[Webcast Transcript] Building a Resilient and Repeatable White-Collar Investigation Playbook
Editor’s Note: White-collar investigations unfold fast—sometimes before sunrise. When the call comes in, there’s no time for guesswork.
This webcast from the EDRM, hosted in partnership with HaystackID, offers legal and investigative professionals a rare inside look at building an effective, repeatable playbook for white-collar investigations. With insights from leading voices in legal compliance, corporate risk, and advanced eDiscovery—including HaystackID EVP Bryan Bellack, Liberty Mutual’s Jordi de Llano, and Holland & Knight’s Michael Hantman—this session brings clarity to chaotic first-response moments, cross-border regulatory friction, and data governance challenges.
For cybersecurity, information governance, and eDiscovery professionals, this conversation is a blueprint for how modern investigations must be handled—from preserving privilege to leveraging GenAI for faster and more accurate discovery.
If you deal with incident response, compliance risk, or digital forensics, this is a must-read transcript to keep within reach the next time an early-morning call turns into a corporate emergency.
Expert Panelists
+ Bryan Bellack
Executive Vice President, HaystackID
+ Michael Hantman
Partner of White-Collar Criminal Defense, Internal Corporate Investigations, and Compliance Services, Holland & Knight LLP
+ Jordi de Llano
Global Financial Crimes Officer and Vice President, Liberty Mutual Insurance Company
+ Mary Mack
CEO, Chief Legal Technologist, EDRM
[Webcast Transcript] Building a Resilient and Repeatable White-Collar Investigation Playbook
By HaystackID Staff
Before the Headlines: Inside the 6 A.M. Call That Tests Everything
At 6:00 a.m., the general counsel of a multinational pharmaceutical company jolts awake to a whistleblower’s report of systemic fraud. Offices across the U.S., Europe, China, and Latin America are implicated. In minutes, the organization will move from routine operations to full-blown investigation.
This was the high-stakes hypothetical used to launch the recent EDRM webcast, Building a Resilient and Repeatable White-Collar Investigation Playbook, hosted by Mary Mack and sponsored by HaystackID. But for many in legal, compliance, and cybersecurity circles, this isn’t a hypothetical—it’s Tuesday.
The panel brought together voices from across the investigative spectrum. Bryan Bellack of HaystackID, Jordi de Llano of Liberty Mutual, and Michael Hantman of Holland & Knight offered a rare, behind-the-scenes look at what really happens in the early hours of a white-collar crisis—and how seasoned professionals prepare before the call even comes.
Michael Hantman likened the experience to “changing a flat tire on a car going 60 miles per hour.” Everything must happen at once: data preservation, privilege protection, stakeholder coordination, and a clear-eyed assessment of legal exposure. Miss one step, and the consequences compound quickly.
Jordi de Llano emphasized the importance of timing and structure. “The best plan,” he said, “is to have a plan in advance of the 6 a.m. call.” That includes knowing where your data resides, which jurisdictions it touches, and what tools are required to secure and review it rapidly. He stressed that understanding criminal exposure and executive involvement are two key drivers that determine how quickly outside counsel is brought in.
Privilege, predictably, was a dominant theme. Both Hantman and de Llano stressed that internal investigations must be meticulously structured to protect it—especially in situations where senior leadership could be under scrutiny. Outside counsel isn’t just helpful; they’re often the shield that protects the investigation from collapsing under legal risk.
The global nature of modern data environments adds layers of complexity. Hantman walked the audience through examples of how privilege and regulatory protections differ wildly between jurisdictions—from China’s expansive state secrecy laws to Europe’s strict GDPR mandates. Having pre-established relationships with trusted local counsel is no longer optional. It’s a survival strategy.
From the provider’s perspective, Bellack highlighted the growing demand for tools that can keep pace. He detailed how GenAI and investigative analytics are changing expectations in the early stages of document review. “We’re not just talking about speed anymore,” he said. “We’re talking about clarity—being able to make informed decisions 48 hours after collection, not two weeks.”
Tools like Relativity AIR and eDiscovery AI now allow investigators to surface relevant narratives, communication anomalies, and co-conspirator patterns almost instantly—while maintaining defensibility and reducing review costs. But Bellack cautioned that technology still needs a human overlay: validation, context, and conservative application remain critical to avoid false leads.
Perhaps most compelling were the insights on witness interviews. The panel acknowledged that many professionals underestimate the cultural and psychological nuance required to conduct effective interviews across borders and hierarchies. Charm, credibility, and clarity often win out over authority. “You don’t always need a stick,” Hantman noted. “You need trust.”
As the discussion closed, the message was clear: companies that don’t prepare in advance are gambling with time, credibility, and compliance. From building internal data maps to scripting crisis communication playbooks, readiness isn’t a luxury—it’s a mandate.
For those navigating the intersecting worlds of cybersecurity, eDiscovery, and regulatory compliance, this session wasn’t just informative—it was instructive. It reminded everyone listening that when the stakes are high and the timeline is tight, success depends on repeatable processes, cross-functional collaboration, and the right mix of legal and technical fluency.
Because when that 6 a.m. call comes, the investigation has already started.
Watch the recording or read the transcript below to learn more.
Transcript
Mary Mack
Hello everyone, and a warm welcome to the EDRM Educational Webinar. I’m Mary Mack, CEO and chief legal Technologist for EDRM. I’m delighted to moderate today’s session, “Building a Resilient and Repeatable White Collar Investigation Playbook”. Today’s program is proudly hosted by EDRM and sponsored by our longtime trusted partner HaystackID. We are recording today’s webcast for future on-demand action, and slides will be available after the webinar. The webcast will be available on the EDRM Global Webinar Channel to help support your ongoing learning and reference needs for the next quarter. Holly Robinson, EDRM’s Senior Marketing Operations Manager, is here. Holly, can you please tell us what resources are available today?
