[Webcast Transcript] Avoiding the Traps and Perils of Engaging in High-Profile/Public Figure Cases Successfully
Editor’s Note: On November 29, 2023, HaystackID hosted a compelling webcast, “Avoiding the Traps and Perils of Engaging in High-Profile/Public Figure Cases Successfully” featuring presenters John Wilson and Rene Novoa. This webcast provided valuable insights for cybersecurity, information governance, and legal discovery professionals supporting high-profile investigations.
A transcript of the webcast is included below, focusing on recommendations for preparing for and executing eDiscovery projects related to prominent public figures or sensitive high-profile cases. With reputation and high stakes on the line, these matters warrant thoughtful strategies to handle added pressures and evolving timelines.
By reviewing the conversation below, legal industry professionals can gain perspective on establishing the right team, workflows, and communication plans to facilitate success on deadline-driven projects in the public eye, where delays or errors could have major consequences.
Access the on-demand version of the presentation and follow along with the rich insights provided in this webcast transcript; we are confident that it will both inform and inspire your approach to high-profile/public figure investigations.
Expert Panelists
+ John Wilson, ACE, AME, CBE, Chief Information Security Officer and President of Forensics, HaystackID
As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms.
+ Rene Novoa, Director of Forensics, HaystackID
As Director of Forensics for HaystackID, Rene Novoa has more than 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management and sales activities. During this time, Rene has performed investigations in both civil and criminal matters and has directly provided litigation support and forensic analysis for seven years. Rene has regularly worked with ICAC, HTCIA, IACIS, and other regional task forces supporting State Law Enforcement Division accounts and users in his most recent forensic leadership roles.
Presentation Transcript*
Support Moderator
Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions that you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.
John Wilson
Thank you. Good afternoon, good morning, good evening, depending on where you’re at. My name’s John Wilson, and today we’re presenting on Avoiding the Traps and Perils of Engaging in High-Profile/Public Figure Cases Successfully. Hello, and welcome to another HaystackID webcast. We hope you have been having a fantastic week. My name is John Wilson. I’ll be your expert moderator and lead for today’s presentation and discussion, and we’ve already talked about the title. This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and E-discovery objectives. Today’s webcast is being recorded for future on-demand viewing. After today’s live presentation, we will make the recording and complete presentation transcript available on the HaystackID website. Our presenting experts, Rene Novoa and I, have decades of experience leading complex forensic investigations of high-profile public figure cases.
In our discussion today, we will leverage our extensive backgrounds in conducting critical investigations that are under immense scrutiny. We will share best practices for security and forensic teams striving to operate smoothly and minimize risk in these cases despite tremendous pressure, tight deadlines, and public visibility. First, a little background on both Rene and myself. As chief information security officer and president of forensics at HaystackID, I have provided consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, crypto investigations, ensuring proper preservation of evidence items, and chain of custody. We regularly develop forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms. Rene?
Rene Novoa
Oh, thanks, John. I wasn’t sure if you were going to read that for me, but I would love to go through this. Again, my name is Rene Novoa. I’m the director of forensics here at HaystackID. I’ve been in the industry for about 20 years doing a variety of different roles. I have a ton of experience both on the civil and the criminal side, doing a lot of support for forensic analysis, regularly conduct investigations in support of both ICAC, HTCIA, IACIS, and some HTCIA type of support as well. So I’m very happy to be here and, John, I’ll let you take it away.
John Wilson
Sounds great. An overview of Haystack. We’re a specialized technology-enabled eDiscovery services firm. We assist law firms, corporate companies, corporate legal departments through our global advisory practice, Discovery Intelligence, HaystackID Core and HaystackID Global Management. We’ve already talked about myself and Rene. We’ve already talked about who we are. We’re going to talk about the evolution of the challenges that we face in this space on a day in and day out basis, and especially in relation to high-profile, large matters. Not even necessarily large matters, but large public personas and the challenges in dealing with those matters. We’ll talk about a bunch of cases that are in the news, how you handle that chaos, and then how to wrap that all up and have a successful practice. So first we’ll start with the evolution. Rene?
Rene Novoa
Yeah. Thanks, John. And I think that was a good gateway as we talk about large cases and we talk about cases in the news. And we can have these cases that are large that can end up in the news if they’re not handled right, if they’re not approached right, and if they’re not scoped right. The impact of big data, that’s been a constant term probably over the last 10 years that we’ve talked about big data. But it’s become more important when we start talking about cloud data and large data. We’re talking about large repositories. We’re not just storing one piece of information. We’re storing information from several sources, whether we’re doing email archiving or we’re doing backups from mobile devices. There is a lot of information that can be accessible remotely and it’s no longer when we talk about big data, big servers and server farms where you needed physical access.
Now we have the impact of having this big data in the cloud, which has a lot of security risk, has a lot of potential for very sensitive information to be exposed and to provide these large cases into the news very quickly. And we’re going to cover some of those large datas, big cloud data and how to handle cases like that and when you’re dealing with large information, how do we collect, how do we preserve and how do we store for the long term this type of information.
