobile enabled chat data, and archived data presents its own distinct challenges. Mobile data may not be backed up to the same location as email and file stores, so may require special treatment. Consider the probative value of backup tapes – they are likely to hold huge volumes of documents but the cost, time and business disruption of restoring and searching the tapes may not be proportionate to the value of the documents within.
4. Clarify the scope of the Notice
The Notice will broadly set out the scope of the inquiry, but it will rarely identify the specific details or internal processes followed by your organisation. For example, the Notice may request documents relating to a project that spanned five years and involved various teams which each had their own nuanced method for storing documents.
We recommend seeking clarification from the Regulator as to the timeframe (having regard to the reasonableness of retrieving documents from back-ups or storage which are over five years old) and the breadth of the personnel involved in the project, to narrow inquiries to key people.
5. Try to refine the document set and retain records of searches for defensibility
As a general rule, the more data you analyse and collect, the greater the overall cost and time needed to review and refine the set for production to the Regulator. This is where clarifying the scope will pay dividends.
Discuss potential search parameters with personnel who are most familiar with the project, and clarify whether the key people had any changes in maiden name or nicknames throughout their involvement. Remember that most document management tools support complex searches which can combine date range, Boolean search phrases (such as "phrase1" AND "phrase2") and people (such as From X to To/CC/BCC Y"). Combining these search operators is a powerful way to limit irrelevant material.
Each person within the team collating documents should keep a record of what is (and isn't) collected and why (or why not). The simplest way to do this is to keep a log of searches run, and compile the results into separate sets in a central 'response' repository. This also means the response team can quickly identify gaps in collections, or revert to original sources where data is corrupted on export.
In very large reviews, complex data analytics and review optimisation can streamline the response to a Notice. Many organisations rely on outside help for these skills, typically bundled into their legal services. It's important to consider how higher analytics and review processes such as Technology Assisted Review (TAR) will be deployed.
Data management when responding to a Notice certainly seems daunting at first. Technically defensible processes will help you conduct a Response that is comprehensive, cost effective and scalable, irrespective of the complexity of the Notice.