Holly Robinson
Yes, thank you, Mary, and we are loving ON24 with so many more ways for you to engage. If you look at the bottom of your screen, you’ll see the console. The question mark icon is where you can type your questions for today’s faculty, and we highly encourage you to do so. You’ll also see the paperclip icon. If you click on it, you’ll find today’s resources. You can download the ON24 engagement tool descriptions to help you better engage with the platform. There’s also a link where you can learn more about HaystackID’s exceptional services. If you’d like to connect directly, there’s a link to schedule a meeting with the experts at HaystackID. You can also visit HaystackID’s Newsline for cutting-edge insights.
You’ll also see a registration link for HaystackID’s upcoming webinar, “Framing Construction Discovery’s Future with AI Power Document Review”, happening on November 4th. We’d love to have you join us again, and be sure to register for our upcoming webinar tomorrow, “Beyond the AI Hype: External Intelligence Delivers Outcomes You Can Trust”. If you’d like to learn more about today’s faculty, click on the speaker bios and they’ll pop open with more details about our presenters. And just like on Zoom, you’ll see the smiley face emoji and lots of other reactions. We highly encourage you to use them throughout the webinar. And finally, click the LinkedIn logo to follow EDRM and HaystackID on LinkedIn. Back to you, Mary.
Mary Mack
Thanks, Holly. This session addresses the escalating demands of white-collar investigations, where every minute counts and best practices must be both resilient and repeatable. Our expert panel will break down methodologies for managing multi-jurisdictional investigations, share strategic frameworks to guide early response, and showcase how AI and emerging technologies empower teams to surface risks and triage massive data sets even in cross-border scenarios complicated by privacy laws and regulatory complexity.
Before diving into the agenda, let’s meet our panelists, our distinguished panel of experts. We have Brian Bellack. Brian is the Executive Vice President of Business Development for HaystackID. He’s responsible for global sales and business development of HaystackID’s eDiscovery, Cyber Incident Response, White Collar, and Investigation Solutions. Before joining HaystackID, Brian was a Managing Director at BDO’s consulting practice, where he led sales for their forensics technology division. Brian also serves as an advisory board member for Guardrail Technologies, an AI risk management platform. He’s a CEDS and he holds certifications from Harvard Online and eCornell.
We also have with us Michael Hantman. Michael is a litigation partner at Holland and Knight’s Miami office. His practice focuses primarily on white collar criminal defense, internal corporate investigations, compliance, and complex business litigation. He assists companies and individuals in investigating and responding to and defending against government scrutiny, whistleblower complaints, enforcement actions related to allegations of bribery, fraud, and accounting, misrepresentations, kick backs, money laundering, and other ethical issues. Mr. Hantman recently co-led the representation of Liberty Mutual Companies, which resulted in a declination with disgorgement resolution with the Department of Justice, the first such resolution under the second Trump administration.
We also have with us Jordi de Llano. Jordi is the Global Financial Crimes Officer and Vice President at Liberty Mutual Insurance Company, where he leads a global team responsible for anti-corruption, sanctions, and anti-money laundering compliance programs. A former federal prosecutor and Deputy Chief of the Securities, Financial, and Cyber Fraud Unit at the US Attorney’s Office for the District of Massachusetts, Jordi brings over 15 years of experience investigating and prosecuting complex financial crimes and advising corporations on compliance and risk management. He previously served as a partner in a law firm. The opinions and views of our wonderful panel that will be discussing all of this are not those of their organization, and no legal advice is being provided. And with that disclaimer, Brian, do we have some things to discuss?
Brian Bellack
Thanks, Mary. Of course, the great Mary Mack. We really appreciate you hosting us here today. So this is just a few of our session objectives and panel roles today. What we really want to do is provide you with a repeatable, defensible process that you can walk away with. We’re going to highlight a few key areas, but a lot of the things that we’re saying have a core foundation you can use. We have a panel of in-house counsel and outside counsel who are experts in working on these types of investigations, and we’re going to get their insight and feedback.
Let me set the stage for you, and then we’ll get started. Okay, it’s 6:00 AM. Monday morning, you’re waking up. You are the general counsel of a global pharmaceutical company. It’s multinational with offices in the US, EU, China, and Latin America. You get a phone call. On the other side of the line is someone in your company telling you a whistleblower has alleged systematic bribery, corruption, and fraud throughout the company and across all of those jurisdictions. Okay. So you have a crisis on your hands right away, as soon as you wake up. Everything you do next will impact the future of the company. So with that being said, I’m going to turn it over to Jordi, who’s our in-house counsel, to find out, what do we do next?
Jordi de Llano
Thanks, Brian, and thanks, Mary, both of you for having me and inviting me to this panel. Very excited about it. So with that call at 6:00 AM in the morning, I think the first two considerations, the most important considerations, are what is the nature of the allegation and what is the potential exposure to the company? That is what, primarily, will drive the next steps in my mind. Why does that matter? If the allegation concerns criminal exposure for the company, certainly that requires a different level, a different type of approach. Similarly, if the allegation concerns high-level or potential high-level involvement within the company, that could also determine how quickly I choose to engage or seek to engage outside counsel.
Here, the scenario you presented implicates both of those things. So corruption, bribery, and fraud at a systemic level suggest that there is potential criminal exposure and certainly potential involvement at the highest level. So in that scenario, I would more than likely be reaching out to outside counsel fairly quickly following that 6:00 AM call.
Brian Bellack
Got it. And Michael, you pick up the call from Jordi, and now you’ve got a crisis on your hands.
Michael Hantman
Yeah, I’d better make sure my ringer is on. It’s not usually at 6:00 AM. So yeah, keep the ringer on, I guess, is tip number one. I think that in those early moments, there are a few critical things that we pay a lot of attention to. Jordi sort of touched on a few of them. One is preservation. And it’s probably, if you only take away one thing from what I say today, that is the number one. You cannot have a circumstance where, in the days or hours or months or whatever, after outside counsel is retained, things are being destroyed, deleted, whether on purpose or by the company’s auto-deletion software. That will set you on your back foot instantly. Second, I would say, is privilege. In internal investigations, guarding privilege is sacrosanct. There are a number of different ways to accomplish it, ensuring that counsel is providing legal advice, not business advice, is an example, making sure when you interview folks, you’re providing Upjohn warnings.
