Disputes, Investigations and Emerging Data Sources

Disputes, Investigations and Emerging Data Sources Antonio Gesteira e Felipe Palhares
Image: Kaylee Walstad, EDRM

[Editor’s Note: EDRM is proud to publish the advocacy and analysis of Antonio Gesteira and Felipe Palhares. The opinions and positions are those of Antonio Gesteira and Felipe Palhares.]

Throw the first stone who never started a WhatsApp conversation, switched to Instagram and continued the chat via direct message on LinkedIn. At the corporate level, the same logic applies: an email exchange can continue in Teams, later the subject is discussed in a meeting via Zoom and end up in an action plan compiled in Trello.

With the evolution of technology and the increasing digitization of the work environment due to the pandemic, countless emerging data sources have emerged, which were previously not used for exchanging corporate information but have now become ubiquitous.

An emerging data source is any cloud-based database, collaboration platform or application used for business purposes. The best known are Microsoft 365, Google Workspace and chat tools like Slack and WhatsApp.

In the context of research on emerging data, there are 4 pillars that should be considered as a paradigm shift, they are: (i) shared access without user identification; (ii) chat messages with quick content removal; (iii) sharing content and documents with links and hyperlinks as an attachment; and (iv) access to several versions of files, making it difficult to see the historical content.

By nature, cloud applications are constantly changing, improving and adjusting to business and productivity needs. While the rapid pace of change can be beneficial from an end-user perspective, it is equally problematic in the context of data governance, compliance, investigations and legal discovery. When a new functionality or adjustment is performed without proper change control, new vulnerabilities emerge and specialized investigation teams work to identify, preserve, collect, analyze and review platform data.

The e-Discovery and compliance features available on certain platforms also change frequently. This may affect data export formats, and bring changes in export options, the inclusion of linked content and attachments, as well as relevant metadata.

The use of emerging data sources represents a complex challenge for litigation and investigations that require the analysis of conversations and information exchanged by electronic means. Considering the variety of technologies used daily in the corporate environment, the mere knowledge of all the applications that are used by employees of an organization already proves to be an arduous task, especially when the use of certain software has not even been cataloged by the administrator of the company’s technology resources information (a practice known as Shadow IT).

Added to the challenges is the need to collect and organize this vast amount of information, which, for the purposes of a corporate investigation or to serve as evidence in the resolution of disputes, needs to be concatenated with all other available data sources, allowing you to draw a timeline of events and properly assess the facts that occurred, based on concrete subsidies and the preservation of the chain of custody.

In the context of research on emerging data, there are 4 pillars that should be considered as a paradigm shift, they are: (i) shared access without user identification; (ii) chat messages with quick content removal; (iii) sharing content and documents with links and hyperlinks as an attachment; and (iv) access to several versions of files, making it difficult to see the historical content.

From a legal point of view, obtaining such data also encounters possible complications and limitations. Due to the rules established in the General Law for the Protection of Personal Data (LGPD), any personal data processing activities – which include the collection and analysis of information – must respect certain general principles and specific requirements, such as the existence of a hypothesis legally provided for in the legislation.

In this scenario, it is essential that organizations adopt at least the following measures: (i) have an inventory of applications used by their employees to exchange information; (ii) investigate the existence of unknown tools that are being misused; (iii) establish internal policies on the use of tools, data retention and eventual limits on the adoption of proprietary devices; (iv) are prepared to analyze data from emerging sources, with technologies that allow a sequential evaluation of events, even if collected from different sources.

In this regard, the expectation of privacy of data subjects (which include employees of an organization) is a relevant point to assess the compliance of data collection from emerging sources with the provisions of the LGPD. Although there are reasonable arguments to defend that an employee should not have a high expectation of privacy when using tools made available by their employer, the frequent adoption of bring-your-own-device policies by organizations, which allow employees to use their personal devices to carry out their corporate tasks, makes the situation cloudy.

The same difficulties are present under the prism of data protection and information security. When messages are exchanged through instant messaging applications installed on cell phones for personal use, how can one guarantee that the respective employee will not delete the entire message history, or even that he will use a secure application for the exchange of sensitive information?

In this scenario, it is essential that organizations adopt at least the following measures: (i) have an inventory of applications used by their employees to exchange information; (ii) investigate the existence of unknown tools that are being misused; (iii) establish internal policies on the use of tools, data retention and eventual limits on the adoption of proprietary devices; (iv) are prepared to analyze data from emerging sources, with technologies that allow a sequential evaluation of events, even if collected from different sources.

Without them, the proper analysis of data from emerging sources during future litigation or internal investigations may be compromised, bringing potentially irreparable damage to the respective organizations. Isaac Newton’s famous quote also applies to emerging data sources: “What we know is a drop, what we don’t know is an ocean”.

Authors

  • Antonio Gesteira

    Antonio Gesteira is a Senior Managing Director within the Technology segment at FTI Consulting, and a seasoned e-discovery and forensic technology expert with more than 20 years of experience in supporting complex investigations and litigations. He has delivered more than 300 projects spanning emerging technology, data services, information security, internal and external audit support and electronic tax consulting across a variety of industries. He has led large investigations and risk management efforts in Brazil and internationally. As the Technology segment’s leader for the Brazilian market, Antonio works with clients to address a broad range of corporate risk and respond to high-stakes legal and regulatory matters.

    View all posts
  • Felipe Palhares

    Felipe is a partner at BMA Advogados in the Data Privacy and Cybersecurity practice of the firm. He has been recognized in the 40 under 40 survey conducted by Global Data Review in 2021, and ranked as one of the best data protection Brazilian lawyers by Chambers & Partners, Latin Lawyer, The Legal 500 and Leaders League. Felipe is also the first individual in the world to have earned all current certifications and designations issued by the International Association of Privacy Professionals (IAPP), including CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, CDPO/FR, CDPO/BR, FIP and PLS. He holds a Data Protection Officer Professional University Certificate (ECPC-B DPO) from Maastricht University, and is a Certified Data Privacy Solutions Engineer (CDPSE) by ISACA. Felipe is admitted to practice law in New York and in Brazil.

    View all posts

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.