As we move into mobile data, mobile data is still considered big data in my opinion. As the mobile device industry has exploded, we now have one terabyte hard drives. Because of the size … Not hard drives, but storage space. But because of the size of these data, we’re getting less data that’s being stored on your computer. We’re seeing less … Let’s say for example, iOS. Less iTunes backups. We’re seeing most of this information in the cloud. With mobile data, we have more sensitive information, both personal as well as business-related confidential information about companies, our finances, and our health, which, again, are very sensitive and can lead to very public situations. And we’re going to cover some of those in the news. We’ve had numerous celebrities who’ve had their iClouds hacked and downloaded and exposed, and it’s been very embarrassing. Maybe not financially, but to the reputation. And mobile and cloud are both sources that we need to approach on how we handle those types of cases, how we collect those cases, and how we gain access to them.
As we move into communication applications, because of how the mobile and the cloud data have worked together as we work through mobile data and store a large amount of this mobile data in the cloud, we become more productive with communication applications. The way we communicate more than just text messaging, we have ephemeral messaging services that now are deleting information after a certain amount of time or days to weeks and months. But we also have more productive components in these applications that companies are allowed with the use of MDM, some with MDM, some with not, but they’re again storing more sensitive information that if that device gets lost or if they got exposed or it wasn’t secured properly, it can be traumatic for an individual and it can also be for that organization. And individuals are going to have to come up and try to really lock that down. We get into where you’re responding to a cyber threat. You come on site and you’re trying to minimize the damage. But when we start talking about cloud, and we start talking about mobile data in these communication applications, it becomes much harder to, as a forensic professional, to really lock it down, control the source, and make sure we maintain good chain of custody and forensic best practices. John, would you continue that? I’m sorry. Yeah. Let you lead-
John Wilson
No. No. Yeah. I think we have to realize the change in the paradigm. Seven, ten or even five, three years ago, mobile devices were important. Today, we live our lives on our mobile devices. Some people operate solely with a mobile device. They don’t use the computer anymore. They use an iPhone or an iPad, or an Android flip phone, and they do everything from it. So they’re looking at their work documents, they’re communicating with their colleagues, they’re communicating with clients, they’re communicating with vendors, they’re communicating across the world or moving out into the public realm.
Professional athletes or political leaders. Anybody that’s in a high-profile position. Tech leaders in the world. They live their lives on these devices. They’re communicating everything through these devices. They’re doing their social media through these devices. So when you talk about the vulnerability or the impact of that data, it is big data because everything that a person does can all be managed, controlled and housed within that cell phone. That cell phone then can be needed for a forensic investigation. It can be needed for an eDiscovery matter or it can be needed because it’s been part of an incident, a cyber incident where data was hacked or they lost control of their device. Somebody gained control of their device. They spoofed their phone, they took over their multifactor and gained access to all that individual’s accounts. And not just the accounts, but all the data within those accounts. And that all has very significant impact.
Rene Novoa
I think one thing to follow up on, when you said two-factor impact from the mobile device, most people … I mean a lot of individuals, I wouldn’t say most. But a lot of individuals have their 2FA for their businesses and other accounts that are not just related to them personally. So those are definitely something that we’ll explore later and we’ll discuss. As we get into challenges, we talked a little bit about the evolution and John mentioned the paradigm has changed dramatically, and I think we’re finding that in our world as well as forensics. How specifically for mobile, we used to do complete images. Before iPhone four we were doing full physicals and we were getting a lot of the Nokias and the Samsungs, and we called that full physicals because we were searching for deleted information. And it did take time. It was slow. As we evolved, we got into remote kits, screen sharing, being able to send computer kits, being able to plug in and remote in and run forensic tools. The best tools that were able to do that we were able to collect. We were able to then understand what was there, document the process and it be repeatable.
And we’ve evolved even now with complete remote collections where we’re not even coming on site. We’re not even sending collection kits, we’re just targeting certain information. And why is this important how we’re collecting information with high profile cases? It’s going to come down to access. When we deal with high value individuals or high public individuals, we don’t always have the chance … John, just go back one more. We’ll definitely get to that.
John Wilson
I clicked the button by accident.
Rene Novoa
No problem. I fully understand. Yeah. And the reason why it’s important is because we’re going to talk about access and we’re going to talk about best practices. And in many cases, we don’t have that ability to do a full physical or a full file system or have the ability to take the phone from the individual and leave them offline for hours at a time because it is a 512 gig iPhone with 300 gigs of information. We only get one chance and we have to get to the correct data just because of the situation and what has been talked about. And some of those challenges again that we talk about access is 2FA.
A lot of the celebrities and athletes and high value individuals, many times you’re not able to actually meet that individual as much as we’d like to meet our favorite celebrities and people in the news. You’re dealing with executive assistants, you’re dealing with their agent or their lawyer who would just give you the phone and here’s a pin code. Well, we’re here to collect email as well and there’s a two-factor authentication. We are going to have to make these adaptions, and we have to be able to document these steps. And as we’re going to talk about the dos and don’ts is that you can start messing with the data because you’re given very little access to the device and you have to do some two-factor. You have to access the phone and have a text message being sent. We also have individuals where we cannot expose their personal information. And not that we’re in the business of exposing people, but there’s a high sensitivity of being able to collect only what is business related or what is only personal related and not releasing any type of company data that cannot be seen. And as we talk about further down the road about individuals being on multiple boards or being part of multiple companies and not cross collecting information that you’re not supposed to. Oh, I’m sorry. Did you want to add to that, John?