If there are other outside counsel involved, making sure there’s a common interest agreement, something along those lines. The investigation really must maintain privilege to the maximum extent possible. Another key initial fact is, who is the client? In most circumstances, a transaction or civil litigation. That is not a hard question to answer. It’s the company. Well, here, Jordi talked about “systemic” and how this might implicate the highest levels of the company. Well, if the company itself, thereby the management of the company, is who you are answering to, that may very well be untenable. If the guy that’s directing you or the woman that’s directing you is being alleged to have committed wrongdoing, you’ve got a problem on your hands. So oftentimes we would select an independent committee of the board of directors, sometimes an audit committee or a risk committee, but those are the types of important considerations you need to engage in.
And then I would say two more. One, who is your day-to-day contact at the company? If I just call up the head of IT, he’s going to say, “Who the heck is Michael Hantman?” You need somebody, an honest broker who can help you get access to the people you need access to, to the data you need access to, who will give you the entree to certain people whom you need to work with to acquire data, documents, things like that. And then I would say the fifth one is, how did this start? Sometimes these start with a grand jury subpoena. Oftentimes, they’ll start with a whistleblower. And I would say that very early on, if it is a whistleblower, developing and giving thought to a strategy to keep that whistleblower communicating with you and not with the newspaper or not with the federal prosecutor or not with a federal regulator.
And oftentimes that can be accomplished through a combination of “we take this very seriously” and some level of charm. Whistleblowers sometimes are in it for the money, but sometimes, many times, they’re in it for wanting to be taken seriously. They care about this organization, and they don’t want the organization running afoul of the law. So we have been successful in a number of cases of keeping the whistleblower talking to us and honest with us, but not going to a lawyer or the newspaper or somewhere else.
Jordi de Llano
Brian, can we perhaps unpack that privilege piece that Michael referenced? I think that’s a really important piece for the group to hear about. In many instances, depending on the size of the organization, an initial whistleblower allegation or a complaint may be dealt with internally to conduct a preliminary review or a preliminary investigation. That is not uncommon. Certainly, it can involve the legal department, or if the organization is large enough, perhaps have an investigations department or a compliance department that is handling that initial review. It is very important, though, that where there is criminal exposure or where there is a need or a potential need for privilege to attach, that is being handled by outside counsel in conjunction with the company.
Now, if it is an internal resource that has both, let’s say, legal and business responsibilities, it is critical that a plan is formulated very early on to identify when that person has their, let’s say, lawyer role hat on advising the company and when that person has their business hat on. And so that is really one of the key aspects, underscoring the engagement of outside counsel. And the sooner you can get to that decision point, the better you are for the internal investigation.
Brian Bellack
And Jordi, to that point, I also wanted to touch upon the preservation comments that Michael made, especially with regards to, you know, there’s preservation and data collection. Preservation is a little bit easier to do. We’ll talk about data collection a little later on, but even if you have to preserve data from an executive in the organization, you probably have to notify that person. And so there is definitely a nuance depending on the engagement, and there’s really a nuance to that. The preservation process is critical, and typically you’ll rely on a provider, an eDiscovery provider like HaystackID or another type of provider to collaborate upfront in terms of developing a defensible plan, mapping out where all the different data is, understanding the different jurisdictions, and whose data you need. Also, trying to narrow down preservation. You don’t want to preserve everything in the business, and you don’t want to disrupt the business.
So, how can you do this tactically? So that’s an important part of the process. Now you have the cloud that you have to deal with. You have lots of different preservation points. Mobile data, five years ago, six years ago, not every investigation would include a mobile phone, maybe a handful. Now every single investigation includes one or two multiple devices. So we have to preserve that data, and then we’ll talk about collection in a little bit, but the critical point that Michael mentioned.
Jordi de Llano
Yeah, and the reality is the best plan is to have a plan in advance of the 6:00 AM call. So you understand where all the data is and what the challenges may be in preserving and subsequently collecting that data. You mentioned the cloud. I think we’re in a better position now if organizations do have their data centralized or backed up to some sort of cloud computing service, such that we can preserve it or at least disable the deletion, the auto-deletion function immediately, and companies should be able to be in a position or have a plan to do that. And it’s independent of whether outside counsel is engaged to tell them to do so.
After that, as soon as you engage counsel, you would want to come up with an investigation plan that includes the very key and early details about how that data is going to be preserved and then subsequently collected. So it’s really identifying what is irrelevant or where the pockets of data could lie. It could be mobile phones, it could be localized laptops, et cetera. But for the most part, if you take away anything, it’s to have a plan in advance of that 6:00 AM call.
Michael Hantman
I would reemphasize what Jordi said about the importance of a plan. The way I describe these types of investigations is it’s like trying to change a flat tire on a car driving 60 miles an hour down the highway because you can’t just stop everything. The company is operating, it’s trying to make money, it’s trying to do business, it’s trying to do… And if you don’t have a plan, sort of anticipating what could come, it will upend everything. You won’t be able to make future business plans. You’ll have the general counsel’s office running around with their hair on fire. So, to Jordi’s point, having a plan, whether you’re under investigation or not, everybody should have one. Big company, small company, everybody needs one.
Brian Bellack
It’s hard to get corporations to be proactive when, as you said, everything is moving forward. For example, data is often disparate. It’s not organized, right? Every company has a discretionary budget to work on things like info governance, but then life gets in the way. Business gets in the way. A cyber breach could get in the way. And so it’s always going to be a challenge, but if you can get the company in some kind of readiness state, even having a policy or plan, and practice it out a couple of times, you’ll take them a long way.
