Forensic data collection: getting it right in the GCC

Forensic investigations of company data are increasing in the region, but companies need to understand how to manage the initial stage of the investigation, data collection, while keeping within the law, writes Rick Barker, director & head of Forensic Technology (MENA), Deloitte & Touche (ME).

Barker: Forensic investigations can be expensive, so companies need to ensure they don’t jeopardise the data collection process through legal or practical mistakes.
By Rick Barker. Published July 14, 2013.

Companies undertake electronic document reviews when defending themselves in disputes, conducting investigations and when responding to regulators. The foundation of any review is the forensic collection of company data. How do companies ensure that they get value for money, the right advice, the right solution and don’t undermine the whole process from day one?

An electronic data collection may be triggered by circumstances that are sensitive, stressful and may pose a serious risk to the business concerned, but a forensic electronic data collection, undertaken by experienced and trained specialists using specialist equipment and accepted methodologies, ensures that all the available data is collected in such a manner that it can be relied upon, especially in courts of law.

There are three common scenarios for forensic collections in the GCC. The first is international companies, usually with exposure to the US, who need to investigate allegations of prohibited activities in their local branch office or subsidiary. Typically this relates to bribery of foreign government officials or transactions with sanctioned countries.

The second scenario is companies in arbitration or litigation disputes, who need to present evidence to an arbitration panel. Arbitration is becoming common in local legal actions, especially in relation to capital project disputes. The final common scenario is international or local companies investigating staff misconduct and dishonesty, usually fraud or ‘kick-back’ related.

Failing to focus and coordinate the legal and technical approaches can be costly and jeopardize the case. If legal advisors and forensic technology specialists don’t work hand in hand, the company risks missing evidence or wasting expensive man hours reviewing irrelevant data. It is even possible for inexperienced or unqualified staff to make matters worse, by accidentally destroying or compromising critical data or by breaching local data privacy laws.

Complying with data laws

It is critical to take into consideration the complete gamut of legal constraints of the jurisdiction in which the collection takes place and of any associated jurisdictions. Data privacy laws in other jurisdictions, such as those in the European Union, afford far more protection to employees, and failure to address these local legal constraints can lead to penalties for the company and individuals involved.

Other types of data compliance laws that need to be considered include laws relating to business or banking secrets, state secrets, blocking statutes, employment, data interception, telecommunications, legal privilege, publication and encryption technology.

Even when the collection is taking place in the GCC, companies must still consider laws from foreign jurisdictions, such as drafted revisions to the EU data privacy laws to protect EU citizens; or situations where companies have regional IT data hubs or where outsourced elements of their IT are hosted in another jurisdiction.

Data compliance laws in the GCC do not present as many hurdles to data collection as elsewhere, but the circumstances of each collection can quickly change, so it is important that local legal advice is sought to ensure the company does not expose itself to additional risk or penalties. There are pockets within the GCC that do have robust data privacy laws, including the Dubai International Financial Center, the Qatar Financial Center and Dubai Healthcare City; in addition, there are some constitutional protections that prohibit disclosure of personal data in countries such as the UAE and Saudi Arabia.

Seeking legal advice

Local legal advice should always be sought, and should cover more than just data privacy or cross-border movement of data, as that is just part of the legal compliance requirements. Advice should come from a firm or individual that has proven experience in this field, and should cover the proposed technical approach of the data collection. Companies need to weigh up the benefits of international law firms, with knowledge of different jurisdictions and previous experience, against those of wholly-local firms with in-depth and practical local knowledge.

Planning a collection

There are recommendations on the technical aspects of collections that can help ensure that the company collects the right data and does not miss key evidence. There has been a tendency by investigators and legal advisors to only order the imaging (forensic copying) of laptops and PCs, and the extracting of mailboxes without seeking input from the forensic technology specialists. In any collection, the technology specialist should be given sufficient time to liaise with the local IT team to fully scope the IT infrastructure, prepare for the onsite work and brief the legal team as to any technical peculiarities that need to be addressed.