John Wilson
Yeah. No. We’re talking about the METAL-targeted services that we offer. It becomes really important because you may have a board member … And Rene was touching on this, but I think it’s really an important thing when you’re talking about these high profile, high level engagements. You may have a board member that’s a board member for five different companies and you can’t gather the data for the four other companies when you’re gathering the data for the one company that’s involved in a litigation. And there’s all sorts of privacy concerns, privilege concerns. There’s many, many factors around that. And so in the old days for mobile devices, it was just collect the whole device. Collect the whole device. That’s all we could do. That was industry standard. That was the practice. That was what the tools were capable of. But in today’s age, you have to be able to be more targeted, more focused and capture those specific items and deal with the two factor and the other data that you’re not allowed to gain access to and deal with the various types of accounts and encryption and all of that. Wanted to just bring that home for sure.
Rene Novoa
Next slide. I think with that, as the self collection has become more common as a request, not something that I support, but because of data awareness and the type of applications that we’re doing, people are becoming more self-aware of where their data is and being able to see where their data resides. And in a lot of cases when you have public figures and we’re dealing with high value individuals, they know how to collect some of their stuff and very much censor that information that you’re working with. You’re getting very limited data. You’re getting targeted data, but it’s not collected by you. And it becomes a huge problem and liability for the organization, for a company like Haystack to engage with something like that because we’re producing the data, we’re putting our stamp that we’ve collected this information, here’s the chain of custody, and this is our declaration of what was done and how it was done.
And when we have tools like when we have the Google Takeout and we have the self collection of Snapchat … And even Facebook, and these are just very simple examples. There are a ton of these here where they want to just give me printouts and that does not work. And there has to be a very much a consultative firm stand of how we do collections and how we approach high profile cases because everything that we do is going to be scrutinized in the media, it’s going to be put into the papers as we’re going to get into later. That with these tools and the ability to do self collections and not having full access to the data, not providing the full image, not providing as much as you can can leave you open for not doing everything that you could have done. And again, it’s going to come down to documentation, it’s going to come down to your team, it’s going to come down to the things that we’re going to talk about later, what to do and what not to do as an organization or as a group that is doing these types of investigations.
John Wilson
I think that you have to realize that not all Google Takeouts are equal or the same thing with Facebook exports or Snapchat data. Like Google Takeouts, there’s a lot of different settings and depending on what settings you utilize as to what data you get and also what level of data you get. There can be some very significant impacts and understanding when you’re doing a Google Takeout, is there 10 versions of that document? Are you exporting just the latest version? Well, what if they have a file in there called weekly agenda and they update it every week with the tasks that their team’s working on that week? And you only get the latest version, you may be missing everything relative to your litigation or to your investigation, whatever type of case it may be. But that Google Takeout may be the only access you’re going to be able to get.
They may not give you backend access when you’re getting into these high-profile public figures. It may be, “Hey, I’m going to give you the export of the data.” So that’s where you’ve got to really focus on being very consultative. “Hey, when you do that Google Takeout, I need to receive these set of options. I need to receive this set of data. Make sure that this option …” And be very clear and provide screenshots and provide strong, clear, concise communication to set those expectations properly in order to meet the needs of whatever the current matter is, whether it’s an investigation or it’s eDiscovery or litigation or whatever it may be.
Rene Novoa
Why wouldn’t we be able to not just collect that Google Takeout? Why are we doing screenshots? And are we finding that individuals are not wanting to give the key to the kingdom to give them that special password that’s probably used for all their accounts. Unfortunately, it’s not best practice in my opinion. But are you seeing that as well as is because they don’t want to turn over that password. They want us to watch or provide something. Would you disagree with that?
John Wilson
Yeah. No. That’s absolutely right. They don’t want to give you the access or in the instance where it’s somebody that’s in multiple boards, but all their email data is contained within company A while it’s company C that you’re investigating right now, but all of their email is done through company A, that’s who provides the email to that individual, that’s who provides the mobile device to that individual. All that data is commingled in there and so the administrator of company A is not going to give you backend access to all of their data. So it may be you have to be consultative and work through how you’re going to collect that data.
You also have to be very cautious and make sure as an eDiscovery practitioner or the lawyer involved in the matters, being very cautious about how involved you are versus the advice you’re giving them what to collect. Because then if they do miss something and they don’t deliver something because they missed a checkbox whose liability is that going to be? Is that going to be your liability or their liability? There’s a lot of thought consideration and concern that has to be given to how you’re going to do all of these things in order to make sure that you’re properly serving your client and delivering the solution and the outcomes that you need.
Rene Novoa
All right.
John Wilson
All right. Sorry, go ahead Rene.