Michael Hantman
It’s funny you say that, Brian, because I joined Holland and Knight 19 years ago, and back then, we would try to sell companies on the importance of having a compliance program, which has a plan of action for investigations and things like that. And it was a hard sell back then. That has really changed in the last 19 years. You see countries that never cared much about compliance, having requirements that companies have robust compliance. You saw it a lot in Brazil as a result of the Operation Car Wash case. And a lot of countries in LATAM, as an example, never really cared that much. They do now. So it is an easier sell these days. People realize the vitality and how it’s a requirement in big business.
Brian Bellack
And data has actually come a long way, too. I mean, from a company perspective, 10 years ago, everyone was a mess. Now, not everyone is a mess. Some are even categorizing their data; they’re finding their high-value data and being able to really organize and search it to prepare. If they are a litigious organization, it’d be wise for them to prepare to do that. These investigations come, and you never know. But as a large organization, if you’re dealing with global regulatory issues, you should be prepared to defend for that.
I think we just wanted to make a comment, Jordi, on the communication and the briefings as this is going on, as you’re working with Michael and having to share information with the group at the company. What do you do?
Jordi de Llano
We’ve jumped to the spot where we know that there’s an internal investigation that’s necessary. We see that there is certainly exposure, and we have to update senior executives and perhaps the board of the matter. You want to do it early on so that it is approached in a transparent fashion. And to the extent there is senior leadership involvement, we want the board opining on the direction of that investigation. Oftentimes, it is, like Michael said, identifying who the client is, and it could be a committee of the board. It could be the board itself or the audit committee, for example. Not so much the company itself. But I think in the initial moments, you update them, and then you keep them periodically updated on the progress of the investigation. It could be perhaps not the board on a… I see the slides 48-hour initial and a weekly cadence thereafter. Maybe not that frequently. Again, depends on the size of the organization, but certainly, there is a very constant feedback loop and update loop with counsel, legal department, and senior leadership for sure.
Brian Bellack
And all communications are essentially flowing through Michael to the extent possible to protect privilege.
Jordi de Llano
I don’t think they have to flow through outside counsel communications internally to the extent there are… If it is a communication. So, the in-house resources that still have privileged communications, however, you want to have outside counsel involved in as much of that, because you’ve hired lawyers for that reason. You want them to be up-to-date and up to speed on what is going on. It’s not necessarily that an in-house communication would not have privilege protection because it will. As long as you have clearly defined the scope of the investigation and the roles and responsibilities of the in-house folks.
Michael Hantman
Yeah, I would say that privilege is… It’s easier generally to protect it when it’s an outside lawyer, but to Jordi’s point, of course, in-house counsel enjoys privilege, communications with board members, but you have to be cautious of how you do it. But the other point, of course, is we had talked about systemic, and if this flows to the highest levels of the C-suite, that general counsel might be advising the board about misconduct of his or her boss. That’s problematic. And so in certain circumstances, you would want outside counsel to do those briefings. Again, it just depends on who the allegations are about.
Brian Bellack
Which takes us now, Michael, to, we’ve established privilege, we’ve done our preservation, got a handle on things. Now we’re looking at these different jurisdictions.
Michael Hantman
Yeah, this is probably right at the top of the list of most important things you can… Decisions that you have to make. I would say one very important thing as a lawyer at a law firm who does a lot of this type of work is don’t wait until a Jordi or a client calls you. Hey, we need a lawyer in local counsel in Turkey. Don’t wait until that point to identify the types of lawyers that you want to work with in different jurisdictions. I probably have a list of 40 or 45 countries where I have a few go-to people that do this type of work. And the countries, especially in the FCPA type of situation, they’re the ones that you think of. It’s not so much Western Europe as an example. It’s more countries that don’t do as well on the corruption index. So have your list together. And sometimes in a large country, maybe it’s a few people on that list, some that tend to focus more on financial crimes, others who might focus more on adulterated pharmaceuticals, as an example. So essentially, you can quickly turn to that list.
Privilege is something that we in America are very comfortable with, and we know that in many circumstances or in most, it’s sacrosanct, and the court usually will not invade it. That is not the case in many, many, many countries around the world. So, engaging local counsel is vital in certain parts to protecting that privilege because the privilege rules in the UK versus China or perhaps South Africa really are different, and the nuances are vital. And there are ways, as an example, in a country or a jurisdiction, that privilege isn’t as sacrosanct, to keep protecting it. As an example, let’s say Cuba is where you’re working; the Cuban regime does not really recognize privilege the same way we think of it. So if you have a Cuban lawyer, you can give them access, for example, to a shared drive so they can see the investigation documents. They can get up to speed, but you can cut off that access at a moment’s notice, as opposed to emailing it to them, in which case the Cuban government can just come in and take it.
And then you also have the added component where, here, probably the US, is maybe where our biggest concern is. We might want to let the US regulators or law enforcement drive the train somewhat, but if this company is doing big business in other countries around the world, you need to develop a plan as to how to protect the company. Do you have to make disclosures to your regulators or to law enforcement in those nations? Well, and now do you have a piling-on situation where you’re defending this conduct in a dozen jurisdictions? So, engaging local counsel is vital and is right at the top of the list of things that you must do in order to act quickly.
Brian Bellack
From the technology provider, we really lean on local counsel when they’re engaged to help us navigate some of the cultural norms in different jurisdictions. Every country is unique. Some countries require human skills to be able to access data. You might have the piece of paper in hand, saying I can go and collect that. It’s another thing to actually do that. So we really lean on local counsel. Sometimes we lean on them for resources like real estate. We need to park our equipment there. That’s if we go on site. Nowadays, collection, especially on global matters, has taken a turn for the better, I would say, with the technology that’s available. A lot of these collections used to only be able to be performed on site. And sometimes with tricky data, it might have to be, but new tools have emerged for the investigative community around remote capabilities.
