Forensic Data Collection in the GCC
Ensuring your electronic review doesn’t fall at the first hurdle
Companies undertake electronic document reviews when defending themselves in disputes, conducting investigations and when responding to regulators. The foundation of any review is the forensic collection of company data. How do companies ensure that they get value for money, the right advice, the right solution and don’t undermine the whole process from day one?
Why undertake a forensic collection?
A company does not commission a forensic data collection lightly. It is a necessity in order to protect the company. The circumstances that trigger the need for the collection can be sensitive, stressful and may pose a serious risk to the business. The company’s investigators or legal advisors need to undertake a review of the available electronic evidence so that they can report on their client’s exposure and advise accordingly.
An electronic data collection is forensic when it is undertaken by experienced and trained specialists, often using specialist equipment and accepted methodologies that preserve the integrity of the evidence. Forensic collections ensure that all the available data is collected in such a manner that it can be relied upon, especially in courts of law.
Collections are the first step in electronic reviews. The purpose of the review is typically threefold: 1) to identify the critical electronic evidence that can settle or set the direction of the matter, 2) to identify the evidence that will be relied on, and 3) to identify any issues that need to be addressed or mitigated.
When are GCC collections required?
We see three common scenarios that necessitate a forensic collection in the Gulf Cooperation Council (“GCC”) states. The GCC includes Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates.
The first is international companies, usually with exposure to the US, who need to investigate allegations of prohibited activities in their local branch office or subsidiary, which may have to be reported to a regulator. Typically this relates to bribery of foreign government officials or transactions with sanctioned countries.
The second scenario is companies in arbitration or litigation disputes. The matter is typically being heard in US or UK courts or by an arbitration panel. We also note an increase in local legal actions, especially in relation to capital project disputes.
The final common collection scenario is international or local companies investigating staff misconduct and dishonesty, usually fraud or “kick-back” related.
What can go wrong?
The potential monetary or reputational impact to a company in these investigations or disputes can be significant. The electronic evidence, especially communications (including emails), can be critical to success or failure. Mistakes made in the collection phase directly affect the review, the findings and the legal response.
Failing to both focus and coordinate the legal and technical approaches can be costly and jeopardize the case. If legal advisors and forensic technology specialists don’t work hand in hand, the company risks missing evidence or wasting expensive man hours reviewing irrelevant data. The same risks apply when legal counsel or technologists are inexperienced in this field.
It is also possible to make matters worse. We have seen numerous examples where the use of inexperienced or unqualified staff, including in-house IT personnel, to perform collections has led to evidence being undermined or even destroyed. Data collections in foreign countries have also fallen foul of those countries’ data compliance laws, European data privacy laws in particular, risking additional penalties.
Companies have a right to expect that the collections and review will be effective and not expose them to further risk.
Complying with data laws
Data compliance is more than just data privacy or protection. It is critical to take into consideration the complete gamut of legal constraints of the jurisdiction in which the collection is undertaken and, potentially, associated jurisdictions.
EU-style data privacy laws
Large international Foreign Corrupt Practices Act investigations over the years, particularly those based in Europe, have taught international law firms the importance of identifying local data privacy laws before undertaking collections and transferring data across borders.
The privacy laws in EU countries typically afford far more protection to employees than in other jurisdictions, such as the US.
Additional processes have been developed to address local requirements, such as obtaining written (free) consent [1], group consent via worker collectives [2], and utilizing safe harbor provisions [3].
Failure to address local legal constraints can lead to penalties for the company and the individuals involved.
Other types of data compliance laws
In addition to data privacy laws, there are a number of other types of laws that can affect collections, depending on how the collection is carried out and in which jurisdiction.
It would be unwise not to consider laws relating to business or banking secrets [4], state secrets [5], blocking statutes [6], employment, data interception, telecommunications, legal privilege [7], publication and even munitions [8] for encrypted data.
Solutions adopted to address these laws include conducting reviews in-house [9], exclusion filtering and redaction, obtaining authority from government departments or commissioners [10], enhanced employment contracts and/or enhanced acceptable IT use policies.
Can foreign laws be ignored in the GCC?
If the collection is being carried out in the GCC, does the company need to worry about the laws of another jurisdiction?
International companies should be careful about any extra-territorial provisions that protect their citizens, their employees or their data that may extend into the GCC. For example, the draft revisions to the EU data privacy laws include such provisions.
Companies that have regional IT data hubs or where outsourced elements of their IT are hosted in another jurisdiction should take care to check legal requirements for those jurisdictions.
Data compliance laws in the GCC
As a general rule, collections in the GCC region do not face as many legal hurdles as those required in other jurisdictions. In the main, the EU style data privacy laws are not found in the region.
Pragmatically, “standard” collections do occur in the GCC without any data compliance difficulties. However, the circumstances of each collection can quickly change, so it is important that local legal advice is sought to ensure the company does not expose itself to additional risk or penalties.
There are pockets within the GCC that do have robust data privacy laws, and these include the Dubai International Financial Center, the Qatar Financial Center (both modeled on EU laws) and also Dubai Healthcare City.
Even in the absence of specific privacy laws, there can be underlying constitutional protections, such as those afforded in the United Arab Emirates and the Kingdom of Saudi Arabia that prohibit disclosure of personal information and interception of private communications. A list of GCC data compliance related laws can be found in Appendix A.
Seeking legal advice
It is common for a company’s in-house counsel or UK/US legal advisors to ask the forensic data collection specialists what local data privacy laws there are. This question should be answered by seeking local legal advice and this advice should incorporate the collection’s technical issues.
Standard legal advice for collections
Many forensic technology firms use their engagement contracts to shift the legal responsibility of data collection compliance to their clients. The contract will commonly require the client to consider any data privacy and compliance requirements and seek local legal advice as needed.
In addition to this, the local legal advice should:
1) Cover more than just data privacy or cross border movement of data, as that is just part of the legal compliance requirements;
2) Be from a firm or individual that has proven experience in this field; and
3) Cover the proposed technical approach of the data collection.
The technical approach should match the circumstances of both the case and the IT environment.
Selecting local legal advisors
Local law firms, whether wholly local or local offices of an international firm, are only as strong as their practitioners. They may not be aware of their jurisdiction’s data compliance rules, so the approach of “seeking local legal advice” may be fundamentally flawed unless the law firm is carefully selected. International law firms may have the advantage of being exposed to various jurisdictions and previous collections exercises. Wholly local firms may have in-depth knowledge of the local and regional laws and how the legal systems work in reality.
Several law firms in the GCC have published articles on their website and in the media on this subject.
What to ask?
When selecting a local legal advisor it would be beneficial to question them about their knowledge of the various types of data compliance laws and the possible issues and solutions. This should distinguish which firms are new to this work from those who are experienced and knowledgeable in this area. Ideally the legal advisor should customize their advice and approach to match the data landscape. They should be seeking to engage with the forensic technology specialists to ensure that the data identified matches the issues of the legal matter and the legal approach addresses the technical peculiarities of the company’s IT environment.
Clarify their assessment of the usefulness of legal privilege and precedent in the matter. In UK/US matters these can be essential whereas in GCC local courts privilege and precedent are often not recognized.
There may be legal difficulty in collecting the company data due to co-ownership issues. There are a variety of ownership and joint-venture company structures used in the GCC, with some countries requiring companies to be co-owned by a local national, with possible side agreements in place. Is the legal advisor experienced with these structures and what are their thoughts on managing these complexities, especially if the local national owner wields considerable personal power and influence [11]?
Many company executives and in-house counsels comment at the end of a review, “If only I knew then, what I know now”. Take the time to ask both your legal advisor and forensic technology specialist to walk you through every step sooner rather than later.
Planning a collection
Beware of collection plans that consist solely of imaging laptops and extracting mailboxes without consideration of the host of other critical data sources.
There are recommendations on the technical aspects of collections that can help ensure that the company collects the right data and does not miss key evidence.
There has been a tendency for investigators and legal advisors to order the imaging (forensic copying) of laptops / PCs and the extracting of mailboxes without seeking input from the forensic technology specialists. In any collection, the technology specialist should be given sufficient time to: 1) liaise with the local IT team to fully scope the IT infrastructure, 2) prepare for the onsite work, and 3) brief the legal team on any technical peculiarities that need to be addressed.
The scoping exercise can identify key evidence stored on file servers, on portable devices, within email vaults, in backup archives, hosted with external vendors, in different jurisdictions, within ad hoc migration sets, on retired servers / systems / PCs, deleted, locked within encoded or encrypted systems and much more. The collection plan must be adjusted accordingly.
The cost of the collection phase is usually significantly less than that of the overall review. However, any collection that requires travel or needs to be undertaken in countries with security risks is bound to increase the expense and logistical effort required, including arranging travel visas or even security escorts. Whereas in London or New York you could simply perform multiple collections, when it comes to remote locations, not just in the GCC, it is advisable to limit the collection to a single instance.
The scope of the onsite collection should be quite broad to minimize the risk of needing to return. It is often possible to collect the full sets of data (such as a whole file server) just as easily as it is to collect the required subsets (such as user folders stored on the file server). The same broad collection approach applies to imaging computers. The computers assigned to the whistle-blower, the implicated staff, their assistant, and also colleagues who may be witnesses or co-conspirators, should be collected where possible.
It may also be useful to collect (“bag and tag”) back-up tapes and other electronic media that may not be required initially. Just because the data has been collected does not mean that it needs to be processed or reviewed (with the associated costs). However, collecting it in the first instance may save on having to re-collect (at additional cost) and prevent the data’s accidental loss or deliberate destruction.
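The "bag and tag" approach above only pays off if each collected item can later be shown to be the item that was collected, unchanged. The following is an added example, not code from the original article, of a minimal collection manifest: every item gets a tag, a SHA-256 hash, a size and a custody log at collection time, is marked as not yet processed, and can be re-verified before review. Item categories, examiner names and file contents are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample items (category, description); real manifests would point
# at disk images, mailbox exports, server copies, backup tapes and so on.
SAMPLE_ITEMS = [
    ("laptop", "Forensic image of laptop assigned to implicated employee"),
    ("file_server", "Full copy of the shared project file server"),
    ("backup_tape", "Monthly backup tape, bagged but not yet processed"),
]

def sha256_file(path, chunk=1 << 20):
    """Hash an item in chunks so multi-GB images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def bag_and_tag(items, collector):
    """Register each (path, source, description) with a tag, hash, size and custody log."""
    now = datetime.now(timezone.utc).isoformat()
    manifest = []
    for n, (path, source, desc) in enumerate(items, start=1):
        manifest.append({
            "tag": f"EV-{n:03d}", "source": source, "description": desc,
            "path": path, "size": os.path.getsize(path), "sha256": sha256_file(path),
            "processed": False,  # collected is not the same as reviewed
            "custody": [{"who": collector, "action": "collected", "at": now}],
        })
    return manifest

def log_custody(entry, who, action):
    """Append a custody event whenever an item changes hands or is processed."""
    entry["custody"].append(
        {"who": who, "action": action, "at": datetime.now(timezone.utc).isoformat()})

def verify_manifest(manifest):
    """Return tags whose current hash no longer matches the hash recorded at collection."""
    return [e["tag"] for e in manifest if sha256_file(e["path"]) != e["sha256"]]

def demo():
    """Create constructed sample items, verify them, then simulate one altered item."""
    tmp = tempfile.mkdtemp()
    items = []
    for i, (source, desc) in enumerate(SAMPLE_ITEMS):
        path = os.path.join(tmp, f"{source}.img")
        with open(path, "wb") as f:
            f.write(f"constructed image contents {i}\n".encode() * 1000)
        items.append((path, source, desc))
    manifest = bag_and_tag(items, collector="examiner-A")
    log_custody(manifest[0], "examiner-B", "received for processing")
    clean = verify_manifest(manifest)  # nothing has changed yet: []
    with open(items[1][0], "ab") as f:  # alter the file-server copy after collection
        f.write(b"late edit")
    altered = verify_manifest(manifest)  # ["EV-002"]
    return {"clean": clean, "altered": altered, "tags": [e["tag"] for e in manifest],
            "custody_events": len(manifest[0]["custody"])}

if __name__ == "__main__":
    print(demo())
```

Items that are bagged but never processed still carry their collection-time hash, so a later decision to review them can start from a verified copy rather than a re-collection.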
It is worth mentioning that before the review commences it may be possible for the forensic technology specialists to undertake an initial computer forensic analysis to focus or accelerate the review. This usually involves identifying who has been trying to hide data, recovering recently deleted or encrypted material, detailing which files and devices have been used, and determining which data sources are missing.
Collection considerations in the GCC
The scoping exercise can be more important in the GCC where document management is not always as robust as in other regions. It is not uncommon in large disputes or arbitrations for the client’s team to claim that the documents do not exist or that they can’t find them.
The assessment of the IT systems by forensic specialists then needs to be expanded to scan the network for the missing documents or text search the scanned paper documents to find the material critical to the case.
It is more common in the GCC for companies to allow their employees to use their own computers and mobile devices. However, employment contracts are often not updated to allow the company to access the company data stored on these items.
Physically removing electronic items from an office environment in order to image them, only for the items to turn out to be privately owned, can lead to hysterical and unfounded cries of theft by their owners.
Where the data from an individual’s personal device does require processing, the challenge of sorting personal data from company data is compounded by employees using their personal email addresses for business purposes and the lack of business email signatures.
The issue of personal property and email accounts mixed with business data would ideally be identified early in the scoping exercise and the collection plan adjusted accordingly.
Covert collections [12] or remote collections [13] appear to face less legal constraint in the GCC than in other jurisdictions; however, this is somewhat undermined by poor network connectivity and the tendency of employees to take their laptops home overnight for personal use. In theory remote collections that can be executed via the Internet are a useful alternative in the GCC when access to the site is limited or hazardous. Firms selling data interception tools in the GCC appear to be quite optimistic about how widely their tools can be used. However, there are some local laws, particularly in relation to telecommunications and in the new cybercrime legislation, which need to be considered before commencing wholesale monitoring of employee communications.
Less of an issue in collections but more of a consideration in review is the mix of languages in the GCC with Arabic obviously featuring prominently. Forensic technology tools have come a long way in respect to language handling and recognition so this should no longer be an issue when using professional vendors.
Getting the forensic data collection right ensures a firm foundation for subsequent review, findings and legal action. With so much at stake, companies and their legal advisors can’t afford to make assumptions or make avoidable mistakes.
Getting the collection right
Companies obliged to undertake forensic data collections in the GCC are under significant pressure to meet deadlines, minimize costs, resolve the situation and then move on with growing their business. They rely heavily on their legal advisors and their forensic technology vendors to provide them with the right solution.
The first step to success is close collaboration between all parties to execute a focused plan that addresses both the legal and technical challenges.
In practice, there are relatively few data compliance restrictions across most GCC countries and there are many straightforward collections performed without any issues arising. However, engaging legal advisors with relevant experience in the region will help companies steer clear of the pitfalls that can undermine the review or expose the company to penalties or unnecessary cost.
The collection plan should consider more than just laptops, PCs and mailboxes, otherwise there is a serious risk that the review will be flawed by the absence of critical data.
Experienced forensic technology specialists can help you effectively and efficiently harvest the evidence that a company needs to protect itself while keeping the costs under control.
Company executives and in-house counsel shouldn’t be afraid to dig into the details of the collection and review the plan and the associated costs. Asking what could go wrong, how to mitigate risks and how to make the collection more effective will help to ensure that the company’s investigation or legal dispute gets off to a flying start.
Notes
1. Employee consent is often used as a blanket mechanism to overcome privacy protections, but care must be taken as some jurisdictions, for example France, challenge an employee’s ability to give free consent.
2. Germany, for example, manages the consent and collection process via worker collectives.
3. Safe harbor provisions allow for the transfer of data to jurisdictions or organizations recognized as providing equivalent levels of protection.
4. Business and banking secrets are legally protected in some jurisdictions, particularly in Switzerland but also in some GCC and neighboring countries, including Egypt, Lebanon and Kuwait.
5. Greece protects state secrets, requiring electronic reviews to be conducted in-house.
6. Some jurisdictions utilize blocking statutes to prevent foreign enforcement bodies from undertaking investigations within their jurisdiction without going through government channels. For example, a company responding to US Department of Justice (DOJ) investigations runs the risk of breaching laws in France and Switzerland if it undertakes collections in those countries without their authorization. The forensic practitioners employed to undertake the collections are also at personal risk of breaching such laws.
7. Many GCC legal systems are based on the Egyptian legal system, which in turn was based on Napoleonic French law. Legal privilege and precedent are generally not recognized within this legal system and therefore cannot be relied upon in the local GCC courts.
8. Some jurisdictions, Russia and the US amongst others, categorize encryption as munitions-grade technology, and it is said that carrying encrypted data across the border may be a breach. Forensically collected data is often encrypted for security and confidentiality reasons, particularly when the collection involves travel, and therefore forensic practitioners run the risk of breaching these laws.
9. It is not uncommon in European matters for the collection and review to be undertaken entirely in-country or even in-house, particularly in Swiss banks.
10. Interception of communications in transmission, such as phone calls, emails and instant messenger chats, is usually heavily regulated in western jurisdictions and infrequently used within forensic collection exercises. When it does occur in corporate environments, it is after implementation of specific employment agreements, regular notification of the practice to staff and other conditions to ensure that interception is reasonable, proportionate and in line with the relevant authority’s (such as an Information Commissioner’s) guidelines.
11. A delicate point to consider in GCC collections is that not all IT users are equal. Much like in a western corporate collection, where the Chief Executive Officer is treated with care, powerful local nationals may require preferential treatment.
12. Covert collections are often performed overnight when there is no one in the office and the computers can be forensically imaged without the employee knowing.
13. Remote collections are usually performed over the office network or via the Internet.