Rene Novoa
No. I’m good. We can move on. Just want to make sure you’re okay.
John Wilson
Let’s actually bring that home into, hey, some current cases in the news. Disclaimer, these are not cases that we are necessarily involved with. We’re just talking about things that are in the public realm that people know about.
Rene Novoa
And this is exactly what we’re talking mobile and the backups and the collections and how we gain access. And these are just screenshots from actual clips that were found in the news, Google searches on whatnot. And some of these that many of you may recognize. But the theme is the same. It’s messaging. It is our communication. But it’s not the communication that we all used to have. We aren’t using the internal text messaging app or we’re using the native match to our phones. Whether you had an internal … I believe Lotus Notes had back in the day. We were able to communicate in between individuals, but it was all recorded. There was a central way to regulate, to audit, to collect that information. And even when we had the Blackberries and the BES servers, you still were able to get around that with the direct messages. There was some ways to obfuscate some communications. But that was WhatsApp, and some of these additional third-party apps always seemed like to me … It might be my age or whatnot, but it was gamers, and it was these other groups that were doing nefarious things and were only using these types of apps.
We’ve seen a large increase that these third-party apps are really coming mainstream and using into financial institutions, brokerage houses and how people are communicating because it’s not being recorded, it’s not being monitored unless we are collecting the phones and we’re not getting access to every individual’s phones and having to look at all that data. Especially when you look at a brokerage house or a Wells Fargo, for a financial institution, I’m not specifically on anyone, but they may have thousands of users and thousands of phones in different locations. What is it going to take for an organization to collect all that information to then do the analysis and cross reference?
And right now we don’t know in real-time what damage is done on the type of information before trades, before loans, before interest rates go up or down. These are huge things. And I think the courts in the law, it’s still far behind, but part of the condition of bails is to stop using Signal and making sure that data was still there because they know once it’s deleted, it’s gone. There is no way to recover. As my background being in data recovery for 17 years, knowing that stuff in the ones and zeros, once that database is gone and it’s not up in the cloud, there is no coming back from that. And it’s easier to take the spoliation, I would think, punishment than actually releasing some of this information. That’s not good advice. I’m just saying when we’re dealing with these large cases, large amount of information, how do we hide it and how do we collect it?
John Wilson
Yeah. And you look at the very top article here. 1.8 billion in punishments is pretty strong when you’re talking about private messaging applications that aren’t being monitored for that regulatory compliance. And it’s difficult because those applications come and go on a monthly, weekly, daily basis. Apps that were being used last month are not the same apps that people are communicating on this month so how do you stay on top of that? How do you stay ahead of that? There’s some real challenges around that. Being able to understand what applications are actually being utilized and how they’re being utilized. And that becomes even more complicated and even more important in these high-profile cases that we deal with where they’re trying to stay on the very cutting edge. You’re talking tech mobile to the head of large companies. They’re trying to stay on the bleeding edge. They’re using apps and they’re trying not to be monitored intentionally.
As the business side of it, you have to figure out how you’re going to rein that in, how you’re going to collect that information, how you’re going to even be aware that that information exists. Which I think is probably a great lead in for the next topic really. What is a high-profile case? I keep saying high profile, public figure. What is a high-profile case? And it can be a very different thing for all of us. It can be a very different thing for me this week versus next week. It can change very radically, very quickly. Rene?
Rene Novoa
Yeah. I think what I think is high profile is definitely different from other individuals. Because even if it’s not in the news, it has tremendous amount of effect as a business, as stakeholders. And the people involved in that company, if you do have some sort of breach or you do have an investigation, it could be detrimental to layoffs, to people’s livelihood. I was involved in a utility case. And there’s several incidents and unfortunately there’s a lot of lawsuits surrounding utility companies and usage. I’m here on the West Coast. As an example we have a lot of fires and a lot of responsibility and a lot of people were devastated by those and there’s going to always be an investigation. And to be clear, I’m just saying on my location, it’s not something that I was involved in. But how we would approach a utility company, something like that.
You may want to go back. What is involved in that? So in the cases that I was a part of, it was there was an incident, there was an investigation and not only did the stakeholders and certain individuals have to be preserved and do the analysis, but just for regulatory and compliance, they needed everybody that was any involved or a certain amount of years to be preserved. And that’s everybody. Now we’re not just talking about the office individuals or the C-level individuals. We’re talking about the people on the field. People that are working remotely and over a vast amount of a territory. And in this case, we definitely had to be creative. I know we’re coming into the holiday seasons and we have these pop-up stores, but we definitely had to have pop-up forensic labs to be able to accomplish a task like that.
And in this case, we had people out in the field that had to be collected. They both had computers and they both had mobile devices. Now, you cannot take an entire business like a utility company, whether it’s electrical, gas or whatever it may be, you cannot take an entire group just offline for weeks at a time while you do your investigation, while you do your collection. So in this case, we did have a pop-up forensic lab where the individuals in the area would have to drive after work, drop off their laptop and their mobile device and pick it up by the morning, which means that individuals showing up that work had to be done over the weekend. You had to handle those challenges. You would have to make sure that your documentation, your questions, your interview while you collected that information was on point because there wasn’t that, “Oh, I don’t have the right … I don’t have this. I don’t access.”