Some of them are so good that you could actually just tether that phone to a PC, keep using your phone, and everything can be downloaded. That could be a good scenario if you need information earlier. If you need to do a forensic image and bring that back, that’s not going to be the right solution. So what’s the next solution? Well, there are remote kits available where we’ll send that to the custodian, and the custodian can plug in and do the collection. A little more complicated, but again, everything stays with them. That creates comfort.
This is really critical, as I mentioned before, with mobile devices, getting our hands on them. The easier we make it for them not to say no, the easier it’ll be for us to collect data. We typically are working hand-in-hand with counsel and in-house counsel, IT officers on the ground. The people that are coming to the collection are typically seasoned people because they’re dealing with different jurisdictions, they’re dealing with different rules and regulations, and in different jurisdictions, there’s often different types of data. And so you need people that are a little bit more experienced than a normal subject matter expert that does collection. So you want to make sure this person has done this before. Once you collect the data, we need to make decisions about what to do with it. And this is really when we continue to work with counsel, can we call some of that data out?
Do we need to actually look at some of this data at all? There’s a lot of different tools we can bring, and it leads us, I think, to these cross-border constraints that I wanted to touch upon, being that we’re in different jurisdictions. I’ll touch upon China for now because it’s the most complicated. So we’ve collected the data, now we need to look at it, right? If we’re in the US, it’s typically pretty easy. If I collect the data out of Chicago, I can host it in a tool in the United States, unless there’s a state privacy issue, and lawyers can look at that data right away. But in China, they have certain rules like other countries do, but theirs is very strict as it’s a state secret regulatory regime, which requires you to remove any data that could compromise their national security or their state secrets.
And on top of that, there’s only a handful of companies in China that are authorized to do that work. So providers around the world have to not only understand what they need to do once they have data in China, but they also have to have relationships with the folks in China that can help them do this work, and then hopefully get some of it out. Sometimes all the work has to be done in China. It’s a very unique jurisdiction right now compared to others. In LATAM, sometimes we’re just dealing with complicated places to collect data, difficult to move equipment and resources around. Some places don’t have power or infrastructure. And so these are kind of like the practical concerns around collecting data. But what we’re trying to do at the end of the day is collect it as quickly as possible and get it back in the hands of Jordi or Michael.
Michael Hantman
It’s interesting, Brian, that you touched on the state secrecy laws in China because anybody listening to this who hasn’t done work in China probably thinks, “What is Brian talking about?” A pharmaceutical company engaging in misconduct? How can that be a state secret? Sort of as Americans, we think, oh, a state secret must be like national security or something like that. But to Brian’s point, it is much, much broader in China. Things like work secrets are covered under the state secrecy laws, and you are not going to be very successful in doing work in China if these things aren’t front-of-mind, because you can imagine what types of harm may befall the lawyers, the company, the investigation if you are cavalier about the China state secrecy laws.
Jordi de Llano
I’ll add to that. It’s not just for China, but it’s back to my original point: have a plan beforehand. Companies should know everywhere they operate, where their data is, and should understand what the obstacles are for reviewing, collecting, and transferring that data. And I think we’ve come a long way as different countries’ laws and regulations regarding data, cross-border data transfer, state secrets, and data privacy laws have evolved. We have entire practice groups at law firms that focus on this work, and we should have a very good idea in advance of that 6:00 AM call or this internal investigation to understand what the obstacles are, what the obstacles could be in the event that an investigation needed to review data that’s located abroad.
Brian Bellack
And these rules are constantly evolving too, so you have to stay on top of it, all the data privacy officers that work on that. And in the EU, just to kind of cover it with the GDPR protection of PII and PHI, you can’t pull data out of Europe without making sure that you’re not pulling any protected data. And so it’s different from a state secret review. You can get waivers, you can conduct a small review, and then move data out. In China, everything has to stay there, but that’s also a constraint. So you want to have a plan around Europe, to Jordi’s point, and really make it regional if you can, if you’re a large multinational.
Michael Hantman
And again, that falls back right on the concept of local counsel. As American lawyers, we are not experts in these things and really need to rely on those in-country who deal with this on a daily basis.
Brian Bellack
So let’s assume that we’ve executed collection across all of these jurisdictions. We had a good plan in place, we’ve done all the paperwork, and we were able to gather that data and host it in an environment for those who may not know a tool like Relativity or another tool where data can be hosted and the evidence is maintained pristine, but allows lawyers to review that, make comments and tags. So this is where we talk in investigations about the need for speed. So the most important thing now for Michael and Jordi, but for Michael right now, is to get as much information as possible as quickly as possible. In the past, when data was collected, you would have to process and host it, but it would take maybe six to 10 days, critical days.
Now we have GenAI, and what GenAI has done has increased the speed of getting valuable insights. It’s also helped reduce cost and also helps reduce the volume of data, but depending on your matter and why you need it. So, for example, there are different tools to tactically go after an investigation. Before I dive into that, I wanted to turn it to Michael and Jordi on their experiences using analytics and/or AI. What was good, bad, and ugly about it, if anything?
Michael Hantman
Yeah. So going back to when I first started doing this work again 19 years ago, a matter like this would come in the door and we would retain 20 or 30 document review attorneys and we would train them and they would go through the million or 2 million documents or whatever it was, and it would be relatively quick, but it certainly wouldn’t be instantaneous. And of course, you would also often have the problem where different reviewers were having a different methodology, maybe in terms of tagging documents relevant or hot or whatever. In that circumstance, of course, you would sort of do quality control checks, but there would be circumstances where you’d have two reviewers, one who was sort of more cavalier and the other who would see a problem everywhere. That, obviously, that type of human error is enormously problematic, but it’s the only real way to get through a lot of data back in the day.
