Legal Nuances of Collecting Digital Evidence in Internal Investigations

Update: 2024-01-04 06:30 GMT


It is a debatable position under Indian law as to whether privilege can be afforded to a report prepared by an in-house counsel.

Discovering, recovering, and using digitally stored data in an internal investigation presents unprecedented complexities for the investigator. The complexity is enhanced because of the various permutations in which employees of a company store, use and exchange digital data. The use of personal devices for office work brings about the need to balance privacy rights of the individual with the corporate’s demand for data residing outside its direct control.

This article is an attempt to focus on a few key nuances that raise interesting legal issues in the life cycle of an internal investigation – with an emphasis on collection of digital data. For ease of the reader’s understanding, a hypothetical situation has been given below to analyse the legal position of the nuances that can develop while a company conducts an internal investigation.


Consider X Corp., a company that regularly interacts with government officials for approvals, and sub-contracts projects to external vendors. A vast amount of data related to X Corp.’s dealings is stored on its employees’ laptops/company issued devices. X Corp.’s employees also frequently use their personal mobile devices and tablets for conducting business. X Corp.’s employees permit the company to install monitoring software on their personal tablets, but not on their personal mobile devices. Following an anonymous whistleblower complaint regarding potential facilitation payments made by certain X Corp. employees, X Corp. urgently needs to launch an investigation to undertake damage control and disciplinary action. It also urgently needs this information to prepare for its defence in the event an investigation is initiated by a law enforcement agency.

Choosing the investigator

Initially, it is relevant to digress and understand the nuances of selecting an investigator. In the present example, X Corp. has three choices — (a) an internal team, generally comprising members from legal and compliance departments; (b) external counsel, such as a law firm; or (c) a professional forensic investigation firm.

Of these options, running the investigation through an internal team is the most convenient choice. However, it is a debatable position under Indian law as to whether privilege can be afforded to a report prepared by an in-house counsel. The Indian Evidence Act, 1872, is not clear as to whether communication between a lawyer employed in a legal department (not a practicing advocate) and his/her employer (the company) will be protected by privilege. Further, in a multinational corporation, such investigation teams are often located abroad and comprise lawyers not recognized as advocates under Indian law. In these situations, there is a significant risk that an investigation report prepared by the internal team may not be considered privileged from an Indian perspective, and its contents could be used in litigation. The same risk arises when a forensic investigation firm submits its findings directly to the client.

In the above context, engaging an external counsel/law firm is often the preferred option. The firm can, in turn, engage an investigation specialist for forensics, if needed. The report and advice provided by the external counsel would be covered by privilege. In large corporate law firms having several specialist partners, there is an interesting issue of debate — whether the same firm can be engaged to defend the client in litigation where one of the partners was an investigator and could potentially be called as a witness to justify the report. The Bar Council of India Rules (BCI Rules) prohibit an advocate from accepting a brief where the advocate anticipates that she/he may be called upon as a witness. Pertinently, the definition of an advocate applies to a natural person. As things stand, the BCI Rules do not prescribe a code of conduct for a firm of advocates. Therefore, technically it is possible that a ‘Chinese wall’ may be drawn between the investigation and litigation partners. However, it would be an unprecedented situation where a partner of the firm is counsel while the other appears as a witness.

Collecting digital evidence

Data in a company could reside in the following manner with its employees — (a) company owned data on a company owned device; (b) private data of the employee on a company owned device; (c) company owned data on a private device; and (d) private data on a private device.

In the first scenario, the company will have full control and absolute right over the data. It does not require the permission of an employee to take possession of the device and run a forensic search on the data.

In the second scenario, an employee would have stored his/her private data on a company issued device. Anticipating this situation, employers often include in the employment contract, provisions prohibiting storage of personal data on the employer’s device; and an agreement on the rights of the employer to review all data stored on the company issued device regardless of its ownership. In this case, first the employer uses the contract to prohibit storing of personal data; and second obtains a no-objection for review of such data, in the event an employee disregards the warning.

In the third scenario, the company will need express permission of the employee to access the business information that may have been stored on his/her personal device. Most employers prohibit, under employment contract, the transfer or storage of work-related data on a personal computer or cell phone. Nevertheless, if it were to happen, it is advisable to obtain consent to access and audit a personal device.


In certain cases, an employer and an employee may agree on audit rights of the employer over any device that an employee identifies that he/she will use for work purposes. There are examples where an employer and employee agree in advance to the installation of surveillance software on a personal device, which actively monitors the employee’s activities on the device. This software can be used to extract historical data in case of an investigation. A few employers also require employees who use personal devices for office work to create separate work and personal profiles, where data generated under either profile cannot be stored in the other. This provides a relatively cleaner mechanism for an employer to undertake a surgical review while guaranteeing protection against access to the employee’s personal data.

That said, these methods may not work, for example in the last scenario, if business communication happens between employees / vendors using applications such as Snapchat, disappearing messages facility under WhatsApp, etc. Such communication would often contain the clinching evidence of wrongdoing that is unlikely to be accessible in an internal investigation. In such a scenario, the employer will have limited ability to access the data as a matter of right or to demand an audit of the employee’s personal device(s). This is considering the protections regarding the storage of ‘sensitive personal data and information’ and ‘personal information’, which are protected categories under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

Usage of data and maintaining chain of custody

A relevant aspect throughout the investigation is to maintain the integrity of the digital evidence by ensuring that the data is untampered and unaltered. A chain of custody (CoC) form, maintained by compliance/ software security teams serves this purpose well. The CoC form creates an audit trail for the digital evidence, allowing investigators, attorneys, and the court to trace its movement and handling from the initial collection to its presentation as evidence.

Pertinently, Indian law does not subscribe to the principle of ‘fruit of the poisonous tree’, in relation to evidence that may be collected in violation of law, because courts in India give precedence to the relevance and probative value of evidence over the manner of its collection. Nevertheless, the aggrieved party could initiate separate action against the employer for obtaining data in violation of law.

Conclusion

In sum, each step of the investigation requires thoughtful decision making by the investigator to be certain that the collection of data is done under an appropriate protective mechanism, which reduces the risk of pushback or liability incurred either by the investigator or the client. This article covered a few of such nuances that develop in the relatively uncharted subject of internal investigations. It is expected that the provisions of the Digital Personal Data Protection Act, 2023, once notified, will be a step forward in bringing more certainty on the subject.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.


By: - Pallav Shukla

By: - Srishti Khare

By: - Lakshay Batra