There has to be a strategy, there has to be a plan on how we approach a pop-up type of forensic lab. And I’m using the term very loosely. There’s a lot of security that goes into it, a lot of thought, overnight guards, protection of the information, full documentation. There’s a lot that goes into it. But in this case, we had thousands of devices to collect in a short amount of time, and it does require a lot of individuals and you can’t just hire temps in a sense. You can’t just get employees to do this. So it has to be something that is very strategized. You work through. You have to be creative. You have to think outside the box. But at the same time maintaining good forensic best practice because again, this is going to be scrutinized. If it’s going to be in the courts, if it’s going to go and be challenged, you want to make sure the challenge is not going to be on your process.
John Wilson
And it’s not just the court, it’s also in the court of the public eye because you’re talking very high profile, very public matters. A lot of people watching and paying attention. And then just talking about the complexities of it. You said it absolutely right. We were having to do hundreds of devices over a weekend and it was the computer and the phone for these individuals. And some of these individuals were very low-level employees. All they had was the computer and the phone, and that might’ve been the only cell phone that that user had or carried. So you had to figure out logistics around, “Hey, we’re going to take your devices. How are we going to get back in touch with you to return your device?” Or to say, “Hey, we ran into a problem. Your pin’s not working, your backup code’s not working.”
You have to really think through a very substantive amount of logistics because not only were you doing hundreds of devices over a weekend, it’s your only chance of getting at these people. The timelines were very tight for doing the work. The people’s availability. Again, it was careful logistical planning for thousands of people. And that logistical planning was because you have key employees that are providing a utility service that you can’t have all the people in a single group down. So you had to have it very logistically planned to make sure those single individuals, the balance … If there was five people within a group for instance, you could only do one of the people in that group at a time or maybe two, whatever it was. We had to figure out those logistics. What risk you could take of taking people out of the loop to be able to provide emergency response and things of that nature.
Rene Novoa
Yeah. That’s a good point. And also as you’re exchanging hardware and equipment and there’s a line of people returning the correct equipment, understanding who the individual is, making sure the logistics and setting up appointments, there’s a lot that goes into it. But it also is you don’t want to be the reason why there’s additional lawsuits for mishandling information. They didn’t have the device back at a certain time and another incident happened. So a lot of moving parts when you do something that is like a utility company, like something of an organization that has three to 5,000 possible endpoints that are scattered across. That are in the field, that are in the office and still trying to organize chaos.
And that brings me up to the next point, when we’re talking about chain stores, one of the other cases that I worked on. This, we’re talking about a lot of individuals. You mentioned from high-level to low-level individuals, but we’re talking about people. People that we can communicate with and there’s a great knowledge about … They may have known that something was going on, they were ordered to see us so we do have some cooperation. But in another case where it was doing a chain store, well, it’s a chain. Where there was some investigations. They wanted to look into some finance. And they had all that stored in the cloud, which is fantastic. They had all these kiosks’ information. I think it was about transactional information. But they had all this transactional information up in the cloud about the company over all of the stores. And I believe there was, I think 150 outlets. And they were doing the investigation. But the question came at us, are we preserving the source? Well, the source were kiosks that were recording information, were recording all the transactions, everything was just backed up to the cloud.
So if there was ever a problem with any of the information backed up, was it really backed up? Was it all the information? We had to gather those sources. But at this time, all the kiosks had been changed. The old ones had been removed and new ones had been put in place. But we were ordered to preserve the old kiosks. Now where were those kiosks? They were in the closet right next to other supplies. And we can’t have that, especially if an investigation’s going to go over maybe more than months to years. So the task was to go to every chain place and collect those kiosks. Now it’s not something I can just pull up in my truck, in my Ram and just throw a bunch of kiosks in there. There’s definitely, again, more logistics, more responsibility as to make sure that the individuals that you’re showing up to and understanding what you’re taking. The documentation, serial numbers, photographs. And it’s not something when you’re talking about kiosks, are not so easy to image on site. It’s not something that you could image and then destroy because we’re also talking about proprietary information. It’s not going to be normal Windows or iOS operating systems or even Linux for that matter.
A lot of these kiosks are built on different platforms and how we gather that information, whether we image it, how do we parse it or how do we view it? And given the time parameters, the best solution was just to grab the actual source media. And again, you have to take a lot of responsibility and it has to be planned out carefully. As an organization like a HaystackID or any other type of forensic company, you take a lot of liability, a lot of responsibility of one, to show up, to document correctly and then store and preserve those source medias and making sure that if it’s called upon, I need this store or this chain and I need this kiosk, can you find that? Are you organized to have that information or are you the liability to the investigation? That could be a big problem.
John Wilson
And even beyond just talking about the sensitive data on those kiosks, you got PCI or potentially you have PCI transactional data. You have PII. Personal information about employees or customers that can be contained in those systems. Those systems can contain varying amounts of information, and that information can be anything from totally benign product information to highly sensitive information. Clothing sizes for my customer, transactional information, credit card information, purchase histories tied to individuals. There’s a lot of significant considerations that you have to have around that sensitive information.