Then you started moving towards some of the data analytics that Brian talked about, and certainly using things like search terms was valuable as we progressed, using things like Brain Space has been helpful, but you still, again, the human error component is significant. I’m sure that Jordi has been in many investigations. I know I have, where people mistag things, or a data analytics tool led you on a little bit of a wild goose chase. Again, they’re helpful, they’re valuable, they can cut the time down, but there are concerns, and it’s not batting a thousand, that’s for sure. So now, to move to the new age that we’re in now, the hope and expectation is that we can keep up with these efficiencies, and while at the same time eliminating some of the human error that we’ve been seeing over decades.
Jordi de Llano
Yeah, I think for me, the biggest change that I’ve seen with the AI tools has been just the confidence that we can have in them. Even a couple of years back, experimenting with those AI functions within the tools, I was dissatisfied, frankly. I’m going to say it that way. Even though I could certainly recognize that there were cost savings and efficiencies with using it, the results were less than impressive. And this is back before my current role. We’d have to go and just hire an army of doc reviewers to go back and lay eyes on the documents. Because at least that way, taking into account that you could have things mis-tagged or missed, you had folks laying eyes on all of [inaudible 00:40:16] of documents. That’s been the biggest change from the current state. I think now we all can have far more confidence in the tool, that it will lead to not only cost savings and efficiencies, but we have confidence that the results are accurate. And that’s been, like I said, the biggest game changer.
Brian Bellack
And from the provider’s standpoint, we’ve seen a growth of adoption over the last six months, for example, then 12 months out. Each week, we get new inquiries or opportunities to bring gen AI to the table on matters. And a lot of it is around either speed, I need to get through this, or cost, and those are key drivers. In the investigation space, you actually have a lot of flexibility, or more flexibility than you would have in litigation. In some sense, you’re organizing your data and you don’t necessarily have to notify or tell folks what you’re doing as opposed in a litigation. And so, since that time, Jordi, tools have emerged that are now being more commonly adopted and used in the investigation space. I’ll name a couple. There are others out there, but Relativity is a big software product in our industry, and they have a tool called Relativity Air.
If you haven’t seen it, I would take a look at it. It’s an AI platform to help you review documents quicker. There’s also a tool called the eDiscovery AI, which also works with Relativity and has other features, can handle foreign language, and can handle a little bit more prompts. So with all of AI, it’s a conversation, does this data make sense? We want to have success. Jordi, when we use this. We don’t want it to turn out that it wasn’t a good data set to use this on. So there’s a lot of time that goes into that. But for investigations, what you could do now and very quickly, within 24 to 48 hours, is you can run all of the data and get a dashboard report of the data, giving you timelines, custodians, all search terms that are relevant, all issues, like a Brain Space wheel, to Michael’s point. Issues you weren’t thinking of right away.
And it also buckets the data into what might be responsive and what’s not responsive. And all this starts with a giant prompt. So you would do a prompt in ChatGPT, but an extensive prompt, you add in documents, anything you’re looking for, things you’re not looking for, that kind of thing. And so you get this result, and the results are really good, is what I’ll say when we talk about accuracy, Michael. The results are better. That doesn’t mean we lean on this. There’s a very conservative approach to this, which I think we cover. There’s a very conservative approach to doing AI. There’s a lot of validating and testing to make sure that we got it right, but again, in the investigation space, you have a little bit more looseness, and you can really leverage these tools. It’s very affordable, and that really can set your investigation apart.
The other way to do it is I’ve got a million records to look at and I’ve got to get through them, and that’s a gen AI for what we call relevance, which is like a responsive, not responsive, down the line, and that could be very effective, but there are costs associated. It might make sense to call the data down and then run the gen AI, just the nuance of managing these costs and expectations. But the clients, the corporations, seem to be pushing, or the end client is pushing the law firm we’re finding to know about this, and in some cases, their expectation is that the law firm would know more, or at least as much as they do about it. That if they’re talking to an attorney that doesn’t understand it more than they do that, that’s a sign that they need an attorney that has AI in their tool belt. So it’s kind of all coming together, but really heightened in investigations.
Michael Hantman
Yeah, I couldn’t agree with you more, Brian. I mean, I was in a pitch meeting, maybe in the last month or so, where the potential client was asking how we were going to be utilizing AI for efficiencies, cost savings, and things like that. That is a question I have never heard before in a pitch meeting, but this suggests that this will be happening more and more in the days and weeks ahead.
Brian Bellack
I also think it’s good, just all lawyers, we need to understand this now. It sucks in some regards for folks that aren’t into technology, but this is part of what we have to do right now. But when we have roundtables and we speak to corporate clients, some of them don’t really understand the AI at all, and so we’re all in the same boat, kind of like that. But other companies have put in the time, other in-house counsel have put in the time, and they know enough to know if someone has an understanding.
And you don’t need to have a broad understanding. I think you need to understand what it accomplishes when we’re talking about speed, cost, and accuracy; those are three basic tenets. That’s what we’re looking for. Maybe it’s so sensitive, maybe it’s a celebrity, and the data is so sensitive that gen AI would be the easiest way to do it, so nobody can actually look at it. There are different reasons why you might want to use this, but it’s here. And to Jordi’s point, much more adoptable right now. From the regulator’s standpoint, a lot of initiatives and conversations, it has been used in some cases. I know with antitrust and the FTC that there are active conversations. I know the DOJ is using gen AI. I don’t know how today, Mike, how they’re taking it in per se, but I would expect that they would.
Michael Hantman
Yeah. Well, listen, I mean, the reality is we haven’t talked about whether the government is aware of the misconduct in this investigation. It is not uncommon that they are. It is not uncommon that the internal investigation is being conducted simultaneously with the government doing their own investigation. In those circumstances, which I would argue is probably at least 50/50 that the government is aware of the misconduct, getting them to buy into the methodologies and the technologies you’re using is vital, right? Because a big part of the reason that company X is engaging in this investigation is to get to the bottom of what happened, and it must have integrity. And if what you’ve done is not something that is defensible, to use the word on the slide, what’s the point? DOJ is not going to buy into anything that you’re selling. They’re not going to agree with your conclusions. So again, if they’re involved, make sure that they are on board with the methodologies that you’re engaging in.