Rene Novoa
Yeah. And as you pick up those types of devices, you can’t leave a car overnight. Things have to be consistently planned and have a portal of safety and control. There’s a lot of controls that go with it while you’re transporting and you’re responsible when it’s under your possession. So yeah, in those two examples, in those two cases, there’s a lot of logistics, a lot of sensitivity and a lot of stress just in trying to ensure that everything goes as planned.
Going on to celebrities and athletes, I think we touched bases on some of this as far as access. You may not be able to meet that individual. You’re dealing with a third party, which also brings another level of the chain of custody, that brings another level of consultative in nature of the case that making sure that individual may be there. We definitely need to factor. We may need facial recognition. We may need things to be turned off to gain access and targeted information. Because depending on who that individual is … In the case that I’ve worked with, we’ve definitely had to be very careful and sensitive to the other data that might be on the device, both personal as well as business related into their transactions they’re on into their businesses that they’re a part of.
John Wilson
Yeah. Well, and when you start talking about high profile, again, when you start dealing with celebrities and athletes, a lot of their value is reputational. So it’s not that you’re necessarily going to go find, hey, here’s the document where the $100 million is, it’s reputational and it’s reputational damage. It’s reputational misdirection. There’s a lot of possibilities there. And so what drives those into being high profile? The data winds up becoming very different because you’re looking at protecting reputational information versus business documents, business information as to what was posted to social media by who and when and who saw that and who read it or who reposted it or retweeted it or whatever you want to call it.
Rene Novoa
Even the location of where you’re doing the collection is going to be important depending on exactly the A-list or a B-list or a photograph of you wearing your company logo on there, and it doesn’t bring good attention to you as well. So I think that both reputation, both as for the organization doing the work as well as the individual under investigation or under a legal hold. Did you want to touch a little bit on the second requests?
John Wilson
Yeah. Well, again, another type of cases that we generally deal with that we consider most of them to wind up being a high profile are second requests. And so second requests come with an entire set of their own challenges because you have to go out, you have to do these collections, it has to be very quick. That data has to then be analyzed, processed, reviewed, and delivered to the governing authority in a very short window. And then many cases you have to go do recollections, re-analysis, reprocessing, re-review for a short period at the end.
So say a second request goes on for 45 days. You may have 30 days for the initial compliance and then you have to do a re-sweep and deliver a recollection of data just for the new data, the new things in that last two week period. And so that adds a whole nother set of timing and challenges, especially when you start talking about … Again, these are typically high profile, high-level engagements, large companies and merger and acquisition deals, and there’s a lot of implications to the investigation by that regulatory authority to either approve or deny that M&A activity possibly. Making sure that you’re fulsome and complying with those regulatory requests. And again, that can be very challenging when you’re talking about a large company and 80 people, 80 custodians distributed across a large geographical area that you have to collect from twice, analyze, review, and deliver to the government all in a 30 or 45-day window.
Rene Novoa
Let’s not forget to add in certain third-party applications, communications ones that may not be easily accessible, and the type of data that is being requested. We just looked at the Wells Fargo. Again, I’m not picking on just based on the article that we’ve posted and some of the other financial institutions that had WhatsApp. And that one is fairly common, but there are Confide, Wickr, Signal that are not as easy to collect and easy to produce in that timeframe for that many individuals. So lots of challenges and things to consider when you take that on.
Which leads into some of the other articles that we were finding just about a lot of CEOs leaving, a lot of C-levels going from one company to the other. There’s a lot of retirements, there’s a lot of uncertainty after COVID that we saw a lot of transition. But I found it very interesting in some of the cases that I’ve worked on where we had not only C-level individuals but even high-level individuals leaving one company to go to a competitor. Which happens all the time.
And we’ve touched on executives sitting on several boards and the implications that has in being able to make sure that we don’t collect another company’s information because we don’t have the legal right to it. But one of the stories I wanted to say is I was dealing with an individual who was a high level individual. I believe he was a high sales individual and left the company. Went to a competitor, had non-compete, had all the legal documentation. But as the investigation started to continue, we started seeing confidential information and strategy being sent to a personal email address. But it was not his email address. It wasn’t his listed personal account. It happened to be his wife’s account. Which threw a lot of red flags because now the company did not want him to have that information. They didn’t want to have access to it. Even though he probably helped write the document or probably knew the contents, it was more the matter of fact, we need that document remediated. What else has been taken to this other computer?
And as we go through the investigation, we find that the individual’s wife only had one computer and only one email account and only looked at that email account on one computer. And the court issued that we had to do a remediation. So that was going to require us to collect the computer and do a full remediation. So our request was to show up, confiscate the computer until the court could really decide on what we were going to look at because she had personal information on there. She had her own business. She had a personal business let’s say. And her not having a computer was going to be detrimental to her business. And really the court decided that was on your husband, on the spouse to send that individual documentation. That document needs to be remediated over the next 30 days.
So based on the court’s ruling, we held that computer for 30 days while we did the remediation. We had to image, find other documentations. They had to go look at a priv log. There was a log what else has been sent over the tenure of this individual. So there was a lot of extensive going through someone’s computer that did not want to be involved. Felt like their life was being turned upside down. And it’s all because individuals are going from one company to another. Individuals are leaving and taking things they’re not supposed to. And the consequences of that can not only be financial, but it also, in this case, it was probably not a good 30 days in that household, unfortunately. I’m smirking about it. But it’s something that as individuals, we have to show up and be sensitive to that. Being able to talk through as to what is going on and understand this is not what we’re doing. This is what the court has ordered and you’ve agreed to.
So there are a lot of repercussions, not just the billion dollars that we showed with financial institutions or possibly jail time. Someone’s business was out for 30 days. So as you do your investigations, understand that there are drastic things that can happen as you leave a company or you are part of an organization or an employee leaves from your organization or you’re getting one. Be aware of what you’re accepting and what’s leaving. Because even if you bring in a new individual, what are they bringing in? What liability they can cause your company where they’re going to do an investigation and find information that you don’t want to have exposed.
John, I think we’ve touched a lot on this. As what we do, forensic best practice, very consultative, very walking them through the ins and outs and sharing some of these experiences like this is what you do, this is what’s going to happen. We need to have access. We need to have two-factor authentication. Let’s do this right. Do not self collect because we may have to come back and collect again and you cannot destroy this information. I can’t stress this enough. It’s not as easy when it is in the news and it is being scrutinized and the individuals do not want other information. You cannot have this. You cannot see my personal photos. You cannot see company B’s ledgers that are on my phone. Did I miss anything on that? Because I think we’ve covered a lot of this as these-
John Wilson
Not yet. Yeah.
Rene Novoa
But these are going to be the caveats that are going to make your job harder, that make our job harder, especially when they’re a high value individual or presumed to be high value or public facing.
John Wilson
Yeah. I absolutely agree. I think we’ve pretty much covered it, but it really comes down to that forensic first approach. It’s providing best practices, having sound defensibility of the actions you’re going to take, making sure that what you do, the processes you implement are repeatable. That’s how you drive all the way to the end and deliver successfully.
Rene Novoa
Yeah.
John Wilson
So let’s talk about how we handle the chaos, how we actually deal with the situations that we’re faced with and let’s get into some practical discussions.
Rene Novoa
Yeah. I’ve hinted around this quite a bit through the presentation of documentation. Logistics really. And these are just some of the bullet points that I’ve worked through. Having communication firewalls, email groups, code names. And really I want to circle back to communication firewalls. As a large company that a lot of these forensic companies are, you have people that have been acquired through acquisitions. Acquisition is nothing new for the forensic world or the eDiscovery world, and you’re going to get individuals that came from law firms, that came from other companies. And as cases develop over years, you may have a conflict, not with your company, but with an individual. So you want to make sure that when things are scoped and you’re working on the logistics that everyone is conflicted out. And if there are individuals within your large organization that cannot be part of it, it is important to have those email groups having those code names. So you’re not putting company X, Y, Z in it. You’re putting project happy place.
I’m just looking at my cup that has a beach logo on it. But you have project happy beach or happy place. Then all the communications, if there happens to be anything, nobody really knows who the company is. You’re really trying to sanitize what is going on. Having those rules of communication and really understanding the case so you understand that you cannot forward it. Whether we have to encrypt emails, no forwarding on. Having only certain people on that group and only working with those email groups because only those individuals in those email groups will have access to those emails.
John Wilson
And it’s talking about the rules of communication and then we’ll move on. It’s really important to understand do you have a protective order in a matter? Do you have can only a handful of people, the people that have to know any information specific to the matter? People that are specifically working on it. Does a larger distribution group work or do you have to remove the larger distribution group because the protective order requires only the specific individuals working on specific things can be aware of the activity and those specific things? Also, when you’re dealing with celebrities or other high profile people, are there rules of engagement for your communications with them? Do you have to go through a virtual assistant or a handler or a lawyer or the business manager? There can wind up being significant hurdles to overcome that you have to plan for and put into those rules of communication. So what shouldn’t you do, Rene?
Rene Novoa
None of these things. Obviously we’re not discussing the topics in main email chains with added individuals. We’re not forwarding them to team members. And then one of the big ones I really like is the buddy system. Is not getting on a phone call, especially if you are talking to a celebrity, you’re talking to a high individual, which is you one-on-one. I really believe that you need to have the buddy system. You need to have multiple people on the phone call, one to take notes and make sure that we’re documenting not only what was discussed, what needs to be done and what is going to be done and what’s left to be done. So those things and then we’re using that communication for full transparency because you definitely don’t want to get into a he said, she said, especially when it’s all in the news. You want to have that documentation. Not only for an individual, but as far as an organization. Something to refer back to in six months, 10 months, you were told to collect this, you collected this. Like, “Well, no. Here are my scoping notes. These are the individuals that are on the call. This was absolutely communicated, and this is for your protection as well as mine, that everything was done.” Especially get into regulatory and compliance and request issues. This is going to be a big no-no not to be on by yourself.