Brian Bellack
And just to reiterate, that’s why this validation of results, this human QC, is still here. I’m sure one day we’ll get to a point where we’ll have to do a very minimal amount of this, but so you can walk into court and say, I’ve done this. This was the methodology, this is what we did, and in addition, I did this.
Michael Hantman
Yes. Yes.
Brian Bellack
Okay. So kind of wrapping things up here, you’ve done the collection, you’ve gone through the data, hopefully had an opportunity to use technology and analytics or GenAI to get through that data quickly. You’ve learned a lot about the matter, and now, Mike, I’ll turn it over to you in terms of what you do next in the investigation.
Michael Hantman
Well, I mean, once we’ve preserved data, we’ve collected data, we’ve tried to protect privilege, we’ve identified who the client is, and things of that nature. Once you have your arms around what the allegations are and what the evidence shows, text messages, documents, things like that, you would then get into a circumstance where you would conduct interviews. And typically, you start with the sort of lower-level folks and you work your way up to either more senior folks or folks to whom the allegations are directed, the misconduct. Not that different than what you see in the movies, right? You don’t start at the top and work your way down. You tend to do the opposite. These obviously are highly sensitive interviews. It is, oftentimes, hard to get people to trust you and to open up to you. There are circumstances where people will ask you whether they need their own lawyer.
There are even circumstances where somebody is a member of a union, and maybe they actually have the right to have a union representative at these interviews. But then, of course, if you’re in foreign countries, there are nuances that are important. Brian, you mentioned earlier about cultural norms. I can tell you that the way folks react to me doing an interview of them who happen to be in Latin America versus in Asia Pacific, it is completely different. And you somewhat need a cultural interpreter, or you really will not understand, okay, you’ll understand the words that they’re using, but you won’t understand the meaning behind it. You won’t understand why they’re being either so genial or so aggressive. So these are vital conclusions and resources that we use to get to the bottom of what really happened here.
And by the way, because we’re doing an investigation, folks think, oh, it must be most of the time that you do these, you find misconduct. That’s not correct at all. I would say there is a healthy percentage of my investigations that do not result in findings of misconduct. Oftentimes, the whistleblower is just mistaken, or the whistleblower has an axe to grind or whatever. So these don’t always result in the parade of horribles that you might think.
Jordi de Llano
I’ll just add to that, the timing point, Brian. The timing of interviews is always very tricky because oftentimes it’s the initial interviews that tell you where additional data may be or relevant information. So sometimes you have to have multiple rounds of interviews. All of this should be sketched out pretty early on as part of an investigation plan with counsel.
Brian Bellack
Yeah, I appreciate you commenting on that because you need to preserve right away. You need to collect, and you need to look at stuff right away. So you’ll have your initial interviews, but then there’s potentially a lot of other folks that could lead you down different paths. So how do you weave that in? Is it all about the plan and how that’s executed in parallel and things like that?
Jordi de Llano
Well, you need to flex as you learn information during the course of an investigation. You need to be able to pivot another way. I think the safest approach is to have a plan early on and then adjust it as you go. So, for example, you may have to conduct early interviews with certain individuals, but there are a lot of considerations that are at play there. Will that person inform others of the questions, the scope of the investigation? Perhaps you have to have that interview early on with a high-ranking person because you feel they may leave the company, and you want to be able to facilitate that early on and document what their position is or what they have to say. So we’re sort of throwing these things out there for the group here, but these are all parts of the conversation that a company will have with outside counsel when developing an investigation plan.
Brian Bellack
Well, Mary, I think right on time, that takes us to the end of our webinar, and I think we just wanted to sum up some keynotes for everyone, if I may. First thing you want to do… Well, the first thing you want to do is get a great lawyer. That’s one of the things I take away from these conversations every time is that you really want to have experienced counsel, and you do that because you want to protect privilege right away. You want to preserve all potentially relevant data as soon as possible, okay? Every second really counts once you learn about the issue. And so you want to get those preservation orders out. You want to engage local counsel to help you execute on preservation and or collection, understand the regulatory norms, and help you collect as quickly and as easily as possible with less burden.
Collection-wise, you want to just deploy a collection that would leverage remote and outside capabilities. This all really goes back to Jordi’s point and Mike’s point about having a plan and strategizing. If you have 50 custodians, these 13 will be handled this way. These 24 are going to be handled this way, and then we go out and execute. Use of AI and analytics. AI is absolutely here. It’s not very expensive. You should try to dip your toes in it if you can. I think you’ll see the results are very good and very effective for white collar defense in investigations, or more usable, more usable right now, it seems. And then last but not least, use all the information you have reviewed and uncovered in your follow-up interviews and investigations, but you’ll need to have a flexible interview schedule based on the matter and what you know at the time. To Jordi’s point earlier, is there anything I missed, guys?
Michael Hantman
No, I think that, listen, the flexibility you guys just mentioned, the old saying, a battle plan never survives the first five minutes on the battlefield, and that is very much the type of mentality one needs to engage in going in. You’re constantly shifting and adjusting and recalibrating.
Mary Mack
We have a question from the audience about what’s your advice about handling the reluctant witness or custodian at the staff level, and then at the C level?
Michael Hantman
I refer to it oftentimes with the younger folks who work with me, as we have to engage in a charm offensive. And the reality is, I don’t have subpoena power, so people are as cooperative and as they are trusting of me. So if I can’t establish that I’m not out to get them, that I’m a friendly, reasonable guy, that this isn’t some witch hunt, people tend to be much more open with you in that circumstance. I mean, the biggest stick that I guess I wield is if a member of an organization, whether it be very senior or very low level, is unwilling to cooperate, that person risks very, very severe employment consequences.
I can tell you if the head of Holland and Knight came by my office and wanted to talk to me about how I handled a certain case, and I said, “I refuse to speak with you,” I’d be on the street. And that really generally is the greatest stick. I don’t try and ever use that stick because oftentimes the charm offensive is helpful. But we’ve had at times, we’ve had to recommend clients terminate somebody because they were dishonest. They destroyed data, they refused to speak with me, things like that.
Jordi de Llano
Really, you have to know your audience and know the location in which the cultural values and the cultural norms are, and the location where you’re doing these interviews. In some places, an internal investigation is thought to automatically involve criminal authority. So I think, to Michael’s point, from a very early stage, explain that you are simply fact gathering, obviously subject to Upjohn warnings and all the required warnings, but I think that that goes a long way with his charm offensive, as he referred to it is clarifying that you’re not there to prove a point. You’re there to just gather information.
Mary Mack
Excellent. Thank you.
Brian Bellack
Any other questions, Mary?
Mary Mack
No, that’s it. So we will wrap right now. This has been a fantastic discussion. Thank you to our listeners for joining today’s EDRM and Haystack ID webcast. We sincerely appreciate your time, your engagement, and your commitment to advancing your investigative and legal skills. Your participation in education like this helps strengthen the entire eDiscovery and compliance community. And before signing off, I’d like to invite you to our trusted partner, Haystack ID’s next webinar, Building Elite Cyber Incident Response Capabilities at Scale.
It’s taking place Wednesday, October 29th at 11:00 Central. This event will spotlight how organizations can accelerate incident response from discovery to notifications while meeting demanding regulatory standards. Essential knowledge in today’s high-stakes cybersecurity landscape. Panelists include Kevin Golas, Anya Korolev, and moderator Michael Sarlo, who will share practical strategies for building and scaling highly effective cyber incident response programs. For registration in more details on upcoming events, use… And their library of on-demand sessions, please visit HaystackID.com. Thank you again for being part of today’s program. We hope you gained valuable insights and look forward to seeing you forward at a future webcast. Wishing you a productive and resilient journey ahead. Thank you.
Brian Bellack
Thank you.
Expert Panelist Bios
+ Bryan Bellack
Executive Vice President, HaystackID
In his role as an Executive Vice President at HaystackID, Bryan Bellack is responsible for global sales and business development of HaystackID’s eDiscovery, Cyber Incident Response, White Collar, and Investigations solutions. Before joining HaystackID, Bellack was a Managing Director in BDO’s Consulting practice, where he led sales for their Forensic Technology Division. Bellack earned his B.A. from the University of Michigan, his law degree from the Maurice A. Deane School of Law at Hofstra University, and is licensed to practice law in New York State. In addition, Bryan serves as an Advisory Board Member to Guardrail Technologies, an AI Risk Management Platform. Bryan is a Certified E-Discovery Specialist (CEDS) from ACEDS and has certifications in Managing Cybersecurity Risk and Data Analytics.
+ Michael Hantman
Partner of White-Collar Criminal Defense, Internal Corporate Investigations, and Compliance Services, Holland & Knight LLP
Michael Hantman is a litigation partner in Holland & Knight’s Miami office. His practice focuses primarily on white collar criminal defense, internal corporate investigations, compliance, and complex business litigation. He assists companies and individuals in investigating, responding to, and defending against government scrutiny, whistleblower complaints, and enforcement actions related to allegations of bribery, fraud, accounting misrepresentations, kickbacks, money laundering, and other ethical lapses. Mr. Hantman recently co-led the representation of Liberty Mutual Insurance Co., which resulted in a declination with disgorgement resolution with the Department of Justice, the first such resolution under the second Trump administration.
+ Jordi de Llano
Global Financial Crimes Officer and Vice President, Liberty Mutual Insurance Company
Jordi de Llano is the Global Financial Crimes Officer and Vice President at Liberty Mutual Insurance Company, where he leads a global team responsible for anti-corruption, sanctions, and anti-money laundering compliance programs. A former federal prosecutor and Deputy Chief of the Securities, Financial & Cyber Fraud Unit at the U.S. Attorney’s Office for the District of Massachusetts, Jordi brings over 15 years of experience investigating and prosecuting complex financial crimes and advising corporations on compliance and risk management. He previously served as a partner at a global law firm, representing companies and executives in white-collar criminal defense, government investigations, and compliance matters. Earlier in his career, Jordi was an Integrity Officer at the Inter-American Development Bank, where he investigated fraud and corruption in bank-financed development projects across Latin America and the Caribbean. He has successfully led major international corruption investigations, refined enterprise-wide compliance frameworks, and regularly advises senior executives on regulatory matters.
+ Mary Mack
CEO, Chief Legal Technologist, EDRM
Mary Mack leads the EDRM, a project-based organization, and is the former Executive Director of a certification organization. Mack is known for her skills in relationship and community building as well as for the depth of her eDiscovery knowledge. Frequently sought out by media for comment on industry issues, and by conference organizers to participate, moderate a panel, lead a workshop or deliver a keynote. Mack is the author of A Process of Illumination: The Practical Guide to Electronic Discovery, considered by many to be the first popular book on eDiscovery. She is the co-editor of the Thomson Reuters West Treatise: eDiscovery for Corporate Counsel. Mack was also recently honored to be included in the book; 100 Fascinating Females Fighting Cyber Crime published by Cyber Ventures in May 2019. Mack has been certified in data forensics and telephony. Mack’s security certifications include the CISSP (Certified Information Systems Security Professional) and the CIAM (Certified Identity and Access Manager).
About EDRM
Empowering the global leaders of e-discovery, the Electronic Discovery Reference Model (EDRM) creates practical global resources to improve e-discovery, privacy, security, and information governance. Since 2005, EDRM has delivered leadership, standards, tools, guides, and test datasets to strengthen best practices throughout the world. EDRM has an international presence in 145 countries, spanning 6 continents. EDRM provides an innovative support infrastructure for individuals, law firms, corporations, and government organizations seeking to improve the practice and provision of data and legal discovery with 19 active projects.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
Source: HaystackID