John Wilson
Yeah, I agree. I think the very next bullet is another great one is making sure that a recap or a summary of what was discussed, what the action items are, what the deliverables are, is summarized and put in writing so that everybody’s clear. There’s clear marching orders. Again, making sure that that only goes to the people that fall within the protective order, for instance, or the agreed upon communication group allows you to make sure that you’re in compliance, but defining what you’re doing.
Rene Novoa
Yep. Excuse me.
John Wilson
So now we’ll get into a little bit of storytime. Talk about some various client experiences that I think can be very interesting.
Rene Novoa
Yeah. I know we’re running close to time, so I want to make sure we get to some of the other cases. I’m not sure how many people are aware of the Panama Papers. It was a big investigation where data was leaked from a law firm. The law firm was the source of the leak. Eleven million documents, two and a half terabytes, 2.9. In 2016 when this was released, that was a lot of information. Today it might be over the weekend you’re able to process that information. But there was a lot of information that got leaked. Three years to do the investigation to come up with analysis of what the impact globally of all the shell companies and the financial repercussions for that. So I don’t want to spend too much time on the Panama Papers, but it’s something worth to look at as far as exposure and where your information is. And again, self-awareness. Where’s your data at? How are they accessing it? What is the security? And things to be aware of because definitely could be at risk. As we get into some of the other scenarios, I think everyone’s aware of the FTX cryptocurrency issues with Bankman. Again-
John Wilson
SBF.
Rene Novoa
Huh?
John Wilson
SBF.
Rene Novoa
Yeah. Well, we talked about everything was on Signal. Again, hard to collect. Requires a lot of moving parts. And who knows what we didn’t get through the disappearing messages. I think one I want to touch up before we get into the political one is the NFL. There was a coach and an announcer that got caught up into a scandal on an investigation that didn’t involve him. He was caught because there was an investigation on somebody else and these emails and the information that was spewed was found based on another investigation. So it comes to a lot into play of how we communicate, how long that communication stays there and the effects that it can have on an individual.
And I think if you’ve been watching the NFL or watching football you understand the individuals involved and the impact that it had on his career that he lost his announcing role and rightfully so for the information that was spewed. But it came down to … It wasn’t part of the investigation. It was found during the collection and it was reviewed and analyzed and actions were taken. So it’s something that when we’re cross-pollinating information, and you’re taking with the individuals from multiple boards, you don’t know what can be collected and what can be pulled into the public eye and cause quite the embarrassment. But I wanted to make sure we had enough time for the last one if you wanted to say anything on that, John.
John Wilson
Yeah. So, talking about political figures or CEOs or athletes where you don’t necessarily have direct access to the custodian. I was the independent neutral between the Trump Organization and the New York Attorney General and did not have direct access to Mr. Trump, but had to interact in writing between him and his lawyers in order to get the information needed to fulfill my role as the independent neutral. All that being said, that takes some very careful maneuvering, some challenges. But beyond that, there was a whole lot of incidents and things that occurred around that matter including my information got published in a court record where the Attorney General published a report, an email status update that was delivered to the Attorney General into the court record, including my full signature block and my LinkedIn and all my social and my email and my phone numbers. And that turned around-
Rene Novoa
Did you get any hits? You get any comments?
John Wilson
Yeah. So that turned into the bazillion posts into my LinkedIn that had to be blocked and it turned into hundreds of phone calls a day. And it becomes very important to understand how to deal with those situations because answering a call, not answering a call to those unknown numbers, making a comment or not making a comment to reporters and other commentators that are going to turn around. There’s a big difference between didn’t respond or didn’t answer to, had no comment, and there’s a lot of different angles they can take as to how they address that. And then all the way into bomb threats and personal threats. So things got a little crazy. Make sure you have some systems in place to make sure that you have some proper isolation and you have those things carefully dealt with.
Rene Novoa
A lot of logistics. A lot of planning and execution with a team that’s well-informed. I think the education ahead of time and not fake it until you make it. I know that was one of the bullet points before. And I think having a sound understanding of your tools, your process and the individuals working together really makes a difference when dealing with high profile cases.
John Wilson
And anybody that has questions, feel free to either post the questions here or feel free to contact us through the HaystackID website. Happy to talk about it. Thank you to my fellow expert here, Rene, for sharing his insights and information. We also want to thank everyone who took time out of their busy schedules to attend today’s webcast. We truly value your time and appreciate your interest in our educational series.
Don’t miss our January 2024 webcast scheduled for January 17th, focusing on notable trends in US privacy laws. Led by privacy and compliance expert Chris Wall, this webcast will explore key developments and trends impacting privacy laws and regulations across the United States. You can learn more about and register for this upcoming webcast and explore our extensive library of on-demand webcasts on our website at haystackid.com. Once again, thank you for attending today’s webcast and we hope you’ve had a great day.
Rene Novoa
Thank you everybody. Thanks, John.
John Wilson
Thank you.
*Assisted by GAI and LLM